Single Sign-On Overview
Single Sign-On (SSO) enables users to sign into the Claravine platform using their organization-managed credentials, instead of managing a different login specific to Claravine. In practice, this changes the Claravine login page to have users log in at your company’s login page like the example below.
SSO is an enterprise feature that greatly increases overall security by letting an organization manage its users in one place. For example, if a user leaves an organization, their Claravine access is automatically turned off when the IT group disables their company account. SSO also reduces the data security burden on Claravine Admins, because they no longer decide who does and does not have access to the application.
SSO is available based on a customer's subscription tier. Please reach out to your CSM and/or Account Executive for more details.
SSO Implementation Types
Claravine offers flexible SSO integration types to match the needs of each organization:
- SSO authentication and authorization — IT manages users (internal and external) by adding attributes to the user in the organization's Identity Provider. These attributes specify what kind of access the user should have in Claravine: no access, user access, manager access, or admin access.
  - Group access and Permissions are assigned in Claravine. (SSO determines access and role.)
- SSO authentication only — IT manages users (internal and external) by adding attributes to the user in the organization's Identity Provider. These attributes specify only whether the user has access to Claravine: no access or access.
  - User type, Group access, and Permissions are managed by admins in Claravine. (SSO determines access only.)
- SSO authentication in addition to Claravine authentication (not recommended) — IT manages internal users only, and admins manage external users in Claravine.
  - User type, Group access, and Permissions are managed by admins in Claravine. (SSO determines internal access only.)
  - Most organizations opt to manage outside agencies’ access through IT as well—either by giving outside agencies organization-specific accounts or by specifying attributes on outside account email addresses.
Next Steps
- Determine the desired SSO implementation type with your internal IT/SSO team.
- Provide the kick-off information: SSO type, go-live date, name/email of the IT/SSO team member, PNG logo to be used on the SSO login page, and SSO protocol (SAML or OIDC).
- Claravine will provide the staging account ACS URL and Entity ID. You provide the staging Metadata XML file and Certificate in PEM or CER format for the staging account.
- Work closely with Claravine to test the staging SSO configuration. Once confirmed, work closely with Claravine to test the production (live) SSO configuration.
- Remember to communicate to all users of the upcoming change.
Technical Architecture
Claravine partners with highly credentialed Auth0 for utmost security and flexibility.
Source: https://auth0.com/security/
Auth0 interfaces directly with an SSO organization’s identity provider through one of many available SSO interfaces (e.g., SAML 2, Active Directory, ADFS, etc.), then Claravine connects to Auth0 through OAuth 2 Code Flow.
See the diagram below for an example of service provider initiated login using SAML.
Frequently Asked Questions
- What types of SSO providers does Claravine support?
  - Claravine has been able to support every enterprise identity provider requested, but feel free to send your identity provider to your CSM to confirm compatibility.
- How do I transition Claravine users to SSO users without users losing access to their groups, templates, etc.?
  - SSO users are matched to Claravine users by email address to ensure Claravine assets are unchanged. If for some reason the SSO email will be different from the Claravine email, then Claravine can manually match the two email addresses together to ensure no productivity is lost.
- How will I add users to my Claravine account?
  - Provide the user with the company-specific Claravine URL.
  - SSO authentication and authorization: User access will be managed through your IT organization, which has flexibility depending on your specific setup. For example, you may opt to allow any user in your organization to access Claravine, or you may want to limit access to a specific department or list of users you provide to your organization’s IT group.
  - SSO authentication only: User access will be managed within Claravine. After the user has logged in successfully, an Administrator will assign the group and permissions in Claravine by going to Admin > Users.
  - If you are loading a large number of users, communicate with your CSM for Claravine support.
- How will I change users’ roles when that feature is managed outside Claravine?
  - Changing a user’s role also varies depending on your specific setup. If authorization is managed through your organization’s IT group, then you’ll need to work with them to change user roles. The next time the user logs in, their role will be updated. If your organization only manages authentication, then you’ll be able to change user roles directly in Claravine.
- My IT organization added new users or changed a user’s role, but I don’t see that reflected in Claravine—what’s going on?
  - Changes made by your IT organization are only reflected in Claravine when that user attempts to log in. For example, when your organization’s IT changes a user to a Claravine Admin, you won’t see that user as an Admin in Claravine until that user logs into Claravine again.
- A user no longer works for my organization, but I still see that user in Claravine—what’s going on?
  - The user no longer has access to Claravine, but Claravine doesn’t know that fact until the user attempts to log in. If you would like to hide any old users from appearing in Claravine, then please send a list of those users to your Claravine CSM.
- What attributes are necessary to create an account?
  - Email address, first name, and last name.
- How do I log out? Is there a log-out button?
  - Since being logged in is controlled via your SSO provider, there isn't a way from within Claravine to log out. To end your session, just close the Claravine window(s) in your browser.
  - If you need to log in with a different user account, you'd need to use a different browser or log in via an incognito mode window.
- How are user roles and permissions provisioned?
  - Claravine uses Just In Time (JIT) Provisioning and does not support IdP-initiated SSO. JIT Provisioning means new users are added at the time of login, and other updates (email, permissions, roles) are applied upon their next login.
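As an added illustration (not Claravine's or Auth0's code), the Python below sketches the two behaviours this page describes: the attribute-driven authorization of the "SSO authentication and authorization" type, and just-in-time provisioning where a record is created or refreshed only when that user logs in. The assertion, the attribute names (claravineRole and friends) and the in-memory directory are all assumptions; the real attribute names are agreed with your IT team during kick-off.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES = ("none", "user", "manager", "admin")  # the four access levels the page lists

# Constructed sample assertion (attribute names are assumptions, not Claravine's).
# A real service provider would only reach this point after verifying the signature.
def sample_assertion(email, first, last, role):
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}"><saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>{first}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>{last}</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="claravineRole"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {AttributeName: first AttributeValue} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs

def role_from_attributes(attrs):
    """Deny by default: a missing or unrecognised role attribute means no access."""
    role = attrs.get("claravineRole", "none").lower()
    return role if role in ROLES else "none"

def jit_login(directory, assertion_xml):
    """Just-in-time provisioning: the directory changes only when this user logs in.
    Returns the user record on success, or None when access is denied."""
    attrs = parse_attributes(assertion_xml)
    for required in ("email", "firstName", "lastName"):  # the attributes the page requires
        if not attrs.get(required):
            raise ValueError(f"IdP assertion is missing required attribute: {required}")
    email = attrs["email"].lower()  # users are matched to existing records by email
    role = role_from_attributes(attrs)
    if role == "none":
        if email in directory:
            directory[email]["role"] = "none"  # revocation becomes visible only now
        return None
    directory[email] = {"email": email, "first": attrs["firstName"],
                        "last": attrs["lastName"], "role": role}
    return directory[email]
```

Because nothing touches the directory between logins, a role change or departure made at the IdP is invisible here until that user's next login attempt, which is exactly the behaviour the FAQ answers above describe.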
What's next: read the How Do I Manage Users with SSO Knowledge Base article for more information.