Introduction
This guide provides instructions for configuring Single Sign-On (SSO) for a company on the Finverity platform. SSO allows users to authenticate using their corporate credentials, streamlining access and enhancing security.
Supported Identity Providers
The Finverity platform supports SSO integration with several major identity providers (IdPs):
Azure Active Directory / Microsoft Entra ID (including Kerberos)
Okta
G Suite (Google)
JumpCloud
PingIdentity
OneLogin
How it works:
Every night, our system synchronizes Single Sign-On (SSO) users by pulling user data from the bank’s SSO provider.
This ensures that if a user is deleted from the bank’s system, their access to Finverity will be automatically disabled.
When a new user appears in the bank’s SSO system, we automatically create a corresponding user account in Finverity. This new user is initially assigned a default role, which can be modified later by authorized personnel as needed.
SSO Configuration
To set up SSO, an administrator with the appropriate permissions must configure the settings within the company's profile.
Required Permissions
To perform this setup, you must have the Manage My Company SSO Settings permission assigned to your role.
Configuration Steps
Navigate to the Company SSO Settings page from the administration menu.
On this page, you will need to enter the OAuth 2.0 credentials obtained from your identity provider's application configuration. While field names may vary between providers, they typically include:
Client ID: The unique identifier for your application from the IdP.
Client Secret: The secret key generated for your application in the IdP.
Tenant ID / Other Identifiers: Your IdP-specific tenant or directory identifier.
Default Role: The role automatically assigned to new users created via SSO from the identity provider.
Ensure the following Redirect URL is entered exactly as shown into your IdP's application registration settings:
https://backteam.ds.finverity.com/oauth/access-result
An incorrect URL will cause the authentication process to fail.
After filling in the required fields, click Save. A confirmation message will appear indicating that the settings have been saved successfully.
Forced Authentication and Login Process
Once SSO is enabled for a company, all users belonging to that company are required to authenticate via the configured identity provider. The standard username and password login method is disabled for them.
Login Flow: When a user from an SSO-enabled company attempts to log in, they enter their email address. The system identifies their company's authentication method and automatically redirects them to the configured IdP's login page.
Authentication Enforcement: If an SSO-enabled user tries to use the standard login form with a username and password or attempts a password reset, the system will prevent the action. While the user receives a generic "wrong credentials" message, the backend logs will note that the user is configured for SSO. This prevents unauthorized access methods without revealing the company's security configuration.
User Provisioning: New users created in the identity provider can be automatically provisioned on the Finverity platform. Likewise, users who are disabled or deleted in the IdP will be disabled in the platform.
Successful Authentication: After successfully authenticating with the IdP, the user is redirected back to the Finverity platform and granted access. The system is designed to return the user to the specific page they were originally trying to access before being prompted to log in.
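The login flow and the enforcement rules described in this section, written out as an added example in Python. This is not Finverity's own code: the company and user records, the email-domain-to-company lookup, the per-company IdP authorize URL and the audit log are constructed stand-ins for whatever the platform really stores. It shows the three behaviours above: routing an SSO user to the IdP, returning them to the page they originally requested via a server-side state value, and answering password logins and reset requests from SSO users with the generic "wrong credentials" message while the backend log records the real reason.

```python
"""Login routing and enforcement for an SSO-enabled company.

Added example, not Finverity's own code. The company and user records, the
email-domain-to-company lookup, the per-company IdP authorize URL and the
audit log are constructed stand-ins for whatever the platform really stores.
"""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

# Redirect URL named in the guide; the IdP's app registration must match it exactly.
REDIRECT_URL = "https://backteam.ds.finverity.com/oauth/access-result"
GENERIC_ERROR = "wrong credentials"  # the only message a user ever sees


@dataclass
class Company:
    name: str
    sso_enabled: bool
    idp_authorize_url: str = ""  # assumed per-company setting
    client_id: str = ""          # the Client ID entered on the SSO settings page


# Constructed sample data: one SSO-enabled company and one password company.
COMPANIES = {
    "bank.example": Company("Example Bank", True,
                            "https://idp.bank.example/oauth2/authorize", "finverity-app"),
    "corp.example": Company("Example Corp", False),
}
PASSWORDS = {"alice@corp.example": "correct horse"}  # constructed; a real store keeps hashes

AUDIT_LOG: list[str] = []            # backend log entries, never shown to the user
PENDING_STATES: dict[str, str] = {}  # OAuth state value -> page the user originally asked for


def company_for(email: str):
    """Assumption: a user's company is identified by the domain of their email address."""
    return COMPANIES.get(email.rsplit("@", 1)[-1].lower())


def start_login(email: str, next_path: str = "/") -> dict:
    """Step 1: the user enters an email; route them to the IdP or to the password form."""
    company = company_for(email)
    if company is None or not company.sso_enabled:
        return {"action": "password_form"}
    # Remember the requested page server-side, keyed by an unguessable state value,
    # so the callback can restore it without trusting a client-supplied URL.
    # Only a local path is accepted; "//host/..." would be an open redirect.
    state = secrets.token_urlsafe(32)
    safe_path = next_path if next_path.startswith("/") and not next_path.startswith("//") else "/"
    PENDING_STATES[state] = safe_path
    params = {"client_id": company.client_id, "redirect_uri": REDIRECT_URL,
              "response_type": "code", "state": state}
    return {"action": "redirect", "url": f"{company.idp_authorize_url}?{urlencode(params)}"}


def finish_login(state: str) -> str:
    """Callback step: after the IdP round trip, send the user to the page they wanted."""
    # The authorization-code-for-token exchange is omitted; only state handling is shown.
    next_path = PENDING_STATES.pop(state, None)  # one-time use; a replay finds nothing
    if next_path is None:
        raise ValueError("unknown or already-used state")
    return next_path


def password_login(email: str, password: str) -> dict:
    """Standard form: refused for SSO users with the generic error, but logged precisely."""
    company = company_for(email)
    if company is not None and company.sso_enabled:
        AUDIT_LOG.append(f"password login refused: {email} is configured for SSO ({company.name})")
        return {"ok": False, "error": GENERIC_ERROR}
    stored = PASSWORDS.get(email, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return {"ok": True}
    AUDIT_LOG.append(f"password login failed: bad credentials for {email}")
    return {"ok": False, "error": GENERIC_ERROR}


def request_password_reset(email: str) -> dict:
    """Password reset is blocked for SSO users in exactly the same way."""
    company = company_for(email)
    if company is not None and company.sso_enabled:
        AUDIT_LOG.append(f"password reset refused: {email} is configured for SSO ({company.name})")
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True}  # sending the reset email is omitted
```

The two places a reviewer should look at are the `state` handling (the original destination lives only on the server and is consumed once, so neither a tampered `state` nor a replayed callback can steer the user elsewhere) and the two refusal paths, which return the same response an ordinary bad password would while the audit log keeps the distinguishing detail.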
Enabling SSO and Managing User Accounts
When an organization enables SSO, it streamlines the login process and centralizes user management. Here’s what you need to know about how user accounts are affected:
Existing Users: When SSO is enabled, current users in the system are not deleted or recreated. Instead, their accounts are modified to be linked with the SSO provider. All their existing permissions, roles, and associations within the platform will be preserved. This ensures a seamless transition for your team without any loss of historical data or access rights.
New Users: If a user logs in via SSO but does not yet have an account on the Finverity platform, a new user profile will be automatically created for them. This new user will be assigned a default role.
Role Management: After a new user is created with a default role via SSO, an administrator from the client’s side can then modify the user's role as needed. This allows for proper access control and ensures that users have the appropriate permissions for their responsibilities.
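The account handling described here, together with the nightly synchronization from the "How it works" section above, as one added example in Python. It is not Finverity's own code: the account store, the IdP user list and its "enabled" flag, and the default role value are constructed, and the real nightly job reads the bank's SSO provider through its API. Enabling SSO links the existing accounts in place and keeps their roles; each sync then creates newcomers with the default role, disables (never deletes) anyone removed or disabled at the IdP, and leaves an administrator's later role change untouched.

```python
"""Account linking when SSO is enabled, and the nightly IdP synchronisation.

Added example, not Finverity's own code. The account store, the IdP user
list and its "enabled" flag, and the default role value are constructed;
the real nightly job reads the bank's SSO provider through its API.
"""
from dataclasses import dataclass

DEFAULT_ROLE = "viewer"  # assumed value of the company's Default Role setting


@dataclass
class Account:
    email: str
    role: str
    active: bool = True
    sso_linked: bool = False


def link_existing_accounts(accounts: dict[str, Account]) -> None:
    """Enabling SSO: accounts are linked in place, not deleted or recreated.
    Roles and every other attribute are left untouched."""
    for acct in accounts.values():
        acct.sso_linked = True


def sync_from_idp(accounts: dict[str, Account], idp_users: dict[str, bool],
                  default_role: str = DEFAULT_ROLE) -> dict[str, list[str]]:
    """Nightly pull. idp_users maps email -> "still enabled at the IdP".

    - enabled at the IdP, unknown locally   -> create with the default role
    - enabled at the IdP, known locally     -> unchanged (an admin's role change survives)
    - disabled at the IdP, or gone entirely -> disable the local account, never delete it
    Reactivation of a returning user is not described in the guide, so this
    version leaves a disabled account disabled until an administrator acts.
    """
    idp = {email.lower(): enabled for email, enabled in idp_users.items()}
    created, disabled, unchanged = [], [], []
    for email, enabled in idp.items():
        acct = accounts.get(email)
        if acct is None:
            if enabled:
                accounts[email] = Account(email, default_role, active=True, sso_linked=True)
                created.append(email)
        elif not enabled and acct.active:
            acct.active = False
            disabled.append(email)
        else:
            unchanged.append(email)
    # Anyone linked to SSO who no longer appears in the IdP feed loses access.
    for email, acct in accounts.items():
        if acct.sso_linked and acct.active and email not in idp:
            acct.active = False
            disabled.append(email)
    return {"created": sorted(created), "disabled": sorted(disabled), "unchanged": sorted(unchanged)}


def run_demo() -> tuple[dict, dict, dict[str, Account]]:
    """Constructed walkthrough: enable SSO for three existing accounts, then run
    two nightly syncs. Returns both sync summaries and the final account store."""
    accounts = {
        "alice@bank.example": Account("alice@bank.example", "admin"),
        "bob@bank.example": Account("bob@bank.example", "analyst"),
        "carol@bank.example": Account("carol@bank.example", "viewer"),
    }
    link_existing_accounts(accounts)
    # Tonight's feed: Alice unchanged (note the letter case), Bob disabled at the
    # bank, Carol removed entirely, Dave newly added.
    idp_feed = {"Alice@bank.example": True, "bob@bank.example": False, "dave@bank.example": True}
    first = sync_from_idp(accounts, idp_feed)
    second = sync_from_idp(accounts, idp_feed)  # same feed again: nothing changes
    return first, second, accounts


if __name__ == "__main__":
    first, second, final = run_demo()
    print("first night :", first)
    print("second night:", second)
    for acct in final.values():
        print(acct)
```

Two details matter operationally: emails are compared case-insensitively so an IdP that returns "Alice@..." does not create a duplicate account and disable the original, and the second run against an unchanged feed reports nothing created or disabled, which is the property to check when the job is scheduled nightly.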
This process is designed to be straightforward and maintain the integrity of user data while enhancing security and user experience through SSO. If you have any further questions or require assistance with your SSO setup, please do not hesitate to reach out to the IT Help Desk.
Can Corporate users have SSO?
Yes, within their portal, your client can enable Single Sign-On (SSO) login for their corporate users separately, allowing for streamlined and secure access management tailored to their organizational needs.