Single Sign-On
You may have heard of SSO but not be sure what it is or whether it would be helpful for your organization. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. This means the login credentials you use every day on other systems within your company can be connected to Passport in a way that does not require you to manage separate logins.
SSO advantages include:
- Improves compliance through centralized user management.
- Eliminates credential reauthentication and reduces help desk requests, improving productivity.
- Streamlines local and remote application and desktop workflow.
- Minimizes phishing.
Passport supports Single Sign-On (SSO) for your organization via a SAML 2.0 gateway. Once SSO has been enabled for your account, it is no longer possible to sign in with a login name and password on the Sign In page.
SAML Integration
Passport allows your users to sign in via your SAML 2.0 Identity Provider (IdP).
This includes organizations with their own SSO infrastructure, as well as organizations using services such as OneLogin and Active Directory Federation Services (ADFS). When SAML is configured, we will give you a unique login link to Passport. Visiting this link will trigger the SSO process and log your users into their Passport account.
We will supply the following information:
- SAML login URL (where a user should visit to initiate a login)
- The SAML metadata from the Passport system to act as the Service Provider (SP)
To configure SAML, we simply require two pieces of information:
- The Identity Provider Details, in the form of your SAML metadata XML
- Passport Users provisioned by file (preferred) or manual addition. The format of the files and guidance on user management can be found here. Email addresses for user accounts will need to be unique.
And that's it!
If you have a SAML or system administrator, you can provide them with the information we will supply to you, and have them contact Support@providertrust.com directly to coordinate the integration.
Technical FAQs
- Does the application support SAML 2.0? Yes
- Does the application support SP-initiated SSO or IdP-initiated SSO? SP-initiated SSO (Service Provider initiated SSO). When you visit subdomain-passport.providertrust.com, you are redirected to an SSO login screen and then returned to Passport.
- What assertions are needed to send in the SAML token? Passport will use an email address to link Passport users to your users.
  Outgoing claim types, by necessity:
  Required: Name ID
  Required: E-Mail Address
  Recommended: Given Name
  Recommended: Surname
  Recommended: Name
- Does Passport support a Multi IdP Environment? Not today. Please let us know if this functionality is required for your organization.
- Does Passport support provisioning user accounts through SAML? No, clients will need to provision Passport user accounts via file (preferred) or manual addition. The format of the files and guidance on user management can be found here. Email addresses for user accounts will need to be unique.
- Does Passport support welcome emails to new users? Yes, the application will provide a custom Welcome Email that can be sent at the client’s discretion to direct users to the correct login URL. This email will not include any reference to a password.
- Once we have gone live, is there anything else that's needed? Yes, the SSO certificate provided with your metadata will have an expiration date set by your technical team. Sometimes that's every year, sometimes it's every 5 years. If the certificate is not replaced before the expiration date, your users will be unable to access ProviderTrust applications. A valid, up-to-date certificate is needed to ensure that all login requests are legitimate.
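As an added example (not Passport's or ProviderTrust's own code) that ties together the claim-type list and the user-provisioning answer above, the following Python sketch shows what a Service Provider does with the claims: it pulls the NameID and claim-type attributes out of a constructed SAML 2.0 assertion, treats Name ID as required, reports which recommended claims are absent, and links the email address to exactly one provisioned user, failing when the email is unknown or not unique. The ADFS-style attribute Name URIs and the case-insensitive email comparison are assumptions, not something the page specifies.

```python
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the claim types are emitted as these ADFS-style attribute Name URIs.
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
RECOMMENDED = ("emailaddress", "givenname", "surname", "name")

# Constructed, unsigned sample assertion; a real SP verifies the signature first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed user file; the third entry collides with the second once case-folded.
PROVISIONED = [
    {"email": "jdoe@example.org", "name": "Jane Doe"},
    {"email": "asmith@example.org", "name": "Al Smith"},
    {"email": "ASmith@example.org", "name": "Alice Smith"},
]
def extract_claims(assertion_xml):
    """Return the NameID plus any claims-URI attributes as a dict."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    nameid = root.find("saml:Subject/saml:NameID", SAML_NS)
    if nameid is not None and nameid.text:
        claims["nameid"] = nameid.text.strip()
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        value = attr.find("saml:AttributeValue", SAML_NS)
        if name.startswith(CLAIM_PREFIX) and value is not None and value.text:
            claims[name[len(CLAIM_PREFIX):]] = value.text.strip()
    return claims

def link_user(claims, users):
    """Link the assertion to exactly one provisioned user; returns (status, detail)."""
    if "nameid" not in claims:
        return "error", "Name ID is required but missing"
    # Assumption: emails compare case-insensitively, falling back to NameID.
    email = claims.get("emailaddress", claims["nameid"]).lower()
    matches = [u for u in users if u["email"].lower() == email]
    if len(matches) == 1:
        missing = [c for c in RECOMMENDED if c not in claims]
        return "ok", {"user": matches[0]["name"], "missing_recommended": missing}
    if not matches:
        return "error", f"no provisioned user with email {email}"
    return "error", f"email {email} is not unique ({len(matches)} users)"
```

The duplicate-email case is the one the provisioning guidance warns about: a login that matches two Passport accounts cannot be linked safely, so it is rejected rather than guessed.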
If your organization is interested in adding SSO to your services, please reach out to Client Success to discuss adding it to your product offering.