Single Sign On

Single Sign On (SSO) is an enterprise security feature that allows organizations to:

  • Provide employees with the convenience of a single set of credentials for all information systems that they use.
  • Centrally control password policies (eg: complexity, minimum length, maximum age, MFA, etc) for all information systems.
  • Centrally grant access to employees for specific information systems.
  • Centrally revoke access to all information systems in one action when an employee is terminated.

NoahFace supports SSO by integrating with 3rd party platforms that support the Security Assertion Markup Language (SAML 2.0) standard. For example:

  • Okta
  • Microsoft Azure
  • OneLogin
  • Auth0

SSO functionality is available to all NoahFace customers on Enterprise Plans.

Signing In Using SSO

Employees can sign in using SSO by navigating to the NoahFace Dashboard login panel and selecting Sign In with SSO:

They then enter their SSO Domain (eg: the name of the company they work for) and press Sign In:

If they are already logged in to their SSO platform, they will be immediately logged in to NoahFace; otherwise, they will be automatically redirected to the login screen for their SSO platform.

Configuring SSO in NoahFace

Single Sign On must be configured both in the NoahFace Dashboard and in your SSO platform. The NoahFace settings can be found under Security Settings:

Each of the settings is explained below:

SAML Single Sign On. Enable this switch when you have completed your setup and are ready to test your SSO process.

SSO Domain. This is a user-defined identifier that links the NoahFace sign in panel to your Organization, and is typically your company name (eg: "Acme"). If you have multiple NoahFace Organizations, each Organization must have a unique identifier (eg: "Acme Dev", "Acme Test", "Acme").

NoahFace Dashboard Single Sign-On URL. This is a link that can be shared with users so they can directly navigate to the NoahFace Dashboard, without first navigating to the NoahFace Dashboard Sign In panel.

NoahFace Identifier (Entity ID). This is a system-defined unique identifier for your Organization. It will be needed when you set up NoahFace as a resource within your SSO platform.

NoahFace Assertion Consumer Service (ACS) URL. This is a link that your SSO platform calls as part of the SSO process. It will be needed when you set up NoahFace as a resource within your SSO platform.

SAML Entity Id. This is the identifier assigned to NoahFace within your SSO platform. You will need to copy it from your SSO platform and paste it here.

SAML Sign-On URL. This is the URL to the sign on screen for your SSO platform. You will need to copy it from your SSO platform and paste it here.

SAML Certificate Fingerprint. This is the public certificate used to encrypt the SSO process. You will need to copy it from your SSO platform and paste it here.

SAML Logout Redirection URL. This is the URL that the NoahFace Dashboard redirects to when a user signs out.

Configuring SSO in Okta

To configure NoahFace SSO in Okta, select Create App Integration under Applications and select SAML 2.0:

In section one of Create SAML Integration (General Settings), enter the name "NoahFace". If you have multiple NoahFace Organizations, you should choose an appropriate name for each (eg: "NoahFace Dev", "NoahFace UAT", "NoahFace"). You can optionally add the NoahFace logo so that it will appear in the Okta Dashboard.

In section two of Create SAML Integration (Configure SAML):

  • Copy the NoahFace Assertion Consumer Service (ACS) URL from your NoahFace settings into the Single Sign-On URL.
  • Copy the NoahFace Identifier (Entity ID) from your NoahFace settings into the Audience URI (SP Entity ID).
  • Select "Email" for the Application Username.

Once you have saved your integration, select the Sign On tab for your "NoahFace" application and expand the More Details section under SAML 2.0. You can then:

  • Copy the Sign On URL to the SAML Single Sign On in your NoahFace settings.
  • Copy the Sign Out URL to the SAML Logout Redirection URL in your NoahFace settings.
  • Copy the Issuer to the SAML Entity Id in your NoahFace settings.
  • Download the Signing Certificate.
  • Open it in a text editor and extract the fingerprint (everything between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
  • Copy this to the SAML Certificate Fingerprint in your NoahFace settings.

You can then assign users and groups to the "NoahFace" application on the Assignments tab.

Configuring SSO in Microsoft Azure

To configure NoahFace SSO in Microsoft Azure, select New Application under Enterprise Applications and enter the name "NoahFace". If you have multiple NoahFace Organizations, you should choose an appropriate name for each (eg: "NoahFace Dev", "NoahFace UAT", "NoahFace"):

Select Assign Users and Groups and assign the users or groups you want to have access to NoahFace:

Select Set Up Single Sign On:

Select SAML:

In section one of Set up Single Sign-On with SAML:

  • Copy the NoahFace Identifier (Entity ID) from your NoahFace settings to the Identifier (Entity ID) in your Azure settings.
  • Copy the NoahFace Assertion Consumer Service (ACS) URL from your NoahFace settings to the Reply URL (Assertion Consumer Service URL) in your Azure settings.
  • Copy the NoahFace Dashboard Single Sign-On URL from your NoahFace settings to the Sign on URL in your Azure settings.

In section three of Set up Single Sign-On with SAML:

  • Download the Certificate (Base64) from your Azure settings.
  • Open it in a text editor and extract the fingerprint (everything between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----").
  • Copy this to the SAML Certificate Fingerprint in your NoahFace settings.

In section four of Set up Single Sign-On with SAML:

  • Copy the Login URL from your Azure settings to the SAML Sign-On URL in your NoahFace settings.
  • Copy the Microsoft Entra Identifier from your Azure settings to the SAML Sign-On URL in your NoahFace settings.
  • Copy the Logout URL from your Azure settings to the SAML Logout Redirection URL in your NoahFace settings.
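
The certificate step in the Okta and Microsoft Azure instructions above can be scripted instead of done by hand in a text editor. The following Python is an added example, not NoahFace code: it extracts the text between the two markers, checks that it decodes as base64 to DER data, and produces a SHA-256 digest of the decoded bytes for comparison against the downloaded file. The function names are hypothetical and the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def extract_certificate_body(pem_text: str) -> str:
    """Return the base64 text between the BEGIN/END markers as a single line."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop line breaks, carriage returns and stray spaces left by the editor.
    body = "".join(blocks[0].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return body


def sha256_fingerprint(body: str) -> str:
    """Colon-separated SHA-256 digest of the decoded certificate bytes."""
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a DER SEQUENCE wrapping 100 filler bytes (NOT a real
# certificate), wrapped at 64 columns with Windows line endings like a download.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(range(100))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    value = extract_certificate_body(SAMPLE_PEM)
    print(value)                      # paste into SAML Certificate Fingerprint
    print(sha256_fingerprint(value))  # digest of the decoded bytes
```

A file containing more than one certificate, or a body that was truncated or altered while copying, is rejected rather than silently pasted.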

Provisioning Users

Users must be provisioned in NoahFace and assigned a Dashboard Role (ie: Administrator, Manager, Viewer) in order to sign in with SSO.

Users are automatically provisioned in NoahFace on the next scheduled synchronization after they are added to your HR platform (assuming they meet your synchronization filtering criteria). The NoahFace user identifier is a user's email address, so email addresses must always be provided as an attribute in your synchronization.

Users are automatically unprovisioned in NoahFace on the next scheduled synchronization after they are terminated in your HR platform.

Users can be assigned a Dashboard Role either automatically, as part of your user synchronization, or manually, from within the NoahFace Dashboard.

Completing Your SSO Setup

Once you have configured NoahFace, configured your SSO Platform, and provisioned your users, you are ready to test Single Sign On to the NoahFace Dashboard.

To do this, enable Single Sign-On as follows (when you do this, both Local Sign-On and SSO will be possible):

Finally, assuming everything is working, you can disable Local Sign-On as follows:

© NoahFace 2018