This article provides instructions on how to enable single sign-on (hereafter SSO) for the users in your Applixure Account and/or Applixure Environment.
What's in this article:
- SSO support in Applixure
  - SSO support using Entra ID
  - Limitations of security configuration options for SSO-enabled Environments
- How to enable SSO for an Account or Environment
  - Requiring all users to log in using SSO
  - How to enable SSO for individual users
SSO support in Applixure
Applixure Analytics, Workflow and Feedback products use a common authorization flow to authenticate Applixure user accounts into each product. Using this shared authentication service, logging on to one product automatically lets you log on to another Applixure product seamlessly. Each user logging on to Applixure requires an Applixure user account to exist in the system, and by default, each user account performs local (i.e. internal to Applixure) authentication using a password and optionally a second factor: a time-based one-time password (TOTP) from an authenticator application.
With SSO enabled for the Applixure Account or Environment, you can delegate the authentication portion of the authorization flow to an external identity provider (IdP) that will handle user authentication without the user needing to use the password configured for their Applixure user account. Each user eligible to log on to Applixure's products still needs to exist in Applixure as a separate user account entity, but the external party handles its authentication. Consequently, removing or disabling the associated user account from the external party will automatically prevent logging on to Applixure, even if the Applixure user account still exists.
Enabling SSO for an Account or Environment only concerns the user accounts that the Account or Environment owns. It does not affect Applixure user accounts that are authorized to an Environment from elsewhere in Applixure; their SSO enablement is dictated by the SSO settings of their owning Account or Environment. Also, by default, enabling SSO support for a given Account or Environment does not make any of the user accounts it owns start redirecting to SSO login at the configured IdP. You enable SSO for each user account separately, which lets user accounts that perform local authentication continue to exist alongside SSO-enabled ones. Alternatively, you can force all user accounts owned by that Account or Environment to always perform SSO-based login, in which case none of them can perform local authentication in Applixure.
Currently, Applixure supports the usage of Microsoft's Entra ID user identities to authenticate user logins via SSO (personal Microsoft Accounts are not supported). Additional IdPs might be supported in the future.
SSO support using Entra ID
When enabling SSO using Entra ID authentication, each Applixure Account or Environment is configured to use a specific Entra ID tenant for SSO logins. Concretely, this means that any user accounts owned by the Account or Environment have to have a matching Entra ID user account in that tenant for the authentication to succeed.
An Applixure user account owned by an Account or Environment cannot authenticate against an Entra ID user account located in a different tenant from the one configured when SSO was enabled for that Account or Environment.
To successfully authenticate using SSO, a user account in Applixure must have a matching login name (e.g. firstname.lastname@company.com) to either the user principal name (UPN) or any of the email aliases (ProxyAddresses) set for an Entra ID user account.
On the first-time SSO-based login attempt by the user, the Applixure authorization service (upon successful authentication from Entra ID) will check that the user account object returned has a matching UPN or, alternatively, email aliases to the login name configured for that user in Applixure. On subsequent SSO-based logins for that user, Entra ID's user account object's unique identifier is used to determine if the authenticated Entra ID user is, in fact, the user account configured in Applixure.
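The matching rules above (together with the case-insensitive comparison of login names noted later in this article), as an added illustration written here and not Applixure's own code; the claim names, the handling of the proxyAddresses "SMTP:" prefix and the data classes are assumptions about how such a check could be modelled:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ApplixureUser:
    login_name: str                       # e.g. firstname.lastname@company.com
    sso_enabled: bool                     # "User must logon using SSO" checked
    idp_object_id: Optional[str] = None   # bound on the first successful SSO login


@dataclass
class EntraClaims:
    """Constructed model of what the IdP reports back after authentication."""
    oid: str                              # Entra ID user object id (assumed: the 'oid' claim)
    upn: str                              # user principal name
    proxy_addresses: List[str] = field(default_factory=list)  # e.g. "SMTP:alias@company.com"


def normalize_address(addr: str) -> str:
    """Strip the proxyAddresses 'SMTP:'/'smtp:' prefix and fold case for comparison."""
    scheme, sep, rest = addr.partition(":")
    if sep and scheme.lower() == "smtp":
        addr = rest
    return addr.strip().lower()


def sso_login(user: ApplixureUser, claims: EntraClaims) -> Tuple[bool, str]:
    """Decide whether an IdP-authenticated identity may log in as this Applixure user."""
    if not user.sso_enabled:
        return False, "user performs local authentication; SSO identity not accepted"
    if user.idp_object_id is None:
        # First SSO login: the login name must match the UPN or one of the aliases.
        candidates = {normalize_address(claims.upn)}
        candidates.update(normalize_address(a) for a in claims.proxy_addresses)
        if normalize_address(user.login_name) not in candidates:
            return False, "no Entra ID UPN or alias matches the Applixure login name"
        user.idp_object_id = claims.oid   # remember the object id for later logins
        return True, "identity linked on first SSO login"
    # Subsequent logins: compare the immutable object id, not the (renamable) names.
    if claims.oid != user.idp_object_id:
        return False, "authenticated Entra ID user is not the linked account"
    return True, "object id matches linked identity"
```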
The use of Microsoft Entra ID SSO with Applixure creates an Enterprise Application for the chosen tenant, allowing you to configure applicable access policies or other configuration options for Applixure SSO logins. You will not need to create the application in Entra ID beforehand, as it is automatically created upon setting up the SSO connection for an Account or Environment. Applixure uses OpenID Connect (OIDC)-based authentication flow when performing SSO against Entra ID.
Limitations of security configuration options for SSO-enabled Environments
In Environment settings' Security & restrictions options, it is possible to mandate that all user accounts having access to the Environment must have multi-factor (MFA) authentication set and enabled before accessing that Environment.
If, however, the Environment has SSO enabled and a user account owned by that Environment is configured to perform SSO login, or a user account owned by some other Account or Environment is configured to perform SSO login and has access to the Environment with this MFA enforcement setting turned on, Applixure won't require MFA from these user accounts before allowing access.
The reason is that an external party performs the authentication, so the user account is not authenticated locally by Applixure's authorization service; the user won't expect to set up a separate MFA entry or enter a code just for Applixure when they do not authenticate against Applixure at all. Furthermore, the configured identity provider performing the SSO authentication might already mandate some form of multi-factor authentication, and having to enter yet another code just for Applixure would be redundant.
How to enable SSO for an Account or Environment
You must perform the configuration in Applixure Analytics to enable SSO for your Applixure Account or Environment users. Depending on the entity you are configuring SSO for, you also need either Account administrator or Environment administrator user permissions.
On the Settings -tab in Analytics Web UI, choose either Account settings or Environment settings:
In the Security & restrictions section of the Account (or Environment) configuration screen, click on the toggle that has the label Enable single sign-on (SSO) for user accounts owned by this account or Enable single sign-on (SSO) for user accounts owned by this environment, depending on the entity.
Selecting the option will take you to a separate SSO configuration page, where SSO is enabled using a three-step process:
- First, you have to select an IdP that is used for SSO logins for this Account or Environment users. As stated earlier, currently, only Microsoft Entra ID is supported for SSO purposes.
- Next, you must authenticate against the chosen IdP using a user account from the same tenant that your Account or Environment users will be authenticated against. The user account used for making this connection should have the necessary permissions to consent on behalf of all tenant users for the Applixure application.
- Upon successful authentication using an external user account in the intended tenant, the last step is to confirm that you want to enable SSO for the Applixure Account or Environment using that tenant.
Once the SSO configuration for Account or Environment has been saved, you are returned to the Account or Environment settings page, where the SSO option is now shown as enabled, along with the IdP chosen and the tenant's name:
Note: as the SSO IdP and tenant settings are independently configured for each Account or Environment, you can have the same SSO tenant configured for both the Account and Environment if you have user accounts owned by both. Since Applixure user account login names are unique across all user accounts in Applixure, a user that logs in using a specific login name is always associated with the correct Account or Environment even though the same IdP tenant (housing that same user account) is in use for SSO with more than one Account or Environment.
Requiring all users to log in using SSO
If all of your Account or Environment-owned users are found in the chosen IdP's tenant and you want them to use SSO login without explicitly enabling SSO for each user account separately, or you don't want any user account owned by the Account or Environment to be capable of local authentication, you can enforce SSO logins at the Account or Environment level. Enabling this option prevents Account or Environment-owned Applixure user accounts from using the Applixure-provided authentication flow and automatically redirects login to the configured IdP tenant.
You can enable enforced SSO by enabling the toggle found under the SSO configuration setting in the Account or Environment settings screen:
Please note that setting this option does not affect the SSO status of any Applixure user accounts authorized to the Account or Environment from outside the entity being configured.
How to enable SSO for individual users
After enabling SSO at the Account or Environment level, you must next enable SSO for any existing or new Applixure user accounts in that Account or Environment. This will redirect all attempts to log in using the user account to the configured IdP, and Applixure will expect that provider to handle the authentication part of the authorization flow. Once a user account is authenticated externally, Applixure inspects the identity reported back from the IdP and associates it with the Applixure user account. If, for any reason, the authenticated user account in the IdP tenant does not match the login name of any Applixure user account, login is denied.
SSO login can be enabled for each user in the Account or Environment User accounts -page, depending on which entity owns the Applixure user account:
In the list of Applixure user accounts, you can recognize those accounts that the Account or Environment owns by the label "Environment owned" or "Account owned". These are the user accounts for which SSO status can be enabled, provided the owning Account or Environment has SSO configured. Any other user accounts listed here are owned by some other entity, and their SSO configuration must be performed through their owning Account or Environment.
Select Edit for the user account. The User must logon using SSO checkbox is available to select when SSO has been enabled for the owning Account or Environment:
Please verify that the Login username contains the exact same form of user login name as the UPN or possible email aliases configured for the user account found in the configured IdP's tenant. Login names do not have to be identical with regard to lowercase or uppercase spelling, as long as the actual form matches the one configured for a user account in the tenant.
Enable the SSO checkbox, press Update, and close to update the user account's settings. Once saved, the user account always has to perform authentication using SSO for as long as SSO is enabled for the Account or Environment. The user can no longer use any locally configured password and/or MFA settings.
A similar SSO option is also available when creating new users for the Account or Environment, allowing it to be turned on immediately upon user creation.
From the user accounts list, you can visually see which of the accounts have the SSO turned on:
Please note: for any user accounts listed that are not owned by the Account or Environment, the SSO enablement status (and other account state badges) is not shown for privacy reasons.