Single sign-on (SSO) is a session and user authentication service that permits a user to use a single set of login credentials to access multiple applications. Example: Google, LinkedIn, Twitter, and Facebook - all offer popular SSO services that allow an end-user to log into a third-party application with their social media authentication credentials.
Some SSO services use protocols such as the security assertion markup language (SAML).
SAML is an XML standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications between the user, an identity provider that maintains a user directory, and a service provider.
It allows the user to log in using the single set of login credentials provided by their organization to access multiple applications.
When a user of an organization (that has implemented SSO using SAML 2.0) opens the sign-in page of Fyle and enters their email address, he/she is redirected to another page hosted on their company server. Here, the user provides a single set of credentials associated with their organization. After entering the SSO login credentials, the user is redirected back to Fyle and lands on the Dashboard page directly.
How to enable it?
SSO can be enabled for an organization if they have an infrastructure for SSO using SAML 2.0 in place. For organizations that don’t support SSO or support SSO but not via SAML 2.0, this feature does not make sense.
If an organization has the infrastructure for SSO, the admin can enable support for SSO from the Settings page under the Account tab by selecting Security.
Click on Configure SSO for this org. Next, you’ll have to provide two mandatory details:
IDP Name - This will be used to generate the ACS URL and to uniquely identify the identity provider (i.e., the organization setting up SSO) on our server.
SAML Metadata File - Attach the SAML metadata file required for the SSO integration.
Note:- On the Fyle server, we use the email address as the primary key to identify the user. The identity provider is required to map the NameID field to the emailAddress of the user.
Click here to read more about common SAML terms.
Once the SSO integration is enabled, the users will have to log in only via SSO. Care must be taken while enabling the feature because providing incorrect details will block the users from logging in successfully.
How does it work?
Go to our login page - https://accounts.fylehq.com/app/router/#/signin. Here, enter the email ID for sign-in. If the domain of the email ID is that of an organization for whom SSO has been enabled, then it directly redirects to the login page on their own server.
After providing the login credentials there, if you’re an authentic employee of that company, you will be authorized and redirected back to Fyle home page. That's it!
If you have any queries regarding setting up SSO, reach out to us at firstname.lastname@example.org.