Federated SSO
How to manage Single Sign-On in ETO #SSO #SingleSignOn #Login

What is SSO?

Single sign-on, or SSO, is an authentication process that allows a user to log in with a single set of credentials to multiple, independent software systems.

Please note: ETO is not an SSO provider. This feature is meant to link ETO to your existing SSO configuration. If you do not currently have SSO set up and running in your organization, please contact your internal IT team. If you are currently using SSO elsewhere in your organization, and would like to include ETO, you will use this feature to do so.

To add Federated SSO to your ETO experience, please reach out to ETO Support via chat or email at eto@bonterratech.com.

Overview

Federated SSO uses the SAML 2.0 protocol to allow Enterprise Managers to include ETO in their SSO configuration. This increases security and improves user experience by allowing users to authenticate into ETO using their existing Identity Provider.

Note: ETO Multi-factor authentication (MFA) is not supported for organizations that enable SSO.


How to configure Federated SSO in ETO

Federated SSO is available to Enterprise Managers via the Side Navigation.

  1. Select Enterprise, then Manage Federated SSO.

  2. This will load the Federated Identity Providers page with the SSO pool ID and SSO pool domain name.

  3. Please use this information to generate the metadata XML file in your identity provider. Example: Azure, G Suite, etc.

  4. The metadata file can either be uploaded by clicking on the “Select XML file” button or entering the URL in the metadata textbox.

  5. Please verify or enter the email attribute for your provider. The email attribute exists in the metadata file or on the Identity Provider setup page.

  6. Click Save.

  7. This generates a login URL, which can be copied using the Copy URL button. Share this URL with users who need to log in through SSO.

Removing the Configuration

Deleting the SSO configuration will prevent users from logging into ETO using the SSO URL. Users will need to log into ETO with the correct ETO address depending on location:
US Private: https://secure.etosoftware.com
US Public: https://secure.etosoftware.us
AU: https://secure.etosoftwareau.com/
Canada: https://secure.etosoftware.ca

To delete an existing SSO configuration:

  1. In the Side Navigation, select Enterprise, then Manage Federated SSO.

  2. Select the ellipsis (3 dots) on the Federated SSO page.

  3. Select Delete Configuration.

  4. On the prompt, click Continue to delete the configuration, or Cancel to return to the Manage Federated SSO page without making changes.

Updating the Configuration

When using Federated SSO, any new users to ETO will need to exist in the SSO provider as well. Their emails must match exactly. When adding new users, there is no need to update the configuration file. It will update automatically as new users are added to the SSO provider.

Troubleshooting Login Issues

For users who are unable to log in, please pay close attention to the error message received.

If the error message originates from your organization's SSO provider, please work with your Enterprise Manager or IT team to correct the issue.

If the error message originates from ETO (this may appear as a generic error in the top left of an otherwise blank page), please contact ETO Support. It's possible you may still need to work with your Enterprise Manager to resolve these types of issues.

Locked Accounts

If an account is locked inside of ETO, the end-user will see this message. The admin can unlock the account through Manage Site Navigation.

ETO Permissions

All ETO permissions, including program access, reporting role, caseload access, etc., are controlled in ETO through Manage User Accounts.

Password Expiration Dates

  • Standard Login - Maximum Password age in days would still apply to the end-user.

  • SSO Login - Maximum Password age does not apply; this would be controlled by your Identity Provider (IDP).


Setup ETO SSO with Azure

Create an Azure Enterprise Application

  1. Open Office 365 Admin Center > Azure Active Directory

  2. Go to Enterprise Applications

  3. Choose + New application

  4. Choose + Create your own application

  5. Enter a name for your application and choose Integrate any other application you don’t find in the gallery (Non-gallery) > Press Create

Configure Azure Enterprise Application

  1. Navigate to your newly created Azure Enterprise Application under Enterprise Applications > All applications > YourAppName.

  2. Under Manage > Choose Single sign-on > Choose SAML

  3. Click Edit

  4. Under Identifier (Entity ID) choose Add identifier. Fill in the identifier with your ETO tenant’s SSO Pool ID from your ETO Manage Federated SSO page.

    Please enter the entity ID with the following text as the prefix: urn:amazon:cognito:sp:<YourSSOPOOLID>


  5. Under Reply URL (Assertion Consumer Service URL) choose Add reply URL. Fill in the reply URL with your SSO POOL DOMAIN NAME from your ETO Manage Federated SSO page.

  6. Click Save.

  7. Scroll down the page to the SAML Signing Certificate section.

  8. Navigate to your Manage Federated SSO page and click Add SAML

  9. Copy the App Federated Metadata Url and paste it into the Provide a metadata document endpoint URL field > Click SAVE

Adding SSO Users

  1. Navigate to Users and groups inside the Enterprise Application.

  2. Choose + Add user/group

  3. Choose the specific users or provisioned groups that you want to have SSO capabilities with ETO > Click Assign.

SSO Completed

You will now be presented with a LOGIN APP URL, which you can use directly or set up behind a page redirect with a shorter page/domain name to log in to ETO via Azure SSO. You can add this URL to your Azure SSO configuration in the field titled "Sign on URL".