Federated SSO | Overview & How-To

How to manage Single Sign-On in ETO #SSO #SingleSignOn #Login

Updated over a week ago

What is SSO?

Single sign-on, or SSO, is an authentication process that allows a user to log in with a single set of credentials to multiple, independent software systems.

Note: ETO is not an SSO provider. This feature is meant to link ETO to your existing SSO configuration. If you do not currently have SSO set up and running in your organization, please contact your internal IT team. If you are currently using SSO elsewhere in your organization and would like to include ETO, you will use this feature to do so.

SSO is available in the United States, Canada, and Australia. To add Federated SSO to your ETO experience, please reach out to ETO Support via chat or email at eto@bonterratech.com.


Federated SSO utilizes a SAML 2.0 protocol to allow Enterprise Managers to include ETO in their SSO configuration. This increases security and improves user experience by allowing users to authenticate into ETO using their existing Identity Provider.

Note: SSO is not supported for ETO Multi-Factor Authentication (MFA) for organizations that enable SSO.

Looking for FAQs? Head over to this article!

How to Configure Federated SSO in ETO

Federated SSO is available to Enterprise Managers via the Side Navigation.

  1. Select Enterprise, then Manage Federated SSO.

  2. This will load the Federated Identity Providers page with the SSO pool ID and SSO pool domain name.

  3. Please use this information to generate the metadata XML file in your identity provider. Example: Azure, G Suite, etc.

  4. The metadata file can either be uploaded by clicking on the “Select XML file” button or entering the URL in the metadata textbox.

  5. Please verify or enter the email attribute for your provider. The email attribute exists in the metadata file or on the Identity Provider setup page.

  6. Click Save.

  7. This generates a login URL which can be copied using the Copy URL button. Users will need to use this URL to utilize SSO.

    1. Note: We do not officially support IDP-initiated sessions, such as ones accessed through a tile in Azure.

Removing the Configuration

Deleting the SSO configuration will prevent users from logging into ETO using the SSO URL. Users will need to log into ETO with the correct ETO address depending on location:
US Private: https://secure.etosoftware.com
US Public: https://secure.etosoftware.us
AU: https://secure.etosoftwareau.com/
Canada: https://secure.etosoftware.ca

To delete an existing SSO configuration:

  1. In the Side Navigation, select Enterprise, then Manage Federated SSO.

  2. Select the ellipsis (3 dots) on the Federated SSO page.

  3. Select Delete Configuration.

  4. On the prompt, click Continue to delete the configuration, or Cancel to return to the Manage Federated SSO page without making changes.

Updating the Configuration

When using Federated SSO, any new users to ETO will need to exist in the SSO provider as well. Their emails must match exactly. When adding new users, there is no need to update the configuration file. It will update automatically as new users are added to the SSO provider.

Logging in to ETO with SSO

  1. Your organization provided you with a new ETO URL specific to logging in through SSO.

  2. The page will direct to your SSO providers login

  3. Enter your SSO credentials and you will be logged in to ETO!

Troubleshooting Login Issues

For users who are unable to log in, please pay close attention to the error message received.

If the error message originates from your organization's SSO provider, please work with your Enterprise Manager or IT team to correct the issue.

If the error message originates from ETO (this may appear as a generic error in the top left of an otherwise blank page), please contact ETO Support. It's possible you may still need to work with your Enterprise Manager to resolve these types of issues.

Locked Accounts

If an account is locked inside of ETO, the end-user will see this message. The admin can unlock the account through Manage Site Navigation.

ETO Permissions

All ETO permissions including program access, reporting role, caseload access, etc. is controlled in ETO through Manage User Accounts.

Password Expiration Dates

  • Standard Login - Maximum Password age in days would still apply to the end-user

  • SSO Login - Maximum Password age does not apply, this would be controlled by your Identity Provider (IDP)

Setup ETO SSO with Azure

Create an Azure Enterprise Application

  1. Navigate to the Microsoft Azure portal at portal.azure.com

  2. Open Office 365 Admin Center > Azure Active Directory (Assuming you have the right privileges)

  3. Go to Enterprise Applications

  4. Choose + New application

  5. Choose + Create your own application

  6. Create the name of your application and choose Integrate any other application you don’t find in the gallery (Non-gallery) > Press Create

Configure Azure Enterprise Application

  1. If you're not automatically redirected to the new application after it was created in the previous section: Navigate to your newly create Azure Enterprise Application under Enterprise Applications > All applications > YourAppName.

  2. On the left-hand side under the "Manage" section, choose "Single-sign on", then choose "SAML"

  3. Under the "Basic SAML Configuration" section, click the "Edit" button in the top right.

  4. Under Identifier (Entity ID) choose Add identifier. Fill in the identifier with your ETO tenant’s SSO Pool ID from your ETO Managed Federated SSO page. In the example screenshot provided, the value to be entered would be:

    1. urn:amazon:cognito:sp:us-east-1_aBc1ABCDe

  5. Under Reply URL (Assertion Consumer Service URL) choose Add reply URL. Fill in the reply URL with your SSO POOL DOMAIN NAME from your ETO Managed Federated SSO page. In the example screenshot below, the value would be:

    1. https://ssg-platform-central-auth-example.auth.us-east-1.amazoncognito.com/saml2/idresponse
  6. Click Save.

  7. Scroll down the page to the SAML Signing Certificate section

    1. Click the "Copy to clipboard" button for the "App Federation Metadata URL"

  8. Navigate to your Managed Federated SSO page and click Add SAML

  9. If you have not done so, copy the App Federation Metadata URL as per step 7

Adding SSO Users

  1. Navigate to Users and groups inside the Enterprise Application.

  2. Choose + Add user/group

  3. Choose specific users or provisioned groups to allow users you want to have SSO Capabilities with ETO > Click Assign.

SSO Completed

You will now be presented a LOGIN APP URL in which you can use directly or setup a page redirect with a shorter page/domain name to login to ETO via Azure SSO. You can add this URL to your Azure SSO configuration in the field titled "Sign on URL".

Did this answer your question?