Single Sign On (SSO)

Single Sign On (SSO) is the most popular method for Serraview's larger Clients. It allows a user to log in once to their network and thereby gain access to several network connected programs, eliminating the need to sign into each system individually.

Serraview supports single sign-on(SSO) logins through SAML 2.0 and a SAML 2.0 identity provider can take many forms, such as Active Directory Federation Services (ADFS) server or Okta.

SAML 2.0

Security Assertion Markup Language (SAML) is an XML based open standard data format used to authenticate and authorize data between Identity Providers (IDP) and Service Providers (SP).

Serraview utilizes the SAML 2.0 standard as defined by the OASIS Technical Security Committee via a third-party library called Component Space.

The SAML standard defines the following roles and facilitates communication between them to create the Single Sign On process:

User is the person logging into Serraview
Identity Provider (IDP) is the business
Service Provider (SP) is Serraview

The SAML 2.0 Single Sign On process can be either IPD initiated or SP initiated.

When the process is IDP initiated, then the user is taken to the IDP web login.

When the process is SP initiated, the following exchange of data takes place:

User browses to the Service Provider’s URL (https://[client_instance].serraview.com).
Then the user clicks the SSO button (if force SSO is set up then the user is automatically logged into the Serraview product).
The Service Provider communicates with the Identity Provider to authenticate the user’s credentials.
When access is granted by the Identity Provider, the user is automatically logged into the Serraview product.

Where access is not granted by the Identity Provider, e.g. due to timeout, the user will either:

receive a notification from the Identity Provider and will be unable to access the Serraview application.
receive a notification from the Identity Provider and be requested to verify their login details.

Work with your SAML 2.0 Identity Provider

The Corporate Real Estate team will need to check with your IT department to find out whether or not your business has SSO already set up for other applications.

Either your IT department will use the existing Identity Provider, or they will need to choose a vendor to engage with and then work with the Identity Provider to gather information.

SSO User Experience

When set up the user will experience either:

IDP initiated – IDP web login
SP initiated Option 1 – Sign in with SSO
SP initiated Option 2 –Automatic sign in with Force SSO

IDP initiated – IDP web login

The user is taken to the IDP web login, the user logs in and then they are re-direct to the Serraview product. The Serraview sign in screen does not display.

Option 1 – Sign In with SSO

When the user navigates to the Serraview URL, they will see an extra button on the login page to ‘Sign in with SSO’. Note you can configure the name of this button in the Serraview Configuration (in the SSO Name field).

When the user clicks the Sign In with SSO, they are automatically authenticated via your Identity Provider and redirected to the appropriate Serraview page they were trying to log into (assuming the authentication was successful).

Option 2 – Automatic Sign in with Force SSO

This option involves you to configure Serraview to 'Force SSO'.

When the user browses to the login page e.g. https://[client_instance].serraview.com/ of Serraview and Force SSO is set then the user will experience the following:

the user will be automatically be directed to the SAML Login and then Serraview opens a moment later (if authenticated successfully).
they do not see any login screen nor the option to login via username and password.

Failed authentication can be caused by multiple reason, normally it only affects the current user, unless the connection between Service Provider and Identity Provider is broken and then all the users will be impacted.

Configuration

The following topics cover: