Single sign-on (SSO) lets people log in to Appraisd with the account they already use at work, so they don't need to remember another password.
If your organisation uses an identity provider such as Azure AD, ADFS, Okta or OneLogin, you can set up SSO with Appraisd. Appraisd also supports any SAML 2.0-enabled identity provider.
If you use Azure AD, you can connect to Azure directly using our Azure Marketplace app.
If you use any other provider, you will need to configure SAML SSO yourself.
How to configure SAML SSO yourself
- Turn on the Single sign-on with SAML setting in the Configuration area.
- Refresh the page and a SAML single sign-on tab appears in the left-hand column. Note the URLs shown on this page (these are Appraisd's service provider details); you will need them later.
- In your identity provider (e.g. OneLogin) create a new application profile for Appraisd, referring to the provider's own instructions if needed. When setting up the application you will need to enter some of the URLs from the Appraisd configuration page.
- While you are creating the application, your identity provider will give you details to enter into Appraisd: the X.509 certificate in Base64 format, the Identity Provider Single Sign-On URL and the Identity Provider Issuer URL.
- Once you have set up the application in your identity provider and copied the certificate and the URLs into the Appraisd configuration area, email email@example.com and ask them to whitelist your SSO provider.
By default, Appraisd allows SSO and your existing password login at the same time, so you can still get into Appraisd while your SSO provider is being whitelisted.
- You will be informed once your SSO provider has been whitelisted. To test it, log out of Appraisd and click the Appraisd application button in your identity provider. You should be logged in to Appraisd immediately.
- Once SSO is working, use the configuration area in Appraisd to allow access exclusively via SSO and switch off password access. This makes the system more secure: every login then goes through your identity provider and its policies (for example multi-factor authentication and leaver offboarding), and there is no separate Appraisd password left to be phished or reused.
Here are things to check if SSO is not working:
- If some users can log in using SSO but others cannot, the problem is unlikely to be with Appraisd or with how you configured the connection to Appraisd. Ask the affected users to try a different browser, and check that they have been assigned the Appraisd application profile in your identity provider with the same access as you.
- Make sure the NameID passed to Appraisd is the user's email address, not a username or an opaque identifier.
- Ensure the email address in the identity provider matches the email address in Appraisd exactly, character for character, with no alias or difference in capitalisation.
- Ensure you have selected AES-256 encryption in your identity provider's application settings.
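The configuration steps above and this troubleshooting list both come down to a handful of fields in the SAML Response the identity provider sends back to Appraisd. The checker below is an added example written for this page, not Appraisd's own code or documentation: it takes a SAML Response captured from a test login (the base64-decoded SAMLResponse form field from your browser's developer tools) and reports whether the Issuer URL, the signing certificate, the NameID format and value, and the assertion-encryption algorithm look the way the steps above say they should. The expected values and both sample responses are constructed; the certificate, signature and ciphertext in them are placeholders, not real cryptographic material. The checker deliberately does not verify the XML signature, so only run it on responses you captured yourself and never treat its output as proof that a response is authentic.

```python
"""Check a captured SAML Response against the SSO troubleshooting points.

Added example, not Appraisd's own code. Parses the (base64-decoded)
SAMLResponse from a test login and checks Issuer, signing certificate,
NameID format/value and assertion-encryption algorithm. It does NOT
verify the XML signature; a service provider must do that before trust.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# XML Encryption data-cipher identifiers that count as "AES-256".
AES256_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}


def normalise_cert(cert):
    """Drop PEM armour and whitespace so two copies of a certificate compare byte for byte."""
    lines = (ln.strip() for ln in cert.strip().splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def check_saml_response(xml_text, expected_issuer, expected_email, expected_cert):
    """Return {check name: (passed, detail)} for one SAML Response."""
    root = ET.fromstring(xml_text)
    checks = {}

    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    checks["issuer_matches"] = (issuer == expected_issuer, issuer or "<missing>")

    # The certificate the IdP signed with must be the one pasted into Appraisd.
    cert_el = root.find(".//ds:X509Certificate", NS)
    cert = normalise_cert(cert_el.text or "") if cert_el is not None else ""
    checks["signing_cert_matches"] = (cert == normalise_cert(expected_cert),
                                      "present" if cert else "<no X509Certificate>")

    encrypted = root.find("saml:EncryptedAssertion", NS)
    if encrypted is not None:
        # The data cipher sits directly under EncryptedData; the key-transport
        # method (e.g. RSA-OAEP) is nested deeper, inside EncryptedKey.
        method = encrypted.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        alg = method.get("Algorithm", "") if method is not None else ""
        checks["aes256_encryption"] = (alg in AES256_ALGORITHMS, alg or "<missing>")
        note = "assertion is encrypted; decrypt it before inspecting NameID"
        checks["nameid_format"] = checks["nameid_value"] = (False, note)
        return checks

    checks["aes256_encryption"] = (False, "assertion is not encrypted")
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        checks["nameid_format"] = checks["nameid_value"] = (False, "<no NameID>")
        return checks
    fmt = nameid.get("Format", "")
    checks["nameid_format"] = (fmt == EMAIL_NAMEID_FORMAT, fmt or "<unspecified>")
    value = (nameid.text or "").strip()
    if value == expected_email:
        detail = "exact match"
    elif value.lower() == expected_email.lower():
        detail = "differs only in capitalisation: %r vs %r" % (value, expected_email)
    else:
        detail = "%r does not match %r" % (value, expected_email)
    checks["nameid_value"] = (value == expected_email, detail)
    return checks


# Constructed samples: certificate, signature and ciphertext are placeholders.
SAMPLE_CERT = "MIIBconstructedPLACEHOLDERcert=="
SAMPLE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBconstructedPLACEHOLDERcert==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:EncryptedAssertion><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Run `check_saml_response(SAMPLE_SIGNED, "https://idp.example.com/saml/metadata", "Jane.Doe@example.com", SAMPLE_CERT)` and every check passes except `aes256_encryption`, because the sample assertion is sent in the clear; pass `"jane.doe@example.com"` instead and `nameid_value` fails with a note that the two addresses differ only in capitalisation, which is the most common cause of the "email must match exactly" problem. With `SAMPLE_ENCRYPTED` the encryption check passes but the NameID checks cannot run until the assertion is decrypted, so an encrypted-assertion setup needs the decrypted assertion (or the identity provider's own test tool) to confirm the NameID.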