Important: This service is only available for purchaser organizations.
SSO is an authentication scheme that lets a user access multiple applications after signing in just once. Keelvar delegates the authentication process to an external provider, so users can access the Keelvar platform without entering a separate username and password when logging in. Once SSO integration is complete, users from the organization can only log in using SSO and will no longer be able to log in with an email address and password.
Most organizations use email addresses to uniquely identify users. However, it’s possible to use an internal identifier—typically an IT or corporate ID—since email addresses can change over time. If an email address is not used as the user identifier, Keelvar needs to store the identifier for each user as they are created in the application. It is important to note that once the user has been created, the SSO ID cannot be changed from within the application.
Keelvar’s primary standard for SSO is SAML2, an XML-based protocol designed for exchanging authentication and authorization identities between different security domains. It achieves this by using security tokens called assertions. These assertions pass information about a principal (typically an end-user) between two key entities:
- Identity Provider (IdP): The SAML authority that authenticates the user.
- Service Provider (SP): The SAML consumer (in this case, Keelvar) that relies on the IdP for authentication.
The following details are gathered from the organization before the integration begins:
- Technical contacts: The email addresses of the technical contacts who will be the point of contact for the Keelvar technical team.
- Environments: Does the organization have a test environment where the implementation can be tested before production?
- User identifier: Will email be used as the identifier or an internal ID?
- Email domains: A list of the valid email domains of the organization.