Available starting 10/7/22, Federated Single Sign On provides a new method for Apricot user authentication, allowing users to log in using an Identity Provider (IDP). Example: Azure, G Suite, etc.

This feature is available for Apricot 360 users as an add-on feature. Please reach out to your account manager to inquire about costs.

Set up steps for Admins

FAQ

General Release Benefits

  • Improves security for the client organization

  • Improves user experience by allowing users to log in seamlessly to Apricot

  • Reduces the need for users to remember multiple passwords

  • Meets contractual and compliance obligations

Limitations

  • We do not support custom subdomains

  • Each environment has a separate login URL. For example, if users also have access to a Sandbox environment, Administrators must set up a separate SSO configuration for it, which will have its own login URL.

  • No lockout of the standard login: users with SSO can still log in with their Apricot password

  • Multi-factor Authentication (MFA) for SSO users must be done through their IDP. MFA through Apricot will not work for SSO logins.

  • Only supports SAML 2.0 protocol

  • Administrators are the only users who can access the "manage federated SSO" page

  • Advanced Access Control in Apricot user settings does not apply to Manage Federated SSO


Apricot Single Sign On for Users

Users log in using the URL sent by their Administrator. They click the URL, enter their Identity Provider login details and are redirected to Apricot.


Apricot Single Sign On for Administrators

  • Only Apricot Administrators can configure SSO

  • Users who want to log in to Apricot using SSO must have an Apricot Log-in ID that is the same email address they use to log in to their Single Sign On provider/IDP

  • Users with an SSO login will still be able to use the standard login.

How to configure an Identity Provider for SSO

Please follow these steps to add a configuration:

  1. Log in to Apricot

  2. Click on Administrator on the top menu

  3. Click on Access Control on the left menu

  4. Look for “Manage Federated SSO” link and click on it

  5. This will load the Federated Identity Providers page with the SSO pool ID and SSO pool domain name

  6. Use this information to generate the metadata .xml file in your identity provider. Example: Azure, G Suite, etc.

    1. Instructions for Azure

  7. Click on “Add SAML” at the top right of the page.

  8. Once you have downloaded the metadata from the Identity Provider, either upload the .xml file by clicking the “Select XML file” button or enter the metadata URL in the metadata textbox.

  9. Enter the email attribute for your provider. The email attribute can be found in the metadata file or on the Identity Provider setup page.

  10. Click on Save

  11. This will generate a unique login URL, which can be copied using the “Copy URL” button and shared with users who need to log in through SSO. This URL is the environment's SSO login.
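Before uploading the metadata file in step 8, it is worth confirming that it is IdP metadata, has not expired, carries a signing certificate and lists the attribute you will enter in step 9. The following is an added example written for this page, not Apricot's own code; the metadata document and the attribute name in it are constructed sample values, and real IdP metadata may not list attributes at all, in which case the attribute name must be taken from the IdP setup page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata, trimmed to the elements the checks below look at.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return the values an admin needs (entityID, SSO endpoints, attribute names)
    plus a list of problems that should stop the file from being uploaded."""
    root = ET.fromstring(xml_text)
    problems = []
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        return {"problems": ["not SAML 2.0 IdP metadata (no md:EntityDescriptor/md:IDPSSODescriptor)"]}
    valid_until = root.get("validUntil")  # optional; if present it must be in the future
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= datetime.now(timezone.utc):
        problems.append("metadata validUntil has passed: %s" % valid_until)
    # Map binding short name -> endpoint URL; the IdP must be reached over HTTPS.
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    for location in sso.values():
        if not (location or "").startswith("https://"):
            problems.append("SSO endpoint is not HTTPS: %s" % location)
    # A KeyDescriptor with use="signing" (or no use attribute) must carry a certificate,
    # otherwise the service provider has nothing to verify assertion signatures with.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not any(k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None for k in signing):
        problems.append("no signing certificate in metadata")
    attributes = [a.get("Name") for a in idp.findall("saml:Attribute", NS)]
    return {"entity_id": root.get("entityID"), "sso_endpoints": sso,
            "attributes": attributes, "problems": problems}
```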

How to delete a configuration?

Warning: Deleting the configuration will remove the configuration permanently and will not allow your users to log in to Apricot via their unique SSO URLs.

  • Click the ellipsis (three dots) on your configuration and click Delete.

  • Click on “Continue” to delete the configuration or “Cancel” to cancel the delete task


FAQ

Do standard login users get locked out once SSO is set up?

At this time, we do not lock users out of standard login. They will be able to log in through standard as well as single sign on.

Will the account be charged by the number of users logging in through SSO or the number of licenses?

The account will be charged by the number of licenses on it regardless of the number of users who log in through Single Sign On. Guest users do not count towards the number of licenses.

Can we have a custom login URL?

At this time, we do not have the option to create a custom Log-in URL.

Can I configure a custom log out URL?

Yes. A custom logout URL sets the page users are sent to when they log out of Apricot. It can be set by the administrator in Workflow Settings -> Apricot Settings.

Will adding a user to my identity provider also add the user to Apricot?

No, you will have to have your Apricot Administrator add the user and user permissions.

How would it work if I have 2 environments to log in to? Example: Live Database and Sandbox

Each environment needs its own configuration and login URL. Users will not be able to log in to both environments using a single URL.

What happens if I stay idle for a long time?

Idle time-out works differently from the standard login: the system logs you out after the number of minutes set by your organization, and unsaved work is lost. Please ensure you save your work often.
