Available starting 10/7/22, Federated Single Sign On provides a new method for Apricot user authentication, allowing users to log in through an Identity Provider (IDP) such as Azure or G Suite.
This feature is available for all Apricot 360 users. Please reach out to support or your CSM to gain access to it.
General Release Benefits
Improves security for the client organization
Improves user experience by allowing users to log in seamlessly to Apricot
Reduces the need for users to remember multiple passwords
Helps meet contractual and compliance obligations
Limitations
We do not support custom subdomains
Each environment has a separate log-in URL. For example, if users also need access to a Sandbox environment, Administrators must set up a separate SSO configuration for it, and it will have its own login URL
Standard login is not locked out: users with an SSO login can still sign in with their standard Apricot credentials
Multi-factor Authentication (MFA) for SSO users must be done through their IDP. MFA through Apricot does not apply to SSO logins.
Only the SAML 2.0 protocol is supported
Administrators are the only users who can access the "manage federated SSO" page
Advanced Access Control in Apricot user settings does not apply to Manage Federated SSO
Apricot Single Sign On for Users
Users log in using the URL sent by their Administrator. The user clicks the URL, enters their Identity Provider login details, and is redirected to Apricot.
Apricot Single Sign On for Administrators
Only Apricot Administrators can configure SSO
A user's Apricot Log-in ID must be the same email address they use to log in to their Single Sign On provider/IDP
Users with an SSO login will still be able to use the standard login.
How to configure an Identity Provider for SSO
After reaching out to support to have the feature activated for your site, follow these steps to add a configuration:
Log in to Apricot
Click on Administrator on the top menu
Click on Access Control on the left menu
Look for “Manage Federated SSO” link and click on it
This will load the Federated Identity Providers page, which shows the SSO pool ID and SSO pool domain name.
Use this information to generate the metadata .xml file in your identity provider (for example Azure or G Suite).
Click on “Add SAML” at the top right of the page.
Once you have the metadata XML file or metadata URL from the Identity Provider, either upload the file by clicking the “Select XML file” button or enter the URL in the metadata textbox.
Enter the email attribute for your provider. The email attribute can be found in the metadata file or on the Identity Provider setup page.
Click on Save
This will generate a unique log-in URL, which can be copied using the “Copy URL” button and shared with users who need to log in through SSO. This URL is the environment's SSO login.
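The metadata file and email attribute referred to in the steps above are easier to work with once you can see what they contain. The following Python script is an added illustration, not Apricot's code or tooling: it parses a constructed IdP metadata file of the kind uploaded at “Select XML file” (entity ID, SSO endpoints, signing certificate), lists the attribute names in a constructed SAML assertion from a test login so the email attribute can be identified, and checks that the attribute's value matches a user's Apricot Log-in ID as this article requires. The hostnames, certificate text and assertion contents are constructed samples, the claim URIs are the common Azure AD defaults used only as an example of what attribute names look like, and the case-insensitive comparison is an assumption, since the article does not state Apricot's exact matching rule.

```python
"""Inspect SAML 2.0 IdP metadata and an assertion to find the e-mail attribute.

Added example for this article; not Apricot's code. All XML below is constructed.
"""
import xml.etree.ElementTree as ET  # for XML from untrusted sources, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed IdP metadata: entity ID, signing certificate, SSO endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment, as returned by the IdP after a test login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2022-10-07T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Jane.Doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def summarize_idp_metadata(xml_text):
    """Return entity ID, SSO endpoints by binding, and number of signing certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata or a non-SAML file was exported by mistake
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")
    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
    signing = [kd for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing")
               and kd.find(".//ds:X509Certificate", NS) is not None]
    return {"entity_id": root.get("entityID"),
            "sso_endpoints": endpoints,
            "signing_cert_count": len(signing)}


def assertion_issuer(xml_text):
    """Issuer of the assertion; it should equal the metadata entityID."""
    return ET.fromstring(xml_text).findtext("saml:Issuer", default="", namespaces=NS).strip()


def list_assertion_attributes(xml_text):
    """Map each attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def find_email_attribute(attrs):
    """Heuristic: the single attribute whose value contains '@'. None if none or ambiguous."""
    candidates = [name for name, vals in attrs.items() if any("@" in v for v in vals)]
    return candidates[0] if len(candidates) == 1 else None


def email_matches_login_id(assertion_email, apricot_login_id):
    """Trim and case-fold before comparing (assumed policy; the article states only
    that the Log-in ID must be the same e-mail address used at the IdP)."""
    return assertion_email.strip().casefold() == apricot_login_id.strip().casefold()


if __name__ == "__main__":
    meta = summarize_idp_metadata(SAMPLE_METADATA)
    attrs = list_assertion_attributes(SAMPLE_ASSERTION)
    email_attr = find_email_attribute(attrs)
    print("IdP entity ID:", meta["entity_id"])
    print("Issuer matches metadata:", assertion_issuer(SAMPLE_ASSERTION) == meta["entity_id"])
    print("SSO endpoints:", meta["sso_endpoints"])
    print("Attribute names seen:", list(attrs))
    print("E-mail attribute to enter in Apricot:", email_attr)
    print("Matches Log-in ID:", email_matches_login_id(attrs[email_attr][0], "jane.doe@example.test"))
```

Run it against your own exported metadata and a captured test assertion by replacing the two sample strings; if `find_email_attribute` returns None, more than one attribute carries an address and the correct one must be chosen from the Identity Provider setup page.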
How to delete a configuration?
Warning: Deleting a configuration removes it permanently, and users will no longer be able to log in to Apricot via that configuration's unique SSO URL.
Click the ellipsis (three-dot) menu on your configuration and click Delete.
Click “Continue” to delete the configuration or “Cancel” to abandon the deletion.
FAQ
Do standard login users get locked out once SSO is set up?
At this time, we do not lock users out of standard login. They will be able to log in through standard login as well as single sign on.
Can we have a custom log in URL?
At this time, we do not have the option to create a custom Log-in URL.
Can I configure a custom log out URL?
Yes. A custom logout URL lets you choose the page users are sent to when they log out of Apricot. An administrator can set it in Workflow Settings -> Apricot Settings.
Will adding a user to my identity provider also add the user to Apricot?
No. An Apricot Administrator must add the user in Apricot and assign their user permissions.
How would it work if I have 2 environments to log in to? Example: Live Database and Sandbox
Each environment needs its own configuration and Log-in URL. Users cannot log in to both environments using a single URL.
What happens if I stay idle for a long time?
Idle time-out works differently from standard login: the system logs you out after the number of idle minutes set by your organization, and any unsaved work is lost. Please save your work often.
Are guest users supported?
Yes, guest users can use the single sign on feature if they can authenticate through the Identity Provider.