Apricot Federated Single Sign On (SSO)

Federated SSO lets Administrators configure Apricot so that users can log in through their organization's Identity Provider.


Federated Single Sign On provides a new method for Apricot user authentication: users log in through an Identity Provider (IDP), for example Azure or G Suite.

This feature is available for all Apricot 360 users in the United States, Canada, and Australia. Please reach out to Support to gain access to Federated SSO.

Benefits

  • Improves security for the client organization

  • Improves user experience by allowing users to log in seamlessly to Apricot

  • Reduces the need for users to remember multiple passwords

  • Helps meet contractual and compliance obligations

Limitations

  • We do not support custom subdomains

  • Each environment has a separate login URL. For example, if users also have access to a Sandbox environment, Administrators must set up a separate SSO configuration for it, and that environment will have its own login URL

  • Multi-factor Authentication (MFA) for SSO users must be done through their IDP. MFA through Apricot will not work.

  • Only supports SAML 2.0 protocol

  • Administrators are the only users who can access the "Manage Federated SSO" page

  • Advanced Access Control in Apricot user settings does not apply to Manage Federated SSO


Apricot Single Sign On for Users

Users log in using the URL sent by their Administrator: they click the URL, enter their Identity Provider login details, and are redirected to Apricot.

Apricot Single Sign On for Administrators

  • Only Apricot Administrators can configure SSO

  • Users who want to log in to Apricot using SSO must have an Apricot Log-in ID that is the same email address they use to log in to their Single Sign On provider/IDP

  • Users with an SSO login will still be able to use the standard log in.

Configuring an Identity Provider for SSO

After reaching out to Support to have the feature activated for your site, follow these steps to add a configuration:

  1. Log in to Apricot

  2. Click on Administrator on the top menu

  3. Click on Access Control on the left menu

  4. Look for “Manage Federated SSO” and click to navigate to the Pool Parameters tab

  5. This will load the Federated Identity Providers page with the SSO pool ID and SSO pool domain name

  6. Use this information to generate the metadata .xml file in your identity provider (for example Azure or G Suite).

  7. Click on “Add SAML” at the top right of the page.

  8. Once you have the metadata from the Identity Provider (either a downloaded XML file or a metadata URL), either upload the file by clicking the “Select XML file” button or enter the URL in the metadata textbox.

  9. Enter the email attribute for your provider. The email attribute can be found in the metadata file or on the Identity Provider setup page.

  10. Click on Save

  11. This will generate a unique log-in URL, which can be copied using the “Copy URL” button and shared with users who need to log in through SSO. This URL is the environment's SSO login.
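Before uploading the metadata file in step 8 and choosing the email attribute in step 9, it helps to confirm the file actually describes a SAML 2.0 IdP with a signing certificate, an SSO endpoint and a non-expired validity window. The following is an added example written for this article, not Apricot's own code; the metadata document and entity names are constructed, and `check_idp_metadata` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in SAML 2.0 metadata documents.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample IdP metadata (not a real tenant); the certificate is a placeholder.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" xmlns:saml="{SAML}"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _parse_time(iso_text):
    # SAML metadata uses UTC timestamps ending in "Z"; fromisoformat needs "+00:00".
    return datetime.fromisoformat(iso_text.replace("Z", "+00:00"))

def check_idp_metadata(xml_text, now_iso=None):
    """Sanity-check IdP metadata before upload. For files of uncertain origin,
    parse with defusedxml instead of the stdlib parser."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    f = {"entity_id": root.get("entityID"), "has_idp_descriptor": idp is not None,
         "signing_cert_present": False, "sso_bindings": [], "expired": False,
         "email_attribute_candidates": []}
    valid_until = root.get("validUntil")
    if valid_until:  # validUntil is optional; when present it must still be in the future
        f["expired"] = _parse_time(valid_until) <= now
    if idp is not None:
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
            # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
            if kd.get("use", "signing") == "signing" and kd.find(f".//{{{DS}}}X509Certificate") is not None:
                f["signing_cert_present"] = True
        f["sso_bindings"] = [s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleSignOnService")]
        # Attributes advertised by the IdP whose name mentions "email" are candidates for step 9.
        f["email_attribute_candidates"] = [a.get("Name") for a in idp.iter(f"{{{SAML}}}Attribute")
                                           if "email" in (a.get("Name") or "").lower()]
    f["ok"] = f["has_idp_descriptor"] and f["signing_cert_present"] and bool(f["sso_bindings"]) and not f["expired"]
    return f
```

If the IdP's metadata does not advertise attributes, the email attribute name still has to be read from the Identity Provider setup page, as step 9 says.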

How do I delete a configuration?

Warning: Deleting the configuration will remove the configuration permanently and will not allow your users to log in to Apricot via their unique SSO URLs.

  • Click the three-dot (ellipsis) menu on your configuration and click Delete.

  • Click on “Continue” to delete the configuration or “Cancel” to cancel the delete task

Login Options

On the Manage Federated SSO page, click the Login Options tab.

Here, you can manage Login Options for your organization. The "Force SSO Login for All Users" setting lets administrators require all of their standard users to log in using SSO. The toggle applies to all standard users at once; administrators may still use the standard login workflow to authenticate their Apricot session.

When the "Force SSO Login" setting is toggled on, standard users in the organization who try to log in with the standard workflow will receive the following error: "Log In Unsuccessful."


FAQs

Is SSO available in my country?

SSO is available in the United States, Canada, and Australia.

Can we have a custom log in URL?

At this time, we do not have the option to create a custom Log-in URL.

Can I configure a custom log out URL?

Yes, a custom logout URL lets you configure the page users are sent to when they log out of Apricot. It can be set by the administrator in Workflow Settings -> Apricot Settings.

Will adding a user to my identity provider also add the user to Apricot?

No, you will have to have your Apricot Administrator add the user and user permissions.

How does this work if I have two environments to log in to (ex. a Live Database and a Sandbox)?

Each environment needs its own configuration and Log-in URL. Users will not be able to log in to both environments using a single URL.

What happens if I stay idle for a long time?

Idle time-out works differently from the standard login. The system will log you out after the number of idle minutes set by your organization, and unsaved work will be lost. Please save your work often.

Are guest users supported?

Yes, guest users can use the single sign on feature if they can authenticate through the Identity provider.
