Apricot Federated Single Sign On (SSO)

Federated SSO lets Administrators configure the Apricot login process so that users sign in to Apricot through their organization's Identity Provider.


What is SSO?

Federated Single Sign-On (SSO) is a feature that allows Apricot users to log in using their existing credentials from an external Identity Provider (IDP) like Azure or G Suite. This simplifies access to Apricot by integrating its login mechanism with broader organizational authentication systems.

This feature is available for all Apricot 360 users in the United States, Canada, and Australia. Please reach out to Support to gain access to Federated SSO.

Benefits of SSO

  • Enhanced Security: Secure login through your organization's existing authentication system

  • Simplified Login: Users log in faster and more conveniently using their existing IDP credentials

  • Fewer Passwords: Reduces the number of passwords users need to remember and manage

  • Compliance: Meets contractual and compliance requirements

Feature Limitations

  • Federated SSO is not itself a two-factor authentication system, but it can work with an IDP that supports multi-factor authentication (MFA). MFA for SSO users must be enforced by the IDP, as MFA through Apricot is not supported.

  • Custom subdomains are not supported.

  • Only the SAML 2.0 protocol is supported.

  • Each environment (e.g. Sandbox and Live Database) has a separate SSO configuration and login URL.

  • Only Administrators can access the "Manage Federated SSO" page.

  • Advanced Access Control user settings in Apricot do not apply to the Manage Federated SSO page.


How to Use Federated SSO as a User

  1. Get Your Login URL: Your Administrator will send you a unique login URL.

  2. Log In: Click the URL to be redirected to your Identity Provider's (IDP) login page. Enter your usual IDP credentials.

  3. Access Apricot: After successful authentication, you will be redirected to Apricot and logged in.

Configuring an Identity Provider for SSO

Note: Only Apricot Administrators can configure SSO. After reaching out to Support to have SSO activated for your organization, please follow these steps to add an SSO configuration:

  1. Log in to Apricot.

  2. Click on Administrator on the top menu.

  3. Click on Access Control on the left menu.

  4. Look for “Manage Federated SSO” and click to navigate to the Pool Parameters tab.

  5. The Identity Provider's page loads, showing the SSO pool ID and SSO pool domain name. Use these values to generate the metadata .xml file in your IDP.

  6. Click on "Add SAML" at the top right of the page.

  7. Upload the metadata to Apricot by clicking on "Select XML file" or entering the metadata URL in the textbox.

  8. Enter the email attribute for your provider, which can be found in the metadata file or on the IDP setup page.

  9. Click Save.

  10. This generates a unique login URL, which can be copied with the “Copy URL” button and shared with users who need to log in through SSO. This URL is your Apricot environment's SSO login.
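As an added example (not Apricot's own code), here is a small Python check an administrator can run on the IDP metadata .xml from step 5 before uploading it in step 7: it pulls out the entityID, the SSO endpoints and the attribute names, flags a missing signing certificate or a non-HTTPS endpoint, and suggests the email attribute name for step 8. The entity ID, URLs and certificate in the sample metadata are constructed placeholders.

```python
# Added example (not Apricot's own code): inspect a SAML 2.0 IdP metadata file
# before uploading it, and find the e-mail attribute name asked for in step 8.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample metadata: entityID, URLs and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idp.example.org/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.org/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://idp.example.org/sso/post"/>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints, signing keys and attributes; flag weak settings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    signing = sum(1 for k in idp.findall("md:KeyDescriptor", NS)
                  if k.get("use") in (None, "signing"))
    info = {"entity_id": root.get("entityID"), "sso_endpoints": endpoints,
            "signing_certs": signing, "warnings": [],
            "attributes": [a.get("Name") for a in idp.findall("saml:Attribute", NS)]}
    if signing == 0:
        info["warnings"].append("no signing certificate: responses cannot be verified")
    for binding, location in endpoints.items():
        if not location.startswith("https://"):
            info["warnings"].append(f"{binding} endpoint is not HTTPS: {location}")
    return info

def email_attribute(info):
    """Return the listed attribute name that carries the e-mail claim, or None."""
    return next((n for n in info["attributes"] if "mail" in n.lower()), None)
```

Run it against the sample and the HTTP-POST endpoint is flagged because it is served over plain HTTP; a real IDP export should produce no warnings before you upload it.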

Managing SSO Configurations

Force SSO Login for All Users

On the Manage Federated SSO page, click the Login Options tab to manage settings for your organization.

The "Force SSO Login for All Users" setting lets administrators require all standard users to log in using SSO. Toggling it on or off applies to all standard users; administrators, however, may still use the standard login workflow to authenticate their Apricot session.

When the "Force SSO Login" setting is toggled on, standard users in the organization who try to log in with the standard Apricot login workflow will receive the following error: "Log In Unsuccessful."

Deleting a configuration

Important: Deleting a configuration removes it permanently. Users will be unable to log in to Apricot via their unique SSO URLs.

  1. Click the ellipsis (three-dot) icon next to your configuration and click Delete Configuration.

  2. Click “Continue” to delete the configuration.


FAQs

Is SSO available in my country?

SSO is available in the United States, Canada, and Australia.

Can we have a custom login URL?

At this time, there is no option to create a custom login URL.

Can I configure a custom logout URL?

Yes, administrators may configure a custom logout page for when a user logs out of Apricot in Workflow Settings > Apricot Settings.

Will adding a user to my identity provider also add the user to Apricot?

No, an Administrator must add the user and user permissions in Apricot separately.

What if I have two environments to log in to (e.g. a Live Database and a Sandbox)?

Each Environment needs its own SSO configuration and login URL. Users will not be able to log in to both environments with the same URL.

What happens if I stay idle for a long time?

The system will log you out after a period of inactivity configured by your organization. Save your work frequently so you do not lose it.

Are guest users supported in SSO?

Yes, guest users can use the Single Sign-On feature if they can authenticate through the Identity Provider.
