What is Single Sign On (SSO)?
SSO allows you to have a centrally-managed single username and password for connecting to multiple web applications.
What are the benefits of SSO?
- Reduces password fatigue from having to remember different username and password combinations. The more unique usernames and passwords a user must memorize, the higher the chance they will choose an easy-to-guess password or store their password in an unsecured place, where it is at risk of being stolen.
- Reduces IT costs due to lower number of IT help desk calls about passwords, e.g. password resets.
- Reduces IT costs by centralising user access management. For example, when a user is deactivated in the enterprise, access to the Panviva application is deactivated at the same time.
- Improves security, as the user’s credentials are provided directly to the central SSO service rather than to the application the user is trying to access, so the credentials cannot be cached by that application. The central authentication point – the SSO service – limits the possibility of fraud.
- A Panviva customer has complete control of user details, including passwords, and can enforce their password policy.
Based on these benefits, we strongly recommend that all our clients take advantage of the Panviva SSO capabilities.
How does SSO work?
The user’s identity and password are stored in a single place (e.g. Azure Active Directory, OneLogin, Okta, etc.) controlled by your organization, known as the Identity Provider (IdP). When a user accesses Panviva, your IdP authenticates the user and the SSO service then securely and seamlessly provides their identity details to Panviva (see the diagram below for more detail):
Panviva SSO model
The Panviva Service Provider initiated SSO service is based on the Security Assertion Markup Language (SAML) v2.0 specification. SAML is an XML standard that allows secure web domains to exchange user authentication and authorization data. Panviva uses Okta as our online identity provider to authenticate users who want to access Panviva content. In turn, Okta should be able to integrate with all existing open source and commercial identity provider solutions, so whatever IdP you utilise, we are confident of being able to support you.
Panviva’s Service Provider initiated SSO service provides customers with full control over the authorization and authentication of the hosted user accounts that can access the Panviva application. Using the SAML model, Panviva acts as the service provider and customers are the identity providers that control the usernames, passwords and other information used to identify, authenticate and authorise Panviva users.
Note: Panviva supports Service Provider initiated SSO via SAML v2.0 only; Identity Provider initiated SSO is not supported.
SSO Setup Requirements
1. Panviva provides the customer with:
- Assertion Consumer Service URL (for example, https://us.login.panviva.io/sso/saml2/<your_unique_number>)
- Audience URI (for example, https://www.okta.com/saml2/service-provider/<your_unique_number>)
- Signing certificate
2. Customer provides Panviva with:
- IdP Issuer URI (Identity Provider’s unique identifier) – this value is usually the SAML metadata EntityID of the IdP EntityDescriptor.
- IdP Single Sign On URL – The binding-specific IdP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages.
- IdP Signature certificate – The PEM or DER encoded public key certificate of the Identity Provider used to verify SAML message and assertion signatures.
3. Panviva takes these details and implements Service Provider initiated SSO.
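Each value exchanged in steps 1 and 2 reappears inside the SAML Response the IdP sends back, and the service provider has to check them there: the Destination against the Assertion Consumer Service URL, the Audience against the Audience URI, the Issuer against the IdP Issuer URI, plus the validity window and the InResponseTo reference that an SP-initiated flow requires. The following is an added example of those checks, not Panviva’s code; the SAML document is constructed sample data, PLACEHOLDER_ID stands in for the customer’s unique number, the IdP Issuer URI is an assumed value, and signature verification with the IdP signing certificate is assumed to be done by a SAML library before these checks run.

```python
"""Check a SAML 2.0 Response against the values exchanged during SSO setup.
Added example, not Panviva code; the XML is constructed sample data and the
IdP Issuer is an assumed value. Signature verification with the IdP signing
certificate is assumed to have been done by a SAML library before this runs."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Setup values; PLACEHOLDER_ID stands in for the customer's unique number.
SP_CONFIG = {
    "acs_url": "https://us.login.panviva.io/sso/saml2/PLACEHOLDER_ID",
    "audience": "https://www.okta.com/saml2/service-provider/PLACEHOLDER_ID",
    "idp_issuer": "https://idp.example.com/saml/metadata",  # assumed EntityID
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML UTC timestamp

def validate_response(xml_text, config, now, request_id):
    """Return a list of problems; an empty list means the response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    # SP-initiated only: the response must answer the AuthnRequest we issued.
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our AuthnRequest ID")
    if root.get("Destination") != config["acs_url"]:
        problems.append("Destination is not our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    if assertion.findtext("saml:Issuer", "", NS) != config["idp_issuer"]:
        problems.append("Issuer is not the configured IdP Issuer URI")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if config["audience"] not in audiences:
        problems.append("Audience does not include our Audience URI")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its validity window")
    return problems

# Constructed sample response that matches SP_CONFIG when evaluated at NOW.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
 Destination="https://us.login.panviva.io/sso/saml2/PLACEHOLDER_ID">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://www.okta.com/saml2/service-provider/PLACEHOLDER_ID</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
NOW = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
```

Running `validate_response(SAMPLE_RESPONSE, SP_CONFIG, NOW, "_req42")` returns an empty list; changing any one of the configured values, the request ID or the clock produces the corresponding problem entry.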