Single Sign-on Setup

Introduction to Single Sign-On (SSO)

With Single Sign-On (SSO) a user can log into multiple apps with just one set of credentials. The user does not need to remember multiple passwords. Using SSO is not only more user friendly, but also more secure than using multiple passwords.

The best-known on-premises SSO solution is Microsoft Active Directory Federation Services (ADFS) which is part of Microsoft Windows Server. Various third parties provide SSO cloud solutions, such as Microsoft Entra ID, Google Workspace, and Okta. These cloud solutions often provide other functionalities in addition to SSO.

Pros and cons of per-app access

It is in principle safer to use a very strong password for each application, since this would appear to limit the scope of breaches. This method, however, has several disadvantages:

  • Password management for each application involves additional administrative burden. Users often forget their passwords, and the more passwords a user must maintain, the higher the chance that they are lost.

  • It is difficult for an organization to implement a coherent per-application password policy.

  • It is especially hard to prevent password reuse across applications, which decreases the theoretical advantages offered by having per-app passwords.

  • Monitoring/logging access to individual applications is complex and it’s harder to detect breaches.

Benefits of using SSO

SSO simplifies password management for both administrators and users:

  • A user only needs to remember one password and can always log in to multiple applications.

  • The ability to centrally manage accounts reduces the administrative burden with regard to resetting passwords.

  • If a contractor or employee leaves service, all access can be withdrawn at the push of a button.

  • With cloud SSO solutions, it is very easy to provide additional security for accounts with Multi-Factor Authentication (MFA).

  • Cloud SSO solutions often provide an app dashboard. With one click, the user can start every application and is automatically logged in.

  • Most SSO cloud solutions offer good monitoring, so a breach is quickly detected.

Disadvantages of using SSO

The biggest (practical) disadvantage of SSO is that one set of credentials (one login name and password) gives access to multiple applications. If a malicious person or organization has access to these, they have the same level of access as the logged-in user. Thus, multiple apps can be compromised at the same time. In principle, it is also possible that a compromised IdP leaks access credentials, but every Identity Provider (for example, Okta) allocates resources to prevent this far in excess of what most IT departments can.

Identity Providers (IdP)

SSO works based on an Identity Provider (IdP) and a Service Provider (SP). There is a trust relationship between the IdP and the SP. The SP trusts that the IdP authenticates the user properly and securely. Conversely, the IdP trusts the SP to log in only the user it has authenticated, and not another user. The IdP is the gatekeeper that authenticates a user with their workplace credentials when the user logs in to Zivver.

The use of SSO in Zivver

If an organization sets up an SSO link with Zivver, the organization takes full responsibility for authenticating its users. Namely, the IdP indicates to Zivver (the SP) that a specific user is logged into Zivver. The organization thereby guarantees that the IdP authenticates the user in a secure manner, if necessary with multiple factors. It also guarantees that a malicious person or organization cannot circumvent this authentication. Zivver does not check the SSO login attempt and does not use its own MFA (multi-factor authentication) if SSO is present. By default, all Zivver accounts are additionally protected with MFA, unless the organization disables this security layer by using SSO.
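The trust relationship described above comes down to the SP accepting an assertion from the IdP. The following added example (not Zivver's code; entity IDs, user and timestamps are constructed) shows the checks an SP applies to a SAML 2.0 assertion before trusting it: trusted issuer, validity window, and audience. It assumes the XML signature over the assertion has already been verified by a SAML library; that step is not performed here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Hypothetical entity IDs for the IdP and for Zivver acting as SP.
TRUSTED_IDP = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"

# Constructed sample assertion (no signature shown; see lead-in).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, trusted_issuer=TRUSTED_IDP,
                       sp_entity_id=SP_ENTITY_ID, skew=timedelta(seconds=30)):
    """Apply the SP-side trust checks; return the asserted NameID or raise ValueError.
    Precondition: the XML signature over this assertion was already verified."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    # 1. Only the IdP we federated with may vouch for users.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise ValueError(f"untrusted issuer {issuer!r}")
    # 2. The assertion must be fresh (small clock skew tolerated).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    # 3. It must be addressed to this SP, not to some other application.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing Subject NameID")
    return name_id
```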

Technical support

Zivver can set up an SSO link with every IdP, as long as the IdP supports SAML 2.0. Currently Zivver supports these IdPs "out of the box":

  • Okta

Contact Zivver at enterprise@zivver.com if your organization wants to set up an SSO link with an IdP for which a manual is not yet available.

External access

Not all IdPs can be accessed externally, that is, from outside the company network. An IdP in the cloud can of course be accessed regardless of location. To use Zivver, it is important that the IdP can be accessed externally. Users can log in anywhere (at home or on the road) in the Zivver WebApp, the Zivver Mobile App (for Android/iOS) and the Zivver Outlook Web Access Add-in.

Note
If the IdP cannot be accessed externally, users can log in to Zivver only internally. This is because password login is not allowed for user accounts while SSO is active. Administrator accounts are allowed to log in externally with a password.

SSO without Synctool

If you use Single Sign-On (SSO) without the Zivver Synctool to automatically create accounts, you will by default create normal Zivver accounts with a temporary password. The user enters this temporary password when logging into Zivver for the first time and can subsequently log in with the SSO login credentials. This method has the disadvantage that you need to share the temporary password with the user; otherwise the user cannot log in the first time.

It is possible to disable the step with a temporary password so that your users can log into Zivver with SSO without entering a temporary password at the first login. A Zivver support agent can enable this functionality for you. As a Zivver administrator, you no longer need to share the temporary password with the user.

Note
It is important that users log in quickly, for example within 4 weeks after creating the Zivver account. If users don’t log in promptly after creating the Zivver account, Zivver recommends deleting the created accounts.

Create user accounts with SSO login

The Just-in-time Provisioning solution automates the creation of user accounts in Zivver when users log in using Single Sign-On. This cloud-based solution can eliminate the need for manual account creation in the Webapp or setting up the Synctool for pre-synchronizing accounts from source systems. Read more in the article on Just-in-time Provisioning for User Accounts.