Single Sign-on Setup

Introduction to Single Sign-On (SSO)

With Single Sign-On (SSO), a user can log into multiple apps with just one set of credentials. The user does not need to remember multiple passwords. Using SSO is not only more user-friendly, but also more secure than using multiple passwords.

The best-known on-premises SSO solution is Microsoft Active Directory Federation Services (ADFS), which is part of Microsoft Windows Server. Various third parties provide SSO cloud solutions, such as Microsoft Entra ID, Google Workspace, and Okta. These cloud solutions often provide additional functionality beyond SSO.

Pros and cons of per-app access

Using a very strong password for each application is in principle safer, as it limits the potential impact of breaches. However, this method has several disadvantages:

  • Password management for each application involves additional administrative burden. Users often forget their passwords, and the more passwords a user must maintain, the higher the chance of loss.
  • Implementing a coherent per-application password policy across an organization is difficult.
  • Preventing password reuse across applications is especially hard, reducing the theoretical benefits of per-app passwords.
  • Monitoring and logging access to individual applications is complex, making breach detection more difficult.

Benefits of using SSO

SSO simplifies password management for both administrators and users:

  • A user only needs to remember one password and can always log in to multiple applications.
  • Administrators can centrally manage accounts, reducing the administrative burden of resetting passwords.
  • When a contractor or employee leaves, all access can be withdrawn with a single action.
  • Cloud SSO solutions make it easy to add additional security through Multi-Factor Authentication (MFA).
  • Cloud SSO solutions often provide an app dashboard, allowing users to start every application with a single click and be automatically logged in.
  • Most SSO cloud solutions offer good monitoring, so breaches are quickly detected.

Disadvantages of using SSO

The main disadvantage of SSO is that one set of credentials (username and password) grants access to multiple applications. If a malicious actor gains access, multiple apps can be compromised simultaneously. Compromised IdPs may also leak credentials, but IdPs like Okta invest heavily in security measures, beyond what most IT departments can implement.

Identity Providers (IdP)

SSO relies on an Identity Provider (IdP) and a service provider (SP). There is a trust relationship between the IdP and the SP. The SP trusts that the IdP authenticates users securely, while the IdP trusts the SP to accept the authenticated user. When users log in to Zivver, the IdP authenticates them with their workplace credentials.

The use of SSO in Zivver

When an organization sets up SSO with Zivver, it takes full responsibility for authenticating its users. The IdP informs Zivver (the SP) that a specific user is authenticated. The organization ensures that the IdP authenticates users securely, including multiple factors if required. Zivver does not enforce additional MFA if SSO is active. By default, all Zivver accounts are protected with MFA unless the organization disables this via SSO.
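Because MFA becomes the IdP's job once SSO is active, it is worth checking what your IdP actually asserts. The following is an added example, not Zivver or IdP code: it inspects a base64-encoded SAML 2.0 response from a test login and reports a password-only authentication context or a missing audience restriction. The sample responses are constructed and the SP entity ID `https://sp.example.invalid/saml` is a placeholder.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# SAML 2.0 authentication context classes that describe a password alone.
PASSWORD_ONLY = {AC + "Password", AC + "PasswordProtectedTransport"}


def audit_response(b64_response, expected_audience):
    """Report what the IdP asserted. This inspects claims from your own
    test login only; it does NOT verify the XML signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted assertion found"]
    findings = []
    refs = {e.text.strip() for e in
            assertion.iterfind(".//saml:AuthnContextClassRef", NS) if e.text}
    if not refs:
        findings.append("authentication method is not stated")
    elif refs <= PASSWORD_ONLY:
        findings.append("password-only authentication context: "
                        + ", ".join(sorted(refs)))
    audiences = {e.text.strip() for e in
                 assertion.iterfind(".//saml:Audience", NS) if e.text}
    if expected_audience not in audiences:
        findings.append("assertion is not restricted to audience "
                        + expected_audience)
    return findings


def sample_response(class_ref, audience):
    """Constructed sample, not captured from any real IdP."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        '<saml:Conditions><saml:AudienceRestriction><saml:Audience>'
        + audience + '</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions><saml:AuthnStatement><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>' + class_ref +
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sp = "https://sp.example.invalid/saml"  # placeholder entity ID
    for ref in ("PasswordProtectedTransport", "MobileTwoFactorContract"):
        print(ref, audit_response(sample_response(AC + ref, sp), sp))
```

An IdP may report additional factors outside `AuthnContextClassRef`, so treat a password-only finding as a prompt to review the IdP's sign-in policy rather than as proof that MFA is off.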

Technical support

Zivver supports SSO links with any IdP that supports SAML 2.0. Currently, Zivver supports these IdPs out of the box:

  • Google Workspace
  • Microsoft ADFS
  • Microsoft Entra ID
  • Okta
  • VMware
  • OneLogin
  • HelloID

Contact Zivver at enterprise@zivver.com if your organization wants to set up an SSO link with an unsupported IdP.

External access

Some IdPs cannot be accessed externally, that is, from outside the company network. Cloud-based IdPs can be accessed from anywhere. To use Zivver, the IdP must be externally accessible. Users can log in via the Zivver WebApp, the Zivver Mobile App (Android/iOS), and the Zivver Outlook Web Access Add-in.

Note
If the IdP cannot be accessed externally, users can only log in to Zivver internally. Administrator accounts can still log in externally with a password.

SSO without automated account management

Using SSO without the Zivver Synctool or Zivver Cloud Sync creates normal Zivver accounts with temporary passwords. Users enter this password at first login and can subsequently log in with SSO credentials. The disadvantage is that the temporary password must be shared with the user.

Zivver support can disable this temporary password step, allowing users to log in with SSO immediately. Administrators no longer need to share a temporary password.

Note
Users should log in within 4 weeks after account creation. If users do not log in promptly, Zivver recommends deleting these accounts.

Create user accounts with SSO login

Just-in-time Provisioning automates user account creation in Zivver when users log in via SSO. This eliminates manual account creation in the WebApp or pre-synchronization using Zivver Synctool or Cloud Sync. Read more in Just-in-time Provisioning for User Accounts.

Delete Single sign-on

  1. Log in at the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Scroll to the Clear Single sign-on settings card.
  6. Click .
  7. Remove the SSO application for Zivver from your IdP. Steps vary by IdP.