Single Sign-On (SSO) is an authentication scheme that allows users to log in to several software systems with the same identity. Most importantly, it reduces password-related risk by removing the need for users to hold and manage a separate password for each system, and it eases the password fatigue caused by the excessive number of passwords users otherwise have to remember.
Single Sign-On in the Emarsys Platform enables customers to configure their preferred Identity Provider (IdP) themselves for authentication. It integrates with any Identity Provider that supports the SAML 2.0 protocol, such as SAP IAS or Microsoft Azure.
How does it work?
As a first step, customers are required to configure their IdP according to the requirements described below.
After the IdP has been configured, obtain its Metadata XML; this is what is needed to enable SSO in the Emarsys Platform.
SSO can be enabled only by Account Owners using the dedicated user interface. Once SSO is enabled, the account users will be required to authenticate via SSO during login.
During the first login attempt with SSO, each user will be prompted to choose from the following options:
- to connect their IdP identity to their existing Emarsys user or
- to create a new Emarsys user
Users choosing the "connect user" option must first authenticate with their existing Emarsys credentials, so that an IdP identity can only be linked to an Emarsys user whose credentials the person actually holds.
Users choosing the "create user" option get a new Emarsys user with minimal privileges; Account Owners can then adjust its permissions.
Configuring the Identity Provider
To have a fully functioning SSO integration with the Emarsys Platform, configure an application in your IdP that supports the SAML 2.0 protocol, using the following settings.
Entity ID
Specifies the entity identifier of Emarsys (the Service Provider) from which the IdP will accept authentication requests; it is also the value the IdP places in the assertion's Audience. The Entity ID must be set to suite-sso.
Assertion Consumer Service URL
Specifies by value the URLs to which the authentication response message must be returned.
Regardless of the date when you started using Emarsys SSO, we recommend adding both URLs to your settings:
- https://sso.gservice.emarsys.net/login/auth/back
- https://sso.gservice.emarsys.net/login/auth/{account-name}
Please note that {account-name} is a placeholder for the Emarsys account name. Customers may specify as many login URLs as they have suite accounts that should authenticate through the same IdP SSO application.
Sign-On URL
The Sign-On URL allows you to log in to your account without the need to visit the Emarsys login page.
https://sso.gservice.emarsys.net/login/{account-name}
Please note that {account-name} is a placeholder for the Emarsys account name.
Assertion Attributes
Creating and configuring the assertion attributes is a mandatory step for successfully configuring SSO.
An assertion is a package of information that specifies statements made by the IdP in the event of successful authentication. Create and configure assertion attributes to contain the following user information:
- “username”: the username of the user. This has to be unique.
- “first_name”: the first name of the user.
- “last_name”: the last name of the user.
- “email”: the email address of the user.
Your identity provider may use different names for these attributes internally (Microsoft Azure, for example, emits its default claims under long URI-style names). The attribute names sent in the assertion must nevertheless be exactly the ones in this list; a differently named attribute is not recognised.
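To see what the settings above look like on the wire, here is an added example (not Emarsys' own code) that parses a constructed SAML 2.0 Response with Python's standard library and checks it against the values on this page: the Destination and the subject's Recipient must be one of the configured Assertion Consumer Service URLs, the Audience must be the Entity ID suite-sso, and the four assertion attributes must be present under exactly those names. The account name example-account, the IdP issuer and the user data are assumptions. Signature, validity-window and InResponseTo checks, which a real Service Provider must perform before trusting anything in the response, are deliberately left out.

```python
# Added example (not Emarsys code): checks a SAML 2.0 Response against the
# settings required on this page. Signature, NotBefore/NotOnOrAfter and
# InResponseTo validation, mandatory for a real Service Provider, are omitted.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from this page; "example-account" is a hypothetical account name.
EXPECTED_AUDIENCE = "suite-sso"
EXPECTED_ACS_URLS = {
    "https://sso.gservice.emarsys.net/login/auth/back",
    "https://sso.gservice.emarsys.net/login/auth/example-account",
}
REQUIRED_ATTRIBUTES = ("username", "first_name", "last_name", "email")

# Constructed sample response, unsigned and trimmed to the elements checked below.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sso.gservice.emarsys.net/login/auth/example-account">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://sso.gservice.emarsys.net/login/auth/example-account"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>suite-sso</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed misconfiguration: the IdP was left on its default URI-style claim
# name for e-mail, and the application's Entity ID was mistyped.
BROKEN_RESPONSE = SAMPLE_RESPONSE.replace(
    'Name="email"',
    'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"',
).replace("suite-sso", "suite_sso")


def attributes(assertion):
    """Map each Attribute Name (exact, case-sensitive) to its list of values."""
    result = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result


def check_response(xml_text):
    """Return a list of configuration problems; an empty list means the response matches."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") not in EXPECTED_ACS_URLS:
        problems.append(f"Destination {root.get('Destination')!r} is not a configured ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not contain Entity ID {EXPECTED_AUDIENCE!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") not in EXPECTED_ACS_URLS:
        problems.append("SubjectConfirmationData Recipient is not a configured ACS URL")
    present = attributes(assertion)
    for name in REQUIRED_ATTRIBUTES:
        if not present.get(name) or not present[name][0]:
            problems.append(f"attribute {name!r} missing or empty")
    return problems


if __name__ == "__main__":
    print("sample response:", check_response(SAMPLE_RESPONSE) or "OK")
    for problem in check_response(BROKEN_RESPONSE):
        print("broken response:", problem)
```

Running it reports no problems for the first response and two for the second: the Entity ID mismatch and the e-mail address shipped under the IdP's default claim name instead of email, which is exactly the attribute-naming mistake the note above warns about. Attribute names are matched exactly, as a SAML Service Provider does, so renaming the claim in the IdP is the fix, not changing its FriendlyName.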
Supported functionality
Single Sign-On supports every identity provider that supports SAML 2.0. These include:
- SAP Identity Authentication Service
- MS Azure
- AWS IAM Identity Center
- Google Workspace
- Okta
- ADFS, etc.
The current SSO implementation should work with any SAML 2.0 compatible IdP, but to date it has been tested only with Microsoft Azure and SAP Identity Authentication Service.
For more information on the exact steps for setting up the SSO in the SAP Identity Authentication Service and on the Emarsys side, see:
Known Limitations
Currently we do not have support for:
- Mixed setups: If a customer sets up SSO login, then all administrators must use this feature.
- Federated logout: logging out of Emarsys does not log the user out of the IdP, and vice versa. Manual logout and the session timeout are still available.
- User deprovisioning: If a user is deleted in the Identity Provider, it will not be automatically deleted from our systems, but the user will not be able to log in.
There are small changes on the user management side:
- Administrators who belong to customers with the "single_signon" feature enabled are not disabled automatically (e.g., after long inactivity).
- Administrators can be deleted, but they will be recreated with no permissions on their next SSO login.
- The 'administrator creation' functionality has not been disabled; however, administrators created manually in the user management will not be able to log in.
- The "forgot password" functionality has not been disabled and a new password can be set; however, this has no effect on the SSO login flow.
- Currently, permissions and roles can be managed only in the Emarsys user management; the SAML 2.0 SSO is used only for authentication, not authorisation. New users are created with the "restricted" role.
When SSO is enabled, IP Access Control is bypassed: it is possible to log in via SSO from an IP address that IP Access Control would otherwise reject. When SSO is in use, restricting the source IP addresses of logins is the responsibility of the identity provider, for example through its own access policies.