Getting Started: SSO - Single Sign-On
This is a guide for customers interested in implementing Single Sign-On (SSO) for their organization, covering the prerequisites, technical requirements, and implementation process.
For customers already using SSO, see our Frequently Asked Questions here: FAQ: Single Sign On
What is Single Sign-On? Does Avero offer SSO?
Single Sign-On, also referred to as SSO, is a way for large organizations to reduce the number of times employees have to log in to various systems by tying those systems back to their email account/basic login information. This makes it much easier on you!
Avero offers SSO only for customer organizations on our Professional Subscription Level.
If SSO interests your organization, you can discuss your account's eligibility with your Avero Customer Success Manager or Avero Support.
What are the eligibility and technical requirements for SSO?
Eligibility: SSO is only available for select Enterprise and Professional subscription packages. If you are not sure if you qualify, you can ask your Customer Success Manager. Subscription updates may be required to implement SSO.
Technical Requirements:
- You must use an Identity Provider that is SAML 2-compatible, and use email addresses as the key identifier to be eligible.
- You must provide a complete list of managed domains to Avero for configuration. Users cannot access the Avero platform with any email addresses outside your managed domains.
- Please note that the entire organization will be switched over to SSO and all users will have to log in through the SSO flow. Individual locations or businesses cannot be excluded from this flow.
If I meet these requirements, how do I get started?
First, you'll need to gather the following and confirm your eligibility with your Avero Customer Success Manager or Avero Support:
- The name of your identity provider
- The issuer (entity ID)
- The certificate
- A complete list of managed SSO-enabled email domains
- The sign-in URL for login redirection
- A technical contact to manage the process
Once you've confirmed eligibility and gathered your details, Avero will provide your Avero SSO URL, which you will use to create a SAML application for Avero in your Identity Provider.
This application will be used to validate the technical details. We will coordinate with your technical contact during the testing phase. Once the testing phase is complete, we will work with your organization to plan a go-live schedule. The go-live schedule will include:
- Messaging from Avero to users of the upcoming change to SSO
  - Informs users of a change to their login flow
  - Alerts users to change their emails to a managed domain if applicable
  - We request that your organization also message your user base to indicate the upcoming change and your operational expectations
- A date for go-live
  - Once the go-live date is reached all users NOT using a managed domain will be locked out of Avero
  - Avero team will provide a list of users on bad domains after go-live. These users will be disabled and require a new user invitation to create an SSO-eligible user.
Can I use SSO at only one location?
No, SSO must be used organization-wide. We do not have an option for different authentication strategies at various locations.