Single Sign On (SSO) Overview

VOSS Automate supports Single Sign-On (SSO) through the SAML v2 standard. The system acts as a service provider (SP) in the SAML authentication architecture and supports service provider initiated (SP-initiated) authentication of users against a SAML v2 Identity Provider (IdP).

Authentication settings on an IdP server include:

  • Authentication Scope

  • User sync Type

For details, see Configure Single Sign-On for VOSS Automate.

Users who authenticate via SSO must access VOSS Automate using a URL that is specific to the IdP set up in VOSS Automate. Because VOSS Automate supports multiple IdPs, this ensures that the SAML interaction is with the correct IdP.

Note

SSO for end-user Self-service is supported when a shared VOSS web proxy is used for Admin and Self-service and the Admin URL is used in the SSO setup. Once authenticated in the IdP via that URL, an end user is dropped into the end-user Self-service interface, with access according to their role. SSO is not supported when using a dedicated Self-service proxy.

When accessing the URL, users who do not already have an active session on the IdP are presented with the login challenge by the Identity Provider (outside of VOSS). Once the user has authenticated with the IdP, the IdP sends the assertion to VOSS Automate, and the user is given access and presented with the appropriate interface in VOSS Automate (Admin or Self-service). Users who already have an authentication session with the IdP do not see the IdP login page and are directed straight to VOSS Automate.
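An added illustration, not VOSS Automate code: the checks a SAML service provider with several IdPs typically applies when an assertion arrives on an IdP-specific URL in an SP-initiated flow. The URL paths, entity IDs and function names are hypothetical, the sample response is constructed, and XML signature verification is assumed to have been done already by a SAML library.

```python
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted XML

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical per-IdP login paths mapped to the entity ID expected from each IdP.
IDP_BY_LOGIN_PATH = {
    "/sso/idp-a/login": "https://idp-a.example/metadata",
    "/sso/idp-b/login": "https://idp-b.example/metadata",
}
SP_ENTITY_ID = "https://sp.example/metadata"  # hypothetical SP entity ID

def make_response(issuer, in_response_to, audience):
    """Build a constructed, unsigned sample Response for the demo."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'InResponseTo="{in_response_to}"><saml:Assertion>'
        f'<saml:Issuer>{issuer}</saml:Issuer><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion></samlp:Response>'
    )

def check_response(login_path, pending_request_id, response_xml):
    """Return (ok, reason). Assumes the signature was already verified against
    the certificate of the IdP mapped to login_path."""
    expected_issuer = IDP_BY_LOGIN_PATH.get(login_path)
    if expected_issuer is None:
        return False, "unknown login URL"
    root = ET.fromstring(response_xml)
    # SP-initiated flow: the response must answer the request this SP sent.
    if root.get("InResponseTo") != pending_request_id:
        return False, "not a reply to this request"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    # Bind the assertion to the IdP selected by the URL, not to any known IdP.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "issuer does not match IdP for this URL"
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        return False, "audience mismatch"
    return True, "accepted"

if __name__ == "__main__":
    good = make_response("https://idp-a.example/metadata", "_req1", SP_ENTITY_ID)
    print(check_response("/sso/idp-a/login", "_req1", good))
    print(check_response("/sso/idp-b/login", "_req1", good))
```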

Note

  • Credential policy features, such as password rules or session length, are all managed by the IdP outside of VOSS Automate.

  • SSO support is for authentication only and does not apply the user’s permissions within VOSS Automate.

  • No logout is supported when using SSO. VOSS Automate will not initiate the termination.