.. _sso-overview:

Single Sign On (SSO) Overview
------------------------------

VOSS Automate supports Single Sign-on (SSO) through the SAML v2 standard.
The system acts as a service provider (SP) in the SAML authentication architecture
and supports service provider initiated (SP-initiated) authentication of users
against a SAML v2 Identity Provider (IdP).

Authentication settings on an IdP server include: 

* Authentication Scope
* User Sync Type

For details, see :ref:`sso-sp-settings`.

Users who authenticate to VOSS Automate using SSO must access the
system through a URL that is specific to the IdP set up in VOSS Automate.
Because VOSS Automate supports multiple IdPs in the same system, the
IdP-specific URL ensures that the SAML interaction is with the correct IdP.

.. note:: 

   SSO for end-user Self-service is supported when a shared VOSS
   web proxy is used for Admin and Self-service and the Admin URL is used in the
   SSO setup. Once authenticated in the IdP via that URL, the user
   is dropped into the end-user Self-service interface (if they are an end user),
   with access according to their role. SSO is not supported when using a dedicated Self-service proxy.

When accessing the URL, the user is presented with a login challenge by
the Identity Provider (outside of VOSS) if they do not already have an active
session on the IdP. Once the user has authenticated with the IdP, the IdP sends
its assertion to VOSS Automate, and the user is given access and presented
with the appropriate interface in VOSS Automate (Admin or Self-service).
Users who already have an authentication session with the IdP do not see the IdP
login page and are directed straight to VOSS Automate.
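
The IdP-specific URL and the SP-initiated flow described above imply checks on the service provider side: the assertion must come from the IdP bound to the URL the user started from, and must answer a request the SP actually sent. The following is an added illustration of those checks, not VOSS Automate code; the URL paths, entity IDs and function names are hypothetical, the sample response is constructed, and signature verification against the IdP certificate is assumed to have succeeded already.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical registry: IdP-specific login URL path -> entity ID of that IdP.
IDPS = {"/sso/idp-a/login": "https://idp-a.example/entity",
        "/sso/idp-b/login": "https://idp-b.example/entity"}
SP_ENTITY_ID = "https://sp.example/metadata"  # hypothetical SP entity ID


def check_response(login_path, pending_request_id, response_xml):
    """Return the NameID if the response matches the IdP bound to login_path.

    Assumes the XML signature was already verified with that IdP's
    certificate; that step is out of scope for this sketch.
    """
    expected_issuer = IDPS.get(login_path)
    if expected_issuer is None:
        raise ValueError("unknown SSO login URL")
    # Untrusted input: a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != pending_request_id:
        raise ValueError("response does not answer our AuthnRequest")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    issuer = assertion.findtext("a:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise ValueError("assertion issued by a different IdP")
    audiences = [a.text.strip() for a in assertion.iterfind(".//a:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = assertion.findtext("a:Subject/a:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no subject")
    return name_id


def sample_response(issuer, in_response_to):
    """Constructed, unsigned sample response used only for demonstration."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
 ID="_r1" Version="2.0" InResponseTo="{in_response_to}">
 <a:Assertion ID="_a1" Version="2.0"><a:Issuer>{issuer}</a:Issuer>
  <a:Subject><a:NameID>alice@example.com</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience>
  </a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""
```

An assertion issued by one configured IdP is rejected when it arrives on another IdP's URL, as is a response whose ``InResponseTo`` does not match a pending SP-initiated request.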

.. note::

   * Credential policy features, such as password rules or session length, are all managed
     by the IdP outside of VOSS Automate.
   * SSO support is for authentication only and does not apply the 
     user's permissions within VOSS Automate.
   * No logout is supported when using SSO. VOSS Automate will not initiate the 
     termination.

To read through an example for configuring VOSS Automate and Microsoft Entra for SSO, see the 
following reference document: 

.. raw:: latex
   
   VOSS Automate Technote - Single Sign On (SSO) with Microsoft Entra PDF (available on the VOSS Automate Documentation Portal)
      
.. raw:: html
   
   <p><img alt="PDF" src="../../_images/Adobe_PDF_file_icon_24x24.png" /><a class="reference external" href="https://documentation.voss-solutions.com/release_21.4/html/VOSS-Automate-Technote-Single-Sign-On-SSO.pdf"  target="_blank"> VOSS Automate Technote - Single Sign On (SSO) with Microsoft Entra</a></p>


