Single Sign On (SSO) allows your team to log into the Ravelin dashboard more securely and easily, using your enterprise account in place of a username & password combination.
Setting up SSO
If SSO is not yet set up for your team, Admin users will see the following message in the SSO tab of your settings area:
To set up SSO for your team, please contact Ravelin with the following information:
- The name of your identity provider
- The email domain(s) that your users have
- Your preference of OAuth or SAML for the SSO connection (your IT team can help with this one if you're unsure)
If you're setting up an OAuth connection, the above information should be all we need. If you're setting up a SAML connection, further details will need to be exchanged.
You'll need the following configuration from our side to get started:
From your side we'll need the following:
- Identity Provider Issuer (often referred to as the Entity ID or simply "Issuer")
- Identity Provider Single Sign-On URL (often referred to as the "SSO URL" or "SAML Endpoint.")
- x.509 Certificate
The Mandatory SSO setting enables Admins to enforce SSO as the only permitted authentication method for all non-admins with a supported domain.
We recommend enabling Mandatory SSO once you're happy that your users are able to log in with SSO without any issues.
Once Mandatory SSO is enabled, only two types of users are still able to log in with username and password:
- Admin users: In the rare case of SSO downtime, Admins should log in with username and password to disable Mandatory SSO
- Non Supported domain users: These are users that have a different email domain but still need access to your Ravelin account (such as external consultants). As your Identity provider cannot verify them, they will still be able to log in with username and password.
Note: We strongly recommend that Admin users and non supported domain users have 2fa enabled.
User Invite Preferences
This setting will allow Admins to decide if they would like new user invites for users with supported domains to advise them to set a username and password, or to sign in with SSO.
Note that once Mandatory SSO is enabled, SSO user invites is automatically enabled and cannot be disabled as all users with a supported domain will receive SSO user invites going forward from that point. The following message will instead show:
The supported domains should contain a list of your supported domains, provided to Ravelin in the initial setup phase. If this list is incomplete, or changes over time, please contact us to let us know.
SSO will only work for users with a supported domain, so it's important that all of your users domains are included in this list.
Logging in with SSO
To log in with SSO, users should select the "Sign in with SSO" option at the main login page:
On the next page, enter your email address and click Sign in. From there, users will be redirected to your identity provider login page, and once authenticated will be logged in.
From that point onwards, if using the same browser with cookies enabled, users will see a one-click login option the next time they're logged out:
Frequently Asked Questions
Do you support IdP initiated SSO?
Due to some noted security concerns with IdP initiated SSO, this is not something we currently support. If an IdP initiated SSO connection is attempted, we will redirect them to the primary Ravelin SSO login page, where they can quickly login.
Do you support JIT provisioning?
Currently this is not something we support, new users still need to be invited from Ravelin once SSO is enabled before they are able to login. If JIT provisioning is something you're interested in for the future, please let us know.
Which Identity Providers do you support?
We should be able to support any common OAuth or SAML 2.0 provider, and have working connections with Google/Gsuite, Okta, Microsoft Azure, Amazon AWS , Ping Federate and OneLogin.
How does 2FA work with SSO?
When users log into Ravelin with SSO, we do not prompt them for additional 2FA authentication, as we assume sufficient security checks will have been passed to authenticate with an enterprise account.
Note that Admins and users with non supported domains should still have 2FA enabled, as they will still be able to log in with username and password even once Mandatory SSO is enabled.
Some of our users have different email domains in Ravelin - is this a problem?
Occasionally you may have cases where some of your users have old email domains, or have signed up to Ravelin with an alias domain. These users will be unable to sign in with SSO, as the email address authenticated by your Identity Provider will not exactly match the email address in the Ravelin system. To fix this, we recommend either deleting and re-inviting such users, or contacting Ravelin to request an email address update for the users.
Which SAML attributes do I need to send to Ravelin?
The only attribute needed is the users email, as this is the key Ravelin uses to match against the users in the Ravelin system.