Availability
Overview
Single sign-on options is a tab on the Account settings screen. Birdview supports Microsoft Azure's Single Sign-On (SSO) using Azure Active Directory (Azure AD). With this feature, you can log in to Birdview via the Azure AD authentication endpoint. To learn more about SSO and Azure AD, refer to Microsoft's Azure AD documentation.
Warning
To have access to the Account settings, a user must have the "Manage system settings" permission enabled in their access level.
Warning
SSO is used only when you open a Birdview page other than the login page directly, e.g. from a link or bookmark. If you open Birdview via the login page, you go through the standard login procedure, i.e. you enter your Birdview login and password.
Single sign-on protocol flow
- Precondition 1: A user exists in Birdview with the same email as a user registered in Azure Active Directory. To have Birdview auto-provision users at their first login instead, see User provisioning below.
- Precondition 2: Single sign-on is enabled in Birdview. See below on how to enable SSO in Birdview.
- The user tries to access a Birdview page, e.g. Time logs.
- The user is automatically redirected to the Azure Active Directory authentication endpoint.
- After successful sign-in, the user is redirected to Birdview and taken directly to the required page.
Enabling SSO
To enable single sign-on in Birdview:
- Go to Company settings > Account settings > Single sign-on options tab.
- Click Enable single sign-on.
- Click Apply at the bottom of the page.
SSO types
Two SSO services are supported:
- Azure AD, and
- SAML
Azure AD login is cookie-based: once you log in to one Azure AD site in your network, you are automatically logged in to all the other registered sites.
For SAML you need either a URL to the identity provider's metadata, or you can upload the metadata file or paste its contents.
To get the URL, follow steps similar to those below:
- Open the ADFS Management on the ADFS server.
- Go to Relying Party Trusts and select the target partner.
- Click Properties...
- Click the Identifiers tab and copy the Relying party identifier.
- Using a browser, log in to the web interface of the ADFS server provided by Internet Information Services (IIS). For example, go to the following URL: https://<host>:<port>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=<partnerUrl>, where <partnerUrl> is the value of the Relying party identifier that you copied in the previous step.
Alternatively, you can export the metadata from ADFS and either upload the file or paste its contents; select the corresponding mode in the SSO section of the Advanced company settings.
Session management
| Setting | Description |
|---|---|
| Require sign-in at the start of each session | Requires you to sign in at the beginning of each session. |
| Use single sign-on as the default authentication method | Sets single sign-on as the default authentication method. |
| Customize SSO login button text | Customizes the text of the SSO button shown on the login page. Maximum length is 30 characters. |
User provisioning
If you’d like Birdview to automatically create accounts for anyone who has access via Azure SSO at their first login to Birdview, use the following steps:
- Go to Company settings > Account settings > Single sign-on options tab.
- With Enable single sign-on selected, select Create users based on SSO automatically.
- Select a default role for the auto-provisioned users from the dropdown list.
- Specify the email domain to be used with the SSO-provisioned users.
- Click Apply at the bottom of the page.
Warning
The email domain is used to verify the identity received with the security token from Azure AD: only users whose email address belongs to a domain listed in the Email domain field are allowed to be provisioned.
As a result, a user with the same name and email as the matching Azure AD user will be created in Birdview.
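The following is an added example, not Birdview's own code, showing how the precondition of the protocol flow and the provisioning rules above combine when a token arrives: an existing Birdview user with the matching email is logged in, otherwise a user is created only if auto-creation is on and the email domain exactly matches one of the allowed domains. The settings, claim and user-record names are hypothetical.

```python
# Added example (not Birdview's code): decide what happens when an SSO token
# arrives, following the rules described on this page. Names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SsoSettings:
    enabled: bool = False          # "Enable single sign-on"
    auto_create: bool = False      # "Create users based on SSO automatically"
    default_role: str = "Member"   # role assigned to auto-provisioned users
    allowed_domains: Set[str] = field(default_factory=set)  # "Email domain" field


def email_domain(email: str) -> Optional[str]:
    # Exact match on the part after the single "@", lower-cased; anything
    # malformed is rejected rather than guessed at.
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    if not local or not domain or domain != domain.strip():
        return None
    return domain.lower()


def resolve_sso_login(claims: dict, settings: SsoSettings,
                      users: Dict[str, dict]) -> Tuple[str, Optional[dict]]:
    """Return (outcome, user). claims is the identity received with the
    Azure AD token; users maps lower-cased email -> existing Birdview account."""
    if not settings.enabled:
        return "sso_disabled", None
    email = (claims.get("email") or "").strip()
    domain = email_domain(email)
    if domain is None:
        return "rejected_bad_email", None
    existing = users.get(email.lower())
    if existing:                          # Precondition 1: matching user exists
        return "login", existing
    if not settings.auto_create:
        return "rejected_no_account", None
    # Provisioning only: the domain must be listed in the Email domain field.
    # "example.com.evil.net" does not match "example.com" (exact, not suffix).
    if domain not in {d.lower() for d in settings.allowed_domains}:
        return "rejected_domain", None
    user = {"email": email, "name": claims.get("name", ""),
            "role": settings.default_role}
    users[email.lower()] = user
    return "created", user
```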