Cezanne HROther ArticlesSingle Sign-On OverviewSingle Sign-On Options in Cezanne

Single Sign-On Options in Cezanne

This article gives an overview of the available Single Sign-On options within Cezanne HR.

What is Single Sign-On?

Loosely speaking, Single Sign-On (SSO) is a term used to describe a family of technologies that allow users to access a variety of services using a single username and password.

Single Sign-On Configuration Options

Cezanne HR supports SSO through a choice of three well-established, standards-compliant protocols:

  • OAuth2 and OpenID for SSO using third-party online services such as Facebook, Google, Twitter and Windows Live.
  • SAML 2.0 for SSO using enterprise authentication and directory services such as Active Directory and SimpleSAMLphp.

These options can be enabled and disabled independently of each other by logging into Cezanne as an HR Professional and navigating to: System Setup >> Security Settings >> Single Sign-On Configuration.

2. Single Sign-On Configuration Options

Even with these SSO options enabled, users will always be able to login using their Cezanne username and password through the standard Cezanne login screen.

Single Sign-On with OAuth2 and OpenID

The OAuth2 and OpenID SSO options are particularly well suited to organisations that prefer to use third-party user account services (such as Google and Windows Live accounts) for SSO instead of setting up their own federated services.

These options are all self-administering; each company chooses which options are available to their users, but then it’s up to individual users to link their external accounts to Cezanne if they wish to use them.

Regardless of the protocol used, at no point in the process are the passwords for external accounts shared with Cezanne.

How it works

1. The user triggers the SSO process in one of four ways:

  • Choosing the service they wish to use from a set of buttons on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn).
  • Entering an OpenID identifier (typically a URL) that uniquely identifies them into the OpenID box on your company’s Cezanne OpenID login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/SingleSignOn/OpenID).
  • Opening a bookmark or link (perhaps on your company’s intranet page) that automatically performs one of the two options above.
  • Navigating to Cezanne from an e-mail link, bookmark or the browser address bar (provided that an SSO option has been selected as your company’s default authentication method, see Related Configuration Options).
How it works

2. Cezanne then redirects the user to their chosen service. If the user is not already logged in, the service will prompt them to enter their username and password through the service’s own login page.

3. Assuming that the user has logged in to their chosen service successfully, the service may then ask them for permission to share their identity (but not their password) with Cezanne. Most services will only ask once per application.

4. The service then redirects the user back to Cezanne together with a unique identifier for their account.

5. Cezanne then verifies that the user identifier it’s been given really did originate from the chosen service. Depending on the protocol used, this is either done by establishing a shared secret with the service at the start of the login process, or by contacting the service directly for confirmation afterwards.

6. Cezanne then looks to see whether there is already a Cezanne user account linked to the identifier it’s been given. If a match is found, the user is automatically logged in. Otherwise the user is asked to enter their Cezanne username and password so that the identifier can be linked to the correct account and used to log in automatically next time round.

Setting it up

  1. Log in to Cezanne with an HR Professional user account and navigate to System Setup >> Security Settings >> Single Sign-On Configuration.
  2. Check the boxes next to the SSO services you wish to make available to your users.
  3. If you have chosen to enable SSO using OpenID you can also choose which OpenID services are shown on the login page or create a white list of approved providers by clicking on the Advanced Configuration link.
  4. Users can now log in using SSO by navigating to your company’s dedicated login page (e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/YourCompanyName) and clicking the button for the SSO service they wish to us.
Single Sign-On with SAML 2.0

Although OAuth2 and OpenID are simple to set up, they depend on direct communication between Cezanne HR and the SSO service to function. This makes them ill-suited to enterprise SSO scenarios where the SSO service is an internal directory service such as Active Directory.

To cater for these scenarios, Cezanne supports the SAML 2.0 protocol which uses digital signatures to eliminate the need for Cezanne to contact the SSO service directly.

Unlike OAuth2 and OpenID, the process of linking Cezanne accounts to the user identifiers returned by SAML 2.0 SSO services is managed centrally by HR Professionals through the User Details screen or a dedicated data import.

How it works

1. The user triggers the SSO process in one of four ways:

  • Clicking the Enterprise sign in button on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn).
  • Selecting Cezanne from a login page hosted by the SSO service (known as identity provider initiated login).
  • Opening a bookmark or link (perhaps on your company’s intranet page) to your company’s SAML login URL in Cezanne (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Saml).
  • Navigating to Cezanne from an e-mail link, bookmark or the browser address bar (provided that SAML 2.0 has been selected as your company’s default authentication method, see Related Configuration Options).

2. Cezanne then redirects the user’s browser to the appropriate SAML 2.0 identity provider (an Active Directory, for example) with a SAML request embedded in the request.

3. The identity provider checks that the application name (e.g. Cezanne) in the request matches one of the service providers that it’s been configured to work with and, if so, checks the identity of the user (the mechanism for doing this depends on the provider, but typical methods include prompting for a username and password or automatically picking up Active Directory credentials).

4. The identity provider then redirects the user’s browser back to Cezanne with a digitally signed SAML response (containing details of the users identity and certain restrictions such as an expiry date) embedded in the request.

5. Cezanne reads the embedded response and checks that the response:

  • Is signed correctly (to ensure that it originated from the correct service and hasn’t been tampered with).
  • Hasn’t expired.
  • Hasn’t been submitted before (to prevent ‘replay’ attacks).
  • Indicates that the user was successfully authenticated.
  • Doesn’t contain any other conditions that invalidate it.

6. Finally, assuming that these checks are successful and that the identifier in the response is linked to a Cezanne account, the user is automatically logged in to Cezanne with that account.