Single Sign-On Options in Cezanne
This article gives an overview of the available Single Sign-On options within Cezanne HR.
What is Single Sign-On?
Loosely speaking, Single Sign-On (SSO) is a term used to describe a family of technologies that allow users to access a variety of services using a single username and password.
Cezanne HR supports Single Sign-On (SSO) with Google accounts, Microsoft accounts and all standards-compliant SAML 2.0 identity providers.
These options can be enabled and disabled independently of each other by logging into Cezanne as an HR Professional and navigating to: Administration >> Security Settings >> Single Sign-On Configuration.
Even with SSO enabled, users will always be able to log in using their Cezanne username and password through the standard Cezanne login screen.
The SAML 2.0 option can be used to implement SSO with almost any Identity and Access Management (IAM) system that supports the SAML 2.0 SSO protocol, including:
- Active Directory Federation Services (AD FS)
- Google Workspaces (formerly Google G Suite)
- Microsoft Entra ID (formerly Azure Active Directory)
- Okta
- Salesforce
How it works
1. The user triggers the SSO process by either:
- Clicking the Enterprise sign in button on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn).
- Selecting Cezanne from a login page hosted by the SSO service (known as identity provider initiated login).
- Opening a bookmark or link (perhaps on your company’s intranet page) to your company’s SAML SSO URL (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Saml).
- Navigating to Cezanne from an e-mail link, bookmark or the browser address bar when SAML 2.0 has been selected as your company’s default authentication method (see Related Configuration Options).
2. Cezanne redirects the user’s browser to the selected identity provider with an authentication request.
3. The identity provider checks that Cezanne is one of the service providers it has been configured to work with and, if so, checks the identity of the user (the mechanism for doing this depends on the provider, but typical methods include prompting for a username and password or automatically picking up Windows credentials).
4. The identity provider redirects the user’s browser back to Cezanne with a digitally signed SAML response containing details of the user’s identity and other authentication data, embedded in the browser’s request to Cezanne.
5. Cezanne reads the embedded response and checks that the response:
- is signed correctly (to ensure that it originated from the correct service and hasn’t been tampered with),
- hasn’t expired,
- hasn’t been submitted before (to prevent ‘replay’ attacks),
- indicates that the user was successfully authenticated,
- and doesn’t contain any other conditions that invalidate it.
6. Assuming the checks are successful and that the identifier in the response is linked to a Cezanne account, the user is automatically logged in to Cezanne with that account.
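The checks listed in step 5 are the part of the flow a service provider gets wrong most easily, so here they are as an added example. This is not Cezanne’s code and does not show how Cezanne implements them; the identity provider, key, audience, request IDs and user names are all constructed for the example, and the signature is an HMAC over the serialised assertion standing in for the XML-DSig signature a real identity provider produces. Both sides are modelled: `idp_issue` builds and signs a response, `sp_validate` applies the signature, status, validity-window, audience, InResponseTo and replay checks.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed: HMAC key stands in for the IdP signing key, audience for the SP entity ID.
IDP_KEY = b"constructed-idp-signing-key"
SP_AUDIENCE = "https://sp.example.test/saml"


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_bytes(root):
    """What the signature covers: the serialised <saml:Assertion> element."""
    return ET.tostring(root.find("saml:Assertion", NS))


def sign(data):
    """Stand-in for XML-DSig (a real SP verifies an RSA/ECDSA XML signature)."""
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()


def idp_issue(assertion_id, request_id, not_before, not_on_or_after,
              status=SUCCESS, name_id="alice@example.test"):
    """Identity-provider side: build a response and sign its assertion."""
    in_resp = f' InResponseTo="{request_id}"' if request_id else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="R-{assertion_id}"{in_resp}>'
        f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
        f'<saml:Assertion ID="{assertion_id}">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{fmt(not_before)}" NotOnOrAfter="{fmt(not_on_or_after)}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )
    return xml, sign(assertion_bytes(ET.fromstring(xml)))


class ReplayCache:
    """Assertion IDs already accepted, kept only until they would expire anyway."""
    def __init__(self):
        self._seen = {}

    def first_use(self, assertion_id, expires_at, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def sp_validate(xml, signature, expected_request_id, cache, now, skew=timedelta(seconds=60)):
    """Service-provider side: (True, name_id) if every check passes, else (False, reason)."""
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    # Signed correctly: came from the IdP and has not been tampered with.
    if not hmac.compare_digest(sign(assertion_bytes(root)), signature):
        return False, "bad signature"
    # The user was successfully authenticated.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "authentication not successful"
    # Not expired (and not from the future), allowing a little clock skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no conditions"
    nb, noa = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
    if now + skew < nb or now - skew >= noa:
        return False, "outside validity window"
    # Other conditions: addressed to this SP and answering our own request
    # (for identity-provider-initiated login both sides of the comparison are None).
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_AUDIENCE:
        return False, "wrong audience"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch"
    # Not submitted before.
    if not cache.first_use(assertion.get("ID"), noa, now):
        return False, "replayed assertion"
    return True, assertion.find("saml:Subject/saml:NameID", NS).text


def demo():
    """One accepted response and three rejected ones."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    cache = ReplayCache()
    xml, sig = idp_issue("A1", "REQ1", *window)
    out = {"valid": sp_validate(xml, sig, "REQ1", cache, now)}
    out["replay"] = sp_validate(xml, sig, "REQ1", cache, now)
    tampered = xml.replace("alice@example.test", "admin@example.test")
    out["tampered"] = sp_validate(tampered, sig, "REQ1", cache, now)
    xml2, sig2 = idp_issue("A2", "REQ2", *window)
    out["expired"] = sp_validate(xml2, sig2, "REQ2", cache, now + timedelta(hours=1))
    return out
```

The order of the checks matters: the signature is verified before anything else is read, so an attacker-controlled document never influences later decisions, and the replay cache is consulted last so that a rejected response does not poison it. The cache keeps an ID only until the assertion’s own NotOnOrAfter, which bounds its size without weakening the check.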
Setting it up
Please refer to the following KBAs for guidance on setting up SSO using SAML 2.0:
The Google and Microsoft SSO options can be used to enable SSO with personal Google and Microsoft accounts. This can be useful for small organisations that do not have an IAM system or that would like to enable SSO for external users.
Unlike SAML 2.0 (where user mappings are managed centrally by HR professionals), the Google and Microsoft SSO options are self-administering. Once an HR professional has enabled these options for their company, it’s up to individual users to link their personal accounts to Cezanne if they wish to use them.
How it works
Both of these SSO options are implemented using the OAuth2 authorisation code flow.
1. The user triggers the SSO process by either:
- clicking the Log in with Google or Log in with Microsoft button on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn),
- opening a bookmark or link (perhaps on your company’s intranet page) that automatically initiates SSO:
- https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/SingleSignOn/Google to log in with Google
- https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/SingleSignOn/Microsoft to log in with Microsoft
- or navigating to Cezanne from an e-mail link, bookmark or the browser address bar when either Google or Microsoft has been selected as your company’s default authentication method (see Related Configuration Options).
2. Cezanne redirects the user to the chosen authorisation service. If the user is not already logged in, the service will prompt them to enter their username and password through the authorisation service’s own login page.
3. Assuming that the user has logged in to their Google or Microsoft account successfully, the authorisation service may then ask them for permission to share their identity (but not their password) with Cezanne.
4. The service redirects the user back to Cezanne together with an authorisation code that Cezanne uses to retrieve the user’s identity directly from the authorisation service.
5. Cezanne looks to see whether there is already a Cezanne user linked to the Google or Microsoft account. If a match is found, the user is automatically logged in. Otherwise the user is asked to enter their Cezanne username and password so that the external account can be linked to the correct Cezanne user and used to log in automatically next time round.
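The authorisation code flow just described, as an added example with both sides modelled; it is not Cezanne’s code and does not show how Cezanne or Google/Microsoft implement the flow. The authorisation endpoint, client registration, callback URL, user accounts and passwords are all constructed. It shows the three points a defender cares about in step 4 and 5: the `state` value binds the redirect to the browser session that started the login, the code is redeemed once over a back channel using the client secret (the user’s external password never reaches the service provider), and an unlinked external account is only linked after the local credentials are verified.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for the example: client registration and the SP's callback URL.
AUTH_ENDPOINT = "https://auth.example.test/authorize"
CLIENT_ID, CLIENT_SECRET = "cezanne-demo", "constructed-client-secret"
REDIRECT_URI = "https://sp.example.test/SingleSignOn/Callback"
SALT_LEN = 16


def query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class MockAuthServer:
    """Stand-in for the Google or Microsoft authorisation service."""
    def __init__(self):
        self.accounts = {"alice@example.test": "sub-1001"}  # constructed account -> subject id
        self._codes = {}                                    # issued code -> subject id

    def authorize(self, url, logged_in_as):
        """The user is signed in here and consents; redirect back with a one-time code."""
        q = query(url)
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = self.accounts[logged_in_as]
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, client_id, client_secret):
        """Back-channel exchange: only the registered client can redeem a code, and only once."""
        if client_id != CLIENT_ID or not secrets.compare_digest(client_secret, CLIENT_SECRET):
            return None
        sub = self._codes.pop(code, None)
        return None if sub is None else {"sub": sub}


class ServiceProvider:
    """The Cezanne-like side: starts the flow, handles the redirect, links accounts."""
    def __init__(self, auth):
        self.auth = auth
        self.pending = {}   # browser session id -> state issued to that session
        self.links = {}     # external subject id -> local username
        self.local = {"alice": self._hash("correct horse", b"c" * SALT_LEN)}  # constructed user

    @staticmethod
    def _hash(password, salt):
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def start_login(self, session_id):
        """Steps 1-2: mint a state bound to this browser session and redirect to the IdP."""
        state = secrets.token_urlsafe(16)
        self.pending[session_id] = state
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid email", "state": state})

    def callback(self, session_id, redirect_url):
        """Steps 4-5: tie the redirect to the session, redeem the code, look up the link."""
        q = query(redirect_url)
        expected = self.pending.pop(session_id, None)   # single use
        if expected is None or not secrets.compare_digest(expected, q.get("state", "")):
            return "error", "state mismatch"
        identity = self.auth.token(q.get("code", ""), CLIENT_ID, CLIENT_SECRET)
        if identity is None:
            return "error", "code rejected"
        sub = identity["sub"]
        if sub in self.links:
            return "logged_in", self.links[sub]
        return "link_required", sub      # caller prompts for the local username/password

    def link(self, sub, username, password):
        """Link an external account only after the local credentials are verified."""
        stored = self.local.get(username)
        if stored is None or not secrets.compare_digest(stored, self._hash(password, stored[:SALT_LEN])):
            return False
        self.links[sub] = username
        return True


def demo():
    sp = ServiceProvider(MockAuthServer())
    out = {}
    # First visit: the external account is not yet linked, so linking is requested.
    redirect = sp.auth.authorize(sp.start_login("browser-A"), "alice@example.test")
    out["first"] = sp.callback("browser-A", redirect)
    out["link"] = sp.link(out["first"][1], "alice", "correct horse")
    # Delivering the same redirect again fails: its state was consumed by the first callback.
    out["replay"] = sp.callback("browser-A", redirect)
    # Second visit: the linked account logs straight in.
    out["second"] = sp.callback("browser-A", sp.auth.authorize(sp.start_login("browser-A"), "alice@example.test"))
    # A redirect arriving in a browser session other than the one that started it is rejected.
    out["cross"] = sp.callback("browser-C", sp.auth.authorize(sp.start_login("browser-B"), "alice@example.test"))
    return out
```

The `state` lookup is keyed by the browser session and popped on first use, which is what makes the flow resistant to a redirect being replayed or delivered into someone else’s session; the code itself is also single-use on the authorisation server side, so even a leaked redirect URL is worthless after the first exchange.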
Setting it up
- Log in to Cezanne with an HR Professional user account and navigate to Administration >> Security Settings >> Single Sign-On Configuration.
- Check the boxes next to the SSO services you wish to make available to your users.
- If you have chosen to enable SSO using OpenID you can also choose which OpenID services are shown on the login page or create a whitelist of approved providers by clicking on the Advanced Configuration link.
- Users can now log in using SSO by navigating to your company’s dedicated login page (e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/YourCompanyName) and clicking the button for the SSO service they wish to use.
Related Configuration Options
There are a couple of additional settings on the Administration >> Setup & Security >> Company Settings >> Company Information screen that are relevant to companies using SSO.
Custom Logout URL
By default, users are taken back to the Cezanne login screen when they log out. This may not be desirable if your company uses SSO and your users are used to logging in directly from a link on your intranet, for example. To cater for these scenarios the Company Information screen contains a Custom Logout URL option that can be set to a URL of your choice. Once specified, users will be taken to this page instead when they log out.
Default Authentication Method
By default, if a user navigates directly to Cezanne from an e-mail link, bookmark or the browser address bar and they are not already logged in, they are redirected to the Cezanne login screen to enter their username and password. Again, this can be confusing for users who are used to logging in directly through an SSO link on a company intranet page, for example. To avoid this you can choose any SSO option that’s currently enabled as the Default Authentication Method on the Company Information screen. This option will be used whenever a user who is not already signed in attempts to access a page in Cezanne using your company’s primary URL (e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)).
Cezanne then redirects the user to the chosen identity provider. If the user is not already logged in with that service, the identity provider may then prompt the user to enter their username and password. If the chosen identity provider is being used to log into Cezanne for the first time, it may also ask the user for permission to share their identity with the application.
Once the identity provider has finished checking the user’s identity, they are redirected to Cezanne with a unique identifier for their external account. If this identifier is already linked to a Cezanne user account, the user is automatically logged into the application. Otherwise, the user is prompted to enter their Cezanne username and password so that their external account can be linked to their Cezanne account before they are logged in.
At no point is the password for the external account shared with Cezanne.