Single Sign-On Options in Cezanne
This article gives an overview of the available Single Sign-On options within Cezanne HR.
Loosely speaking, Single Sign-On (SSO) is a term used to describe a family of technologies that allow users to access a variety of services using a single username and password.
Cezanne HR supports SSO through a choice of three well-established, standards-compliant protocols:
- OAuth2 and OpenID for SSO using third-party online services such as Facebook, Google, Twitter and Windows Live.
- SAML 2.0 for SSO using enterprise authentication and directory services such as Active Directory and SimpleSAMLphp.
These options can be enabled and disabled independently of each other by logging into Cezanne as an HR Professional and navigating to: System Setup >> Security Settings >> Single Sign-On Configuration.
Even with these SSO options enabled, users will always be able to log in using their Cezanne username and password through the standard Cezanne login screen.
The OAuth2 and OpenID SSO options are particularly well suited to organisations that prefer to use third-party user account services (such as Google and Windows Live accounts) for SSO instead of setting up their own federated services.
These options are all self-administering; each company chooses which options are available to their users, but then it’s up to individual users to link their external accounts to Cezanne if they wish to use them.
Regardless of the protocol used, at no point in the process are the passwords for external accounts shared with Cezanne.
How it works
1. The user triggers the SSO process in one of four ways:
- Choosing the service they wish to use from a set of buttons on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn).
- Entering an OpenID identifier (typically a URL) that uniquely identifies them into the OpenID box on your company’s Cezanne OpenID login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/SingleSignOn/OpenID).
- Opening a bookmark or link (perhaps on your company’s intranet page) that automatically performs one of the two options above.
- Navigating to Cezanne from an e-mail link, bookmark or the browser address bar (provided that an SSO option has been selected as your company’s default authentication method, see Related Configuration Options).
2. Cezanne then redirects the user to their chosen service. If the user is not already logged in, the service will prompt them to enter their username and password through the service’s own login page.
3. Assuming that the user has logged in to their chosen service successfully, the service may then ask them for permission to share their identity (but not their password) with Cezanne. Most services will only ask once per application.
4. The service then redirects the user back to Cezanne together with a unique identifier for their account.
5. Cezanne then verifies that the user identifier it’s been given really did originate from the chosen service. Depending on the protocol used, this is either done by establishing a shared secret with the service at the start of the login process, or by contacting the service directly for confirmation afterwards.
6. Cezanne then looks to see whether there is already a Cezanne user account linked to the identifier it’s been given. If a match is found, the user is automatically logged in. Otherwise the user is asked to enter their Cezanne username and password so that the identifier can be linked to the correct account and used to log in automatically next time round.
Setting it up
- Log in to Cezanne with an HR Professional user account and navigate to System Setup >> Security Settings >> Single Sign-On Configuration.
- Check the boxes next to the SSO services you wish to make available to your users.
- If you have chosen to enable SSO using OpenID you can also choose which OpenID services are shown on the login page or create a white list of approved providers by clicking on the Advanced Configuration link.
- Users can now log in using SSO by navigating to your company’s dedicated login page (e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/YourCompanyName) and clicking the button for the SSO service they wish to use.
Although OAuth2 and OpenID are simple to set up, they depend on direct communication between Cezanne HR and the SSO service to function. This makes them ill-suited to enterprise SSO scenarios where the SSO service is an internal directory service such as Active Directory.
To cater for these scenarios, Cezanne supports the SAML 2.0 protocol which uses digital signatures to eliminate the need for Cezanne to contact the SSO service directly.
Unlike OAuth2 and OpenID, the process of linking Cezanne accounts to the user identifiers returned by SAML 2.0 SSO services is managed centrally by HR Professionals through the User Details screen or a dedicated data import.
How it works
1. The user triggers the SSO process in one of four ways:
- Clicking the Enterprise sign in button on your company’s Cezanne login screen (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Account/LogIn).
- Selecting Cezanne from a login page hosted by the SSO service (known as identity provider initiated login).
- Opening a bookmark or link (perhaps on your company’s intranet page) to your company’s SAML login URL in Cezanne (https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)/Saml).
- Navigating to Cezanne from an e-mail link, bookmark or the browser address bar (provided that SAML 2.0 has been selected as your company’s default authentication method, see Related Configuration Options).
2. Cezanne then redirects the user’s browser to the appropriate SAML 2.0 identity provider (an Active Directory, for example) with a SAML authentication request embedded in the redirect.
3. The identity provider checks that the application name (e.g. Cezanne) in the request matches one of the service providers that it’s been configured to work with and, if so, checks the identity of the user (the mechanism for doing this depends on the provider, but typical methods include prompting for a username and password or automatically picking up Active Directory credentials).
4. The identity provider then redirects the user’s browser back to Cezanne with a digitally signed SAML response (containing details of the user’s identity and certain restrictions such as an expiry date) embedded in the request.
5. Cezanne reads the embedded response and checks that the response:
- Is signed correctly (to ensure that it originated from the correct service and hasn’t been tampered with).
- Hasn’t expired.
- Hasn’t been submitted before (to prevent ‘replay’ attacks).
- Indicates that the user was successfully authenticated.
- Doesn’t contain any other conditions that invalidate it.
6. Finally, assuming that these checks are successful and that the identifier in the response is linked to a Cezanne account, the user is automatically logged in to Cezanne with that account.
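The five checks in step 5, worked through on a constructed SAML response. This is an added illustration, not Cezanne’s own code: the IdP’s XML digital signature is stood in for by an HMAC tag over the response bytes so the example runs offline with only the standard library (a real service provider verifies the XML-DSig signature with the identity provider’s certificate), the audience value, secret, timestamps and user are constructed, and the three-minute clock-skew allowance is an assumption.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift

def _ts(value):  # SAML timestamps are UTC ISO-8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def sign(secret, response_xml):  # HMAC stands in for the IdP's XML-DSig signature
    return hmac.new(secret, response_xml, hashlib.sha256).hexdigest()

class SamlValidator:
    def __init__(self, idp_secret, audience):
        self.idp_secret = idp_secret  # stand-in for the IdP's signing certificate
        self.audience = audience      # the entity ID this service provider expects
        self.seen_ids = set()         # assertion IDs already consumed (replay cache)

    def validate(self, response_xml, tag, now_utc):
        # Check 1: signed correctly (constant-time comparison of the tag).
        if not hmac.compare_digest(sign(self.idp_secret, response_xml), tag):
            return "bad signature"
        root = ET.fromstring(response_xml)
        # Check 4: the IdP must report a successful authentication.
        if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            return "not authenticated"
        assertion = root.find("saml:Assertion", NS)
        cond = assertion.find("saml:Conditions", NS)
        now = _ts(now_utc)
        # Check 2: inside the validity window, allowing a little clock skew.
        if now < _ts(cond.get("NotBefore")) - SKEW:
            return "not yet valid"
        if now >= _ts(cond.get("NotOnOrAfter")) + SKEW:
            return "expired"
        # Check 5: other conditions, here that the assertion is addressed to us.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            return "wrong audience"
        # Check 3: each assertion ID may be accepted only once (replay protection).
        aid = assertion.get("ID")
        if aid in self.seen_ids:
            return "replayed"
        self.seen_ids.add(aid)
        return "ok:" + assertion.find("saml:Subject/saml:NameID", NS).text

SECRET = b"constructed-demo-secret"  # constructed sample data, not real IdP material
SAMPLE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>urn:example:sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Note that a rejected response never consumes its assertion ID, so only responses that passed every other check populate the replay cache.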
Setting it up
Please refer to the following KBAs for guidance on setting up SSO using SAML 2.0:
There are a couple of additional settings on the System Setup >> Company Profile >> Company Information screen that are relevant to companies using SSO.
Custom Logout URL
By default, users are taken back to the Cezanne login screen when they log out. This may not be desirable if your company uses SSO and your users are used to logging in directly from a link on your intranet, for example. To cater for these scenarios the Company Information screen contains a Custom Logout URL option that can be set to a URL of your choice. Once specified, users will be taken to this page instead when they log out.
Default Authentication Method
By default, if a user navigates directly to Cezanne from an e-mail link, bookmark or the browser address bar and they are not already logged in, they are redirected to the Cezanne login screen to enter their username and password. Again, this can be confusing for users who are used to logging in directly through an SSO link on a company intranet page, for example. To avoid this you can choose any SSO option that’s currently enabled as the Default Authentication Method on the Company Information screen. This option will be used whenever a user who is not already signed in attempts to access a page in Cezanne using your company’s primary URL (e.g. https://w3.cezanneondemand.com/CezanneOnDemand/-/(Your-Company-Name)).
Cezanne then redirects the user to the chosen identity provider. If the user is not already logged in with that service, the identity provider may then prompt the user to enter their username and password. If the chosen identity provider is being used to log into Cezanne for the first time, it may also ask the user for permission to share their identity with the application.
Once the identity provider has finished checking the user’s identity, they are redirected to Cezanne with a unique identifier for their external account. If this identifier is already linked to a Cezanne user account, the user is automatically logged into the application. Otherwise, the user is prompted to enter their Cezanne username and password so that their external account can be linked to their Cezanne account before they are logged in.
At no point is the password for the external account shared with Cezanne.