Enabling and Providing Single Sign-On [SSO]

Modified on Mon, 12 Aug at 4:01 PM

Our Single Sign-On (SSO) utility gives users the ability to log in to DivvyHQ through their company's SSO portal. Once SSO has been enabled on an account, and users have been authenticated, they can bypass DivvyHQ's login page altogether.


Features described in this article are not included in all subscription plans. 
Interested in expanding your feature set? Please reach out to success[at]lytho[dot]com. Have a question about your current subscription? Contact our Support Team for further assistance.


The Divvy Details

Below is a step-by-step walkthrough on how to enable SSO on an account and give team members SSO authentication permissions. For those using ADFS, please note the additional steps under the section below, entitled Utilizing SSO Via ADFS.


If you are using Okta for your SSO needs, please refer to this article.

If you are using Azure for SSO, please refer to this article.


Enabling SSO

1. As a Global Admin, click your name in the upper right-hand corner of the platform and select the Account Admin option from the dropdown.




2. From the Account Admin, click the Integrations tab, then the Single Sign On tab.

3. Click the checkbox Enable Single Sign On.




4. After clicking the checkbox you will be presented with a few required fields that need to be filled in to start the authentication process.




5. Input your XML metadata URL or upload your metadata file into the provided field. This URL or file would come from your SSO provider.

6. Input your X.509 Certificate into the provided field. This value would come from your SSO provider: it is the IdP's signing certificate (the public half only), which DivvyHQ uses to verify the signature on incoming assertions. If the certificate is ever rotated on the IdP, it must be updated here as well or logins will start failing.

7. OPTIONAL: Input your IdP login URL.

8. Provide our DivvyHQ Metadata URL and DivvyHQ Assertion Consumption Service URL, as well as the following attribute mappings, to your IT department.


Note: The name format for these attribute mappings should be unspecified (urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified), and the attribute names must be sent exactly as mail, givenName and sn, not as full claim-type URIs.



Attribute name    Value
mail              Email address of the user
givenName         User's first name
sn                User's last name


DivvyHQ Metadata URL

https://app.divvyhq.com/saml2/metadata/

DivvyHQ Assertion Consumption Service URL

https://app.divvyhq.com/saml2/acs/


9. After you've filled in all required fields, click Save Settings in the upper right-hand corner.


Step 2a: Giving an Existing Team Member SSO Authentication Permissions

After you've enabled SSO via the Integration Admin, you need to specify which existing users will be utilizing SSO to log in to DivvyHQ.


1. Venture back to the Account Admin interface and select the Team Members tab.




2. Hover over the name of the team member who needs to authenticate through SSO, then click the blue View/Edit User link.




3. This will bring up the Edit Team Member overlay. Check the Authenticate through SSO box and then click the green Apply Changes button.




Step 2b: Giving a New Team Member SSO Authentication Permissions

When adding new team members, you can give them the ability to authenticate through SSO. Follow the steps below:


1. Click the + ADD NEW option in the upper righthand of the platform, then click TEAM MEMBER within the dropdown.

2. This will bring up the Add Team Member overlay. Fill out the required fields (First name, Last Name, Email address) and check the Authenticate through SSO box.




Important Note 1: When you add a new team member with Authenticate through SSO checked, the team member will not receive a DivvyHQ invitation email. You might want to alert them that they have been added to your DivvyHQ account and show them how to get to DivvyHQ via your SSO portal.
Important Note 2: Once you give a user Authenticate through SSO permissions, they will no longer be able to log in via the DivvyHQ Login Page. If you ever disable SSO via the Integration Admin or by downgrading your plan level to Pro or Starter, read this FAQ to learn how to regain access via the traditional login method.
Important Note 3: If you are the original Global Admin on an account, you will not be able to give yourself SSO authentication permissions. This gives the account a login fail-safe for the original Global Admin in case there is ever an issue with SSO authentication (an expired IdP certificate, a broken attribute mapping, or an IdP outage).


Utilizing SSO Via ADFS

If you are implementing SSO via ADFS, a few more steps are needed so that ADFS includes a NameID in the assertion it sends to DivvyHQ.


As mentioned above, please make sure the outgoing claim types are named mail, givenName and sn (not the default ADFS claim-type URIs), with the name format left as unspecified.




Step 1: Add an Additional Rule - Send Claims Using a Custom Rule





Step 1b: Code Results of Custom Rule

Custom Rule Code

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]
 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

This rule feeds the user's Windows account name, its original issuer and the authentication instant into the built-in _OpaqueIdStore and adds the resulting opaque value as the claim type http://mycompany/internal/sessionid. Because the authentication instant is part of the input, the value changes on every login, so nothing about the underlying account is exposed. Step 2 turns that claim into the NameID; the user's identity still travels in the mail, givenName and sn attributes.



Step 2: Add Additional Rules - Transform an Incoming Claim

Step 2b: Edit Rule Details

Set the incoming claim type to http://mycompany/internal/sessionid (the type produced by the custom rule above) and the outgoing claim type to Name ID. Since the value changes on every login, the outgoing name ID format that matches it is Transient Identifier.

Step 3: Click OK

After clicking OK, ADFS will include a NameID in its assertions, and team members with Authenticate through SSO enabled can log in to DivvyHQ through your ADFS portal.
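Before flipping users over to SSO, it is worth checking an actual IdP response against the settings above. The script below is an added example, not DivvyHQ's or Lytho's code, and it serves both the Enabling SSO steps (Destination and Recipient must be the Assertion Consumption Service URL, the Audience must be the SP entity ID, the attributes must be named mail, givenName and sn with the unspecified name format) and the ADFS section (a NameID must be present). It parses a constructed, unsigned SAML Response built from those values and reports every mismatch. Assumptions: the SP entity ID equals the DivvyHQ metadata URL (confirm this in the metadata document's entityID attribute), the IdP issuer is a placeholder on example.com, and the ADFS default claim-type URIs are used to show the most common misconfiguration. It does not verify the XML signature; do that with a SAML library against the X.509 certificate from step 6 before trusting anything in a response.

```python
"""Pre-flight check of an IdP's SAML Response against the DivvyHQ SP settings.
Added example, not DivvyHQ's or Lytho's code. It catches the configuration mismatches
this article is about (wrong Destination/Recipient, wrong Audience, missing NameID,
attributes not named mail/givenName/sn or sent with a NameFormat other than unspecified).
It does NOT verify the XML signature: do that with a SAML library against the X.509
certificate from step 6 before trusting anything in the response."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ACS_URL = "https://app.divvyhq.com/saml2/acs/"  # from the article
# Assumption: the SP entity ID equals the metadata URL; confirm it against the
# entityID attribute of the metadata document before relying on this check.
SP_ENTITY_ID = "https://app.divvyhq.com/saml2/metadata/"
REQUIRED_ATTRS = ("mail", "givenName", "sn")
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
# ADFS default outgoing claim types; sending these instead of the bare names is the usual mistake.
ADFS_DEFAULT_NAMES = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
)
NOW = datetime(2024, 8, 12, 16, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples


def build_response(attr_names, with_name_id=True, destination=ACS_URL):
    """Constructed, unsigned sample Response (not captured traffic) for the checks below."""
    name_id = ('<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
               'opaque-session-value</saml:NameID>' if with_name_id else "")
    attrs = "".join(
        f'<saml:Attribute Name="{n}" NameFormat="{UNSPECIFIED}">'
        f'<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in zip(attr_names, ("jane.doe@example.com", "Jane", "Doe")))
    return f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
  IssueInstant="2024-08-12T16:00:00Z" Destination="{destination}">
  <saml:Issuer>https://sts.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-08-12T16:00:00Z">
    <saml:Issuer>https://sts.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>{name_id}
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-08-12T16:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-08-12T15:59:00Z" NotOnOrAfter="2024-08-12T16:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>'''


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC, 'Z' suffixed


def check_response(xml_text, now):
    """Return (problems, attributes); empty problems means the response fits the SP settings."""
    root = ET.fromstring(xml_text)
    problems, attrs = [], {}
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"], attrs
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Subject has no NameID (on ADFS this needs the custom rule plus transform)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != SP_ENTITY_ID:
        problems.append("Audience does not match the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and _parse_time(cond.get("NotBefore")) > now:
        problems.append("assertion is not yet valid (check IdP/SP clock skew)")
    if cond is not None and cond.get("NotOnOrAfter") and _parse_time(cond.get("NotOnOrAfter")) <= now:
        problems.append("assertion has expired")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        # An absent NameFormat means unspecified per SAML 2.0 core, so only other values are rejected.
        fmt = attr.get("NameFormat", UNSPECIFIED)
        if fmt != UNSPECIFIED:
            problems.append(f"attribute {attr.get('Name')!r} uses NameFormat {fmt!r}")
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"required attribute {name!r} missing; check the outgoing claim type name")
    return problems, attrs


if __name__ == "__main__":
    good = build_response(REQUIRED_ATTRS)
    bad = build_response(ADFS_DEFAULT_NAMES, with_name_id=False)
    print("correct mapping:", check_response(good, NOW))
    print("ADFS defaults, no NameID:", check_response(bad, NOW)[0])
```

Run it against a real response by replacing the constructed sample with the base64-decoded SAMLResponse captured from the browser: the mismatches it prints map directly onto the steps above (Destination or Recipient to step 8's ACS URL, attribute names to the mapping table, a missing NameID to the ADFS rules).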
