SSO (Single Sign On) FAQ

What does IdP mean?

IdP is an acronym for "identity provider." Identity providers are services that manage identities. Organizations that use SuccessPro typically have an existing IdP in place to log in one time to access many systems. In most cases, these are hosted in the cloud and work with SSO providers to authenticate users.


What are examples of IdPs that ActiFi can work with?

Microsoft Azure Active Directory
Oracle Identity Management
Okta Identity Management
Zoho Vaul.
OneLogin
LogMeIn Pro
All of these implement SAML SSO protocol exactly the same. SuccessPro can work with any of these and others as long as the protocol is followed.


What is SAML 2.0?

SAML stands for Security Assertion Markup Language. SAML version 2 is the version of the standard for exchanging authentication and authorization identities between security domains. It uses an XML-based protocol.



What are the high-level steps to implement SSO with SuccessPro?

    Client - Complete the SSO Getting Started Questionnaire
    Client - Populate all TSIDs for users in sPro (click here to learn more)
    Client - Automate provision & hierarchy (see here to learn more)
    ActiFi - Submit JIRA request to enable SSO endpoint
    ActiFi - Provide Client xml files from dev & prod which contain location, attributes, & public cert.
    Client - Via email, provide ActiFi system location URL(s), public certs, & attributes to share.
  • Typically this will be xml format that looks similar to ActiFi’s.
    ActiFi - Configure SuccessPro relay state identify & service provider defaults via admin configuration screen.
    Client - (if applicable) If SSO login button on sPro screen will be needed, the client is to provide SP-Initiated IDP Login URL.
    Client/ActiFi - Test the SSO & mutually sign off before completing this process.


How long does this implementation usually take?

ActiFi will typically implement as fast as client-side tech teams. ActiFi development operates in two-week sprints. Assuming the automated provisioning & hierarchy process is already in place, the SSO process can take 2-3 weeks, on average.



Can SSO be implemented without having automated provisioning & hierarchy in place?

Yes, but it's not recommended. Errors can often occur due to missing users, conflicting stale user data in either system, etc. As a result, the SSO will not function properly and the advisor experience may suffer. The number of issues that may arise will be a function of the number of users. For example, 50 home office users require less manual maintenance than 10,000 financial advisors to maintain content groups, etc. Please consult with ActiFi Support if considering SSO setup without automated provisioning & hierarchy.


What are the required data points needed for SSO to work with SuccessPro?

TSID (Tenant Specific Identifier)
URLs (for system locations)
Public Certificates that represent trusted identity of each system.


What attributes are commonly shared in the xml file?

TSID (required), First Name (optional), Last Name (optional), Email (optional)


Is it possible for SSO still work with SuccessPro if only email & name are available?

No. The SSO process requires TSID to be populated and matched between systems. Without that data point, the SSO will not function.


How can I determine what ActiFi's public cert is?

This will be located in the metadata xml file after the request is initiated.


What is Identity Provider-initiated SSO?

The User action begins in the tenant’s system.


What is Service Provider-initiated SSO

User action begins in SuccessPro?


Can one or both options be implemented?

Yes, ActiFi clients have the option to utilize one or both flows depending on requirements.


What does a basic SSO visual flow look like?

SuccessPro may be 1, 2, or 3 in the sample visual below. A user logs in one time to access many applications without being required to log in again and again.


Can the SSO experience be configured to only allow login via SSO and exclude the option to enter a username and password?

Yes. Contact support to configure the following settings in your instance of SuccessPro:
Check the boxes in tenant config next to "Enable tenant config: enableManualSSOLogin" and "ssoSPEnabled." Insert the url in the identity provider SSO in ssoIDPLoginUrl. Next to the config in the Auth Section, deselect the checkbox for "manual login: tenant config."