What is Single Sign-On (SSO)?
Single sign-on (SSO) is a mechanism for automatically authenticating users when they access applications. When an end user tries to connect to the Ravio application (a Service Provider or SP), Ravio verifies the user’s account with your company’s SSO identity provider (IdP). Once connected, the user remains signed in until they sign out of Ravio or their session expires.
Important note: Ravio supports only SAML or OIDC Single Sign-On protocols, and allows the use of only one protocol at a time.
SSO setup instructions
If you wish to set up Single Sign On on your account please let your Ravio contact know as this has to be enabled before setup can begin.
If you have any questions about the process, you can book a call with a Ravio expert using the link here. Otherwise follow the instructions below!
When you are ready to set up SSO, where you see the option to do this will depend on whether you have been through the onboarding process or not. Open the headings below to find your specific location.
If you are configuring SSO during the onboarding process you will see the “SSO Configuration” towards the bottom of the left hand side menu.
If your company already has access to the Ravio tool and you want to set up Single Sign On, you will find the SSO configuration screen in “Settings” under “Account”.
This opens the SSO configuration screen, where you will be prompted to enter the information in the below toggles.
For SAML Integrations
| Configuration | Definition | Example |
|---|---|---|
| Sign In URL | The URL the SP uses to contact the IdP to request authentication of a user account. | https://samlp.example.com/login |
| X509 Signing Certificate | The URL the SP uses to contact the IdP to request authentication of a user account. | Typically starts with ----BEGIN CERTIFICATE----- |
| Email domain(s) | Your company’s email domain(s). This defines which email addresses will be redirected to your IdP login when they sign in to Ravio. | ravio.com |
For OIDC integrations
| Configuration | Definition | Example |
|---|---|---|
| Issuer URL | The issuer URL uniquely identifies your OIDC server instance. | https://mydomain.com/.well-known/openid-configuration |
| Client ID | The unique ID for the client application. | An identifier |
| Email Domain(s) | Your company’s email domain(s). This defines which email addresses will be redirected to your IdP login when they sign in to Ravio. | ravio.com |
Note: You will also have to provide the ‘Client Secret’ if you require the communication channel to be ‘Back Channel’ (requires response_type = code) instead of ‘Front Channel’ (Uses response_mode=form_post and response_type=id_token). This can’t be shared through the app and should be shared securely with your Ravio contact.
Once this information is entered, make sure to click “Save SSO Configuration”!
Typically these details can be provided by the team that manages the system your organisation uses for SSO. This is typically your general IT team, the Systems Administration team, or the Identity Access Management Team (IdAM).
Ravio will confirm SSO activation and provide the below information via email so the team that manages your organisation’s IdP can complete the SSO configuration.
For SAML integrations
| Configuration | Definition | Example |
|---|---|---|
| Callback URL | The URL where the user is redirected after they authenticate. | https://ravio-auth-production.eu.auth0.com/login/callback?connection=example |
| Entity ID | Globally unique ID that identifies the Ravio application in the SAML protocol. | urn:auth0:ravio-auth-production:example |
You may be prompted to enter this information before you are able to generate a certificate (e.g. if you use Okta). In that case you can take the above URLs, replacing ‘example’ in both with the details with your company name in all lowercase with no spaces. For example, if I am setting this up for the company ‘Ravio Example’ - the Entity ID would be “urn:auth0:ravio-auth-production:ravioexample”.
For OIDC integrations
| Configuration | Definition | Example |
|---|---|---|
| Callback URL | The URL where the user is redirected after they authenticate. | https://ravio-auth-production.eu.auth0.com/login/callback |
Important Note: When configuring the SSO, please ensure that the email attribute is provided in the SAML Assertion. The email address is what Ravio uses to authenticate users, so without this all SSO logins will fail.
Once both the Ravio and IdP configuration has been completed, Ravio will schedule a specific time to test the integration to make sure everything is working before SSO is formally ‘switched on’ for your organisation.
Ravio SSO setup details
Ravio does not currently support:
IdP-initiated login:
- Users who want to log into Ravio through SSO must first visit the Ravio login page before being redirected to the company's IdP provider to sign in. You can add users in Ravio by going to “Invite Colleagues” in the menu on the left hand side:
All users who want to log in through SSO have to still visit app.ravio.com first before being redirected to your organisation’s SSO login screen.
"Just-in-Time" (JIT) or SCIM user provisioning:- Users who need access to Ravio must have an account created for them in Ravio before they can log in. Ravio doesn't automatically create user accounts when someone logs in for the first time.
Troubleshooting
“Once the user signs in through SSO they still cannot access Ravio”
This means that the SSO is not finding any matching users in the Ravio system. Two things should be checked:
- That the company employee has a user in the Ravio system. If this isn’t the case you need to make sure you invite the user.
- If your colleague has a Ravio user, you need to make sure that the email address in Ravio for the user matches exactly the email address they use to log in to your company SSO. Ravio uses this as the matching attribute so if these are different Ravio sees this as not matching any user.
“None of my SSO logins are working”
If the SSO connection is successfully set up but none of your colleagues are able to access Ravio, you need to check the attributes that are being sent as part of the SSO workflow. Ravio requires that the email attribute is added as this is what we use to authenticate the users. Please check the SSO configuration in your IdP to ensure this is added.
For example, the above image shows the configuration for SAML in Okta.
“The login does not work when I click the link directly in my SSO tool”
This is likely because you are attempting to use IdP-initiated login, this is something that Ravio does not support currently.
All users who want to log in through SSO have to still visit app.ravio.com first before being redirected to your organisation’s SSO login screen.
“My colleagues are created as users in Ravio, however they still are blocked from accessing Ravio”
There are some corner cases (especially when using Google Workspace as your SSO provider) where users have been created in Ravio however users are not automatically created in your IdP. To properly authenticate users via SSO they have to be created in both the IdP and the SP.