User Roles | Admin | ✗Staff contributor | ✗External Contributor | ✗Pulse user |
This article explains Single Sign-On (SSO), which simplifies logging into multiple platforms with one set of credentials. It covers the benefits for users and firms, details on how to set up SSO, and how to enforce SSO for all users to improve security and access management.
Table of contents
- What is SSO and how can it help you as a user?
- What are the advantages of SSO?
- How do I get this set up for my firm?
- How does SSO work once it's set up?
- Enforce SSO for all users
What is SSO?
SSO simplifies logging in across multiple platforms. A user signs in once with one set of credentials and can then access other applications with those same credentials.
What are the advantages of SSO?
- For the users, the main advantage is that they do not have to create and remember a separate password for Silverfin, and will most of the time be able to sign in with a simple click.
- For the admin users, the main benefit of SSO is the ability to manage user access outside of Silverfin. For instance, when an employee leaves the firm and their user is deactivated in the firm’s user system, access to all other SSO-integrated tools is immediately revoked, with no need for manual changes in other systems.
Setting up Silverfin with SSO means authentication to the Silverfin application will be handled outside of Silverfin. This gives the firm’s IT department control to set custom password rules (renewal, complexity, location), enable multi-factor authentication, or set up any other authentication-specific setting.
How do I get this set up for my firm?
Get your IT department to connect with the Silverfin SSO experts to get this set up. Please read the document attached at the bottom of the article to find out more.
We can set up:
- Azure AD
- Azure B2C
- OpenID Connect
Just get in touch with your CSM with your requirements and we can get you set up!
How does SSO work once it's set up?
- You can continue to add new users as usual. Existing Silverfin users will immediately be able to sign in with SSO if their email address matches between Silverfin and the SSO platform. Administrators can require certain users to only sign in with SSO. If an SSO was selected when the user was created, the user is required to sign in to Silverfin with SSO and cannot sign in with their Silverfin username and password. In the user creation and user details screen, firm admins can see and specify whether a user is required to use SSO or not.
- In the User SSO settings section, you will find a checkbox to 'Require user to sign in with SSO'. For firms with more than one SSO enabled, you can select a default SSO for the user. In this case they can still sign in with the alternative SSO, if their user email matches in both SSOs. The selected SSO will also define which Welcome email will be sent to the user.
- Users that should be allowed to sign in with username and password must have the 'Require user to sign in with SSO' unchecked. They will still be allowed to sign in with SSO if their user exists in the SSO of the firm.
To log in with SSO, the user has to access Silverfin through an SSO subdomain that is defined when you set up SSO. The URL will be in the format [subdomain].getsilverfin.com, and the subdomain can be found in the SSO connection section.
Enforce SSO for all users
If you already configured SSO for your firm, you can enable the firm-wide "SSO Enforcement" feature. This will require that all users or all staff must sign in through SSO. The options for SSO Enforcement are:
- Enforced for all users: All users must sign in via SSO regardless of their user SSO configuration
- Enforced for staff users: All staff users must sign in via SSO regardless of their user SSO configuration
- Not enforced: All users sign in according to their user SSO configuration
Please be aware that when SSO Enforcement is enabled, users are forced to sign in with SSO. When a user doesn’t have an SSO Account, they will not be able to sign in to their account. You’ll find the option in the SSO connections section under User configuration.
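A pre-enforcement check for the lockout case described above, as an added example (not Silverfin's code or API): it models the rules in this article to list users who would be left with no sign-in method under each enforcement option. The `User` fields, the staff flag, case-insensitive email matching and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The three firm-wide SSO Enforcement options named in the article.
ALL_USERS, STAFF_USERS, NOT_ENFORCED = "all_users", "staff_users", "not_enforced"

@dataclass
class User:
    email: str
    is_staff: bool     # assumption: the caller decides which roles count as staff
    require_sso: bool  # the per-user 'Require user to sign in with SSO' checkbox

def _norm(email):
    # Assumption: addresses are matched case-insensitively, ignoring whitespace.
    return email.strip().lower()

def allowed_methods(user, enforcement, idp_emails):
    """Sign-in methods left to one user under a given enforcement option."""
    has_sso = _norm(user.email) in {_norm(e) for e in idp_emails}
    # Assumption: users not covered by firm-wide enforcement keep their own setting.
    forced = (enforcement == ALL_USERS
              or (enforcement == STAFF_USERS and user.is_staff)
              or user.require_sso)
    methods = set()
    if has_sso:
        methods.add("sso")
    if not forced:
        methods.add("password")
    return methods

def locked_out(users, enforcement, idp_emails):
    """Emails of users who would have no way to sign in."""
    return [u.email for u in users
            if not allowed_methods(u, enforcement, idp_emails)]

# Constructed sample data: a Silverfin user export and the IdP's address list.
USERS = [
    User("alice@firm.example", True, True),
    User("bob@firm.example", True, False),
    User("carol@client.example", False, False),
    User("dave@firm.example", True, True),
]
IDP_EMAILS = ["Alice@Firm.example"]

if __name__ == "__main__":
    for option in (NOT_ENFORCED, STAFF_USERS, ALL_USERS):
        print(option, locked_out(USERS, option, IDP_EMAILS))
```

Any address the check reports needs an account in the SSO platform before the stricter option is switched on.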
If a user tries to log in with their username and password after enabling “Enforce SSO access”, they will see a screen similar to this one, guiding them to the correct way to log in: