Single Sign-On (SSO)
Requires the “Single Sign-On (SSO)” permission. See Users.
Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of credentials. You can configure enterprise single sign-on (SSO) for the Client Portal.
Quick Tips:
Some SSO providers do not allow for users to be logged in from multiple locations.
SSO email login is not case sensitive.
To get to the Single Sign-On (SSO) section, go to Maintenance > Single Sign-On (SSO).
| Field Name | Description |
|---|---|
| Domain | The SSO domain. |
| SSO Provider | Name of the SSO provider. |
| Entity ID (URL) | Entity ID URL. |
| SSO Login URL | SSO login URL. |
| Certificate | Filename of uploaded certificate. |
| Template ID | ID and name of the internet user template. The internet users associated with the SSO domain will be linked to the customer record ID account selected on the internet user template. |
SSO and Existing Local Accounts
When SSO is enabled for the Client Portal, existing local internet user accounts are not affected. They remain valid and users can continue to log in with their username and password exactly as before. Enabling SSO does not disable, modify, or remove any existing local accounts.
SSO works by creating new internet user records for users who log in via SSO for the first time, using their email address as the identifier. This means local accounts and SSO accounts can coexist within the same portal.
Migrating an existing local user to SSO
If you want an existing local user to authenticate via SSO instead, you must delete their local internet user record first. Because SSO creates a new internet user record using the email address, a pre-existing local record with that same email will block the SSO account from being created for that user. Once deleted, SSO will create a new record for them automatically upon their first SSO login.
Disabling a local account without deleting it
If you want to remove a local user’s Client Portal access while preserving their historical data, uncheck the Approved checkbox on their internet user record. This disables their login access without deleting the record or any associated history.
Login experience when SSO is enabled
When SSO is configured, the Client Portal login screen changes to a two-step flow:
1. The user enters their username or email address.
2. If the email matches an SSO domain, the user is redirected to authenticate with the Identity Provider (IdP). If it is a local account, the user is prompted to enter their password.
Users with local accounts will not notice any change to their login experience after SSO is enabled. The two-step flow only routes them differently at step 2 depending on their account type.
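The following Python audit is an added example, not part of the product or its documentation. It lists local internet user records whose email falls in a configured SSO domain (these must be deleted before the user can move to SSO, as described above) and approved local records outside any SSO domain that still log in with a password. The CSV column names `username`, `email` and `approved`, the sample rows and the domain are constructed assumptions; the page does not describe an export format.

```python
import csv
import io

# Constructed sample data. Column names are hypothetical, not a product export format.
SSO_DOMAINS = {"example.com"}
SAMPLE_EXPORT = """username,email,approved
jsmith,J.Smith@Example.com,true
mlee,mlee@example.com,false
vendor1,ops@partner.test,true
kiosk,,true
"""


def email_domain(email):
    """Return the lower-cased domain of an email address, or None if malformed."""
    local, sep, domain = (email or "").strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # SSO email login is not case sensitive, so compare in lower case.
    return domain.lower()


def audit_local_accounts(export_text, sso_domains):
    """Split local records into SSO-domain collisions and password-only logins.

    Each entry is (username, approved). A collision is a local record whose
    email is in an SSO domain: it blocks creation of the SSO record for that
    email until it is deleted. Unchecking Approved keeps the record, so
    unapproved records are reported as collisions too.
    """
    domains = {d.strip().lower() for d in sso_domains}
    collisions, password_only = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        approved = row["approved"].strip().lower() == "true"
        entry = (row["username"], approved)
        if email_domain(row["email"]) in domains:
            collisions.append(entry)
        elif approved:
            password_only.append(entry)
    return collisions, password_only


if __name__ == "__main__":
    collisions, password_only = audit_local_accounts(SAMPLE_EXPORT, SSO_DOMAINS)
    for user, approved in collisions:
        print(f"delete before SSO migration: {user} (approved={approved})")
    for user, _ in password_only:
        print(f"still password login: {user}")
```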
How to Create a New Single Sign-On (SSO)
Go to Maintenance > Single Sign-On (SSO).
Click the + button in the top right.
New SSO users will have a new internet user record created for them automatically upon their first login with SSO. You will need to set the Internet User Template to have the “Approved” checkbox enabled and a “Primary Customer” set to enable the new SSO internet user records. See https://cxtsoftware.atlassian.net/wiki/spaces/CXTsupport/pages/2604433409.
How to Edit a Single Sign-On (SSO)
Go to Maintenance > Single Sign-On (SSO).
Click the SSO you would like to edit or click the action menu at the end of the row and select Edit.
Quick Tip: You can open 2 edit forms by selecting the checkboxes of the SSOs and clicking the edit pencil icon in the top right.
How to Delete a Single Sign-On (SSO)
Go to Maintenance > Single Sign-On (SSO).
Check the checkbox of the SSO(s) you would like to delete.
Click the delete button in the top right.
Centralized SSO Config
Click the Centralized SSO Config icon to view or edit the information you need to submit to any new SSO identity provider.
Quick Tip: Credentials will be validated before the Centralized SSO Config is saved.
SSO Form
| Field Name | Description |
|---|---|
| ID | Read only. Automatically assigned ID for the SSO. |
| SSO Provider Name | Name of the SSO provider. |
| SSO Domain | The SSO domain. |
| Entity ID (URL) | Entity ID URL. |
| SSO Login URL | SSO login URL. |
| Internet User Template ID | ID and name of the internet user template. New SSO users will have a new internet user record created for them automatically upon their first login with SSO. You will need to set the Internet User Template to have the “Approved” checkbox enabled and a “Primary Customer” set to enable the new SSO internet user records. See https://cxtsoftware.atlassian.net/wiki/spaces/CXTsupport/pages/2604433409 or https://cxtsoftware.atlassian.net/wiki/spaces/CXTsupport/pages/3043753989. |
| Certificate | Filename of uploaded certificate. |
| Attachment | Filename of uploaded certificate(s). |