Technical

Options for Single Sign-On (SSO)

Follow

sso-1.webp

Single Sign-On improves security and makes the logging in process simpler for staff users. For example, if a user is already logged into their existing identity provider, then accessing Asset Bank could be as easy as clicking a link from their intranet.

It also removes the need to create new user accounts manually, as new staff members in parts of your organisation can automatically be mapped to the relevant permission group. As a result single sign-on is fast becoming the preferred login option for organisations. 

This article provides high-level details of the alternatives available for configuring your Asset Bank so that users do not have to enter a username and password each time they start a new session. Please note that all of these options except the 'remember me' cookie require a professional/enterprise licence.

Note: SSO is a Professional / Enterprise license feature. Set up fees apply. To enable SSO please contact our Customer Support Team.

Integration with a cloud-based SSO technology

There are many different SSO technologies available. Asset Bank’s authentication module has been designed so that we can easily develop new plugins to enable SSO (single sign-on) technologies to be used.

Please note that the following Google and SAML providers are only available with our hosted Asset Bank option, not when Asset Bank is installed on your servers (on-premise).

We have already developed plugins to enable Asset Bank to work with the following SSO technologies:

We can only configure one SSO method per site (for example you cannot configure Asset Bank users to login with both Azure AD and Okta), however you can use an SSO method alongside the default non-SSO (local) user logins if desired.


LDAP Integration

Please note that it is not possible to have LDAP integration for Asset Banks that host with us, however it is still an option for customers who choose to host Asset Bank on their own servers (on-premise).

If your organisation uses LDAP then integrating Asset Bank with your LDAP server is a good option. See How do I integrate Asset Bank with an LDAP server?

This does require Asset Bank to be able to connect to your organisation's LDAP server. If your Asset Bank is hosted externally then your IT team is unlikely to simply allow access. We have clients who have implemented this architecture using VPN tunnels, and we would be happy to discuss this option in more detail.


Active Directory and Integrated Windows Authentication

LDAP integration enables users to use the same username and password as they use to access their computers, but it does not in itself provide SSO.

If your LDAP server is Active Directory, and you use IIS as the web server for your Asset Bank, then we recommend using Integrated Windows Authentication. See Integration with a Web Server.


EncryptedURL Plugin

Asset Bank's ‘EncryptedUrlSSO’ plugin, enables a client's developers to show a link (e.g. on an Intranet) to Asset Bank that includes a user’s details encrypted and encoded, so Asset Bank can create them as a user (if it hasn’t seen them already) and log them in. See EncryptedUrlSSO Specification.

'Remember me' cookie

Asset Bank can show a 'Remember me' checkbox on the login page (this is turned off by default). If this functionality is enabled, and a user checks the checkbox, an encrypted token is stored in a cookie so that Asset Bank can log them in automatically next time they visit. No personal details about the user, other than the encrypted identifier, are stored in the cookie.
This functionality can be enabled by changing the following setting: allowAutoLoginUsingCookie=true

Related articles

Comments

0 comments

Please sign in to leave a comment.