# Organization single sign-on

Single sign-on allows you to employ your existing organization identity provider as the sign-in system for members of your organization.

This allows members of your organization to bypass Civillo registration and sign-in, and gives you full control over user accounts from your organization identity provider.

Civillo single sign-on uses Security Assertion Markup Language (SAML) to verify sign-in authorizations sent from your organization identity provider.

TIP

Civillo can only act as a service provider in single sign-on. There is no support for acting as the identity provider. An external identity provider is required.

# Initialization

Single sign-on in Civillo is currently only available on request. If you wish to use single sign-on for your organization, you must contact Civillo support at support@civillo.com to request access to this functionality.

To set up single sign-on for your organization, you must first meet some requirements in Civillo.

1. Register for a Civillo account manually.

A Civillo account is required so you can at least sign in to Civillo to set up single sign-on.

2. Your organization must have been created in Civillo.

You'll need to contact Civillo support to have your organization added to Civillo. This is usually set up as part of the onboarding process when your first project or trial is set up.

3. You must have the role of organization administrator in Civillo.

Only users with this role have permission to change settings that affect the organization as a whole.

4. Single sign-on must be made available to your organization, and your organization email domain must be verified.

Please contact Civillo support to have this functionality made available to you; it is not available by default. Civillo support will verify your organization email domain as part of the process.

After the initial requirements are met, you can access the Single sign-on settings page by navigating to Administration, opening the Organization item and finally selecting the Single sign-on page.

# Settings

All fields required for setting up single sign-on are available from the Administration -> Organization -> Single sign-on page.

The values for these settings will be available from your organization identity provider.

TIP

Currently there is no support for importing an identity provider metadata file directly. The provided single sign-on settings fields must be entered manually.

# Domain

The domain is how Civillo determines which users are eligible (or restricted) to sign in using the organization single sign-on. You must contact Civillo support to set or update this field, as domain verification is currently done manually.

# Domain restriction

By default when using single sign-on, Civillo lets users choose whether to sign in with their Civillo credentials or their organization identity provider credentials, via a prompt shown after they enter their email address on the sign-in page.

Sign-in can be restricted to organization identity provider single sign-on only by enabling the Restrict domain to single sign-on only setting here. In this case no prompt is shown to the user; they are redirected automatically to the organization identity provider sign-in page.

# Identity provider sign-in URL

The URL of the organization identity provider single sign-on page should be set here. Users will be redirected here to sign in. After the identity provider authorizes the user, it is expected to redirect them back to Civillo with an appropriate SAMLResponse.

# Identity provider sign-out URL

The URL of the organization identity provider sign-out page can be set here. If set, after signing out from Civillo, single sign-on users will be redirected to this page to attempt to sign out from the organization identity provider.

# Identity provider sign-out protocol

The binding protocol that your organization identity provider sign-out page expects. This defaults to HTTP-REDIRECT; if your identity provider expects HTTP-POST, the value can be changed here.
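The two bindings differ in how the SAML message is packaged, which is why the wrong choice leaves the identity provider unable to read the sign-out request. The following added example (not Civillo's code) shows a LogoutRequest encoded for HTTP-REDIRECT (raw DEFLATE, base64, URL-encoded query parameter) and for HTTP-POST (base64 in a hidden form field), plus the decoding a receiver performs for the redirect binding, which is also what a sign-out page receiving an HTTP-REDIRECT request has to do. The identity provider URL, request contents and function names are constructed for illustration.

```python
"""Added example (not Civillo's code): packaging a SAML LogoutRequest for the
HTTP-REDIRECT and HTTP-POST bindings. The IdP URL, the request body and all
function names are assumptions made for illustration."""
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample LogoutRequest. A real one carries a fresh ID and a signature.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2024-05-06T00:00:00Z">'
    '<saml:Issuer>https://app.civillo.com/sp</saml:Issuer>'
    '<saml:NameID>user@example.org</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def http_redirect_url(idp_signout_url: str, logout_request: str) -> str:
    """HTTP-REDIRECT binding: raw DEFLATE (no zlib header), base64, then the
    result is URL-encoded as the SAMLRequest query parameter of a GET."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits selects raw DEFLATE
    deflated = compressor.compress(logout_request.encode("utf-8")) + compressor.flush()
    encoded = base64.b64encode(deflated).decode("ascii")
    return idp_signout_url + "?" + urlencode({"SAMLRequest": encoded})


def http_post_form(idp_signout_url: str, logout_request: str) -> str:
    """HTTP-POST binding: plain base64 (no compression) in a hidden form field
    that the browser submits with a POST to the IdP sign-out page."""
    encoded = base64.b64encode(logout_request.encode("utf-8")).decode("ascii")
    return (
        f'<form method="post" action="{html.escape(idp_signout_url, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{html.escape(encoded, quote=True)}"/>'
        '</form>'
    )


def decode_redirect_request(url: str) -> str:
    """Receiver side of HTTP-REDIRECT: reverse the URL-decode, base64 and
    DEFLATE steps to recover the XML. A receiver expecting HTTP-POST would
    skip the inflate step and fail on a redirect-encoded message."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


if __name__ == "__main__":
    url = http_redirect_url("https://idp.example.org/slo", LOGOUT_REQUEST)
    print(url)
    print(http_post_form("https://idp.example.org/slo", LOGOUT_REQUEST))
    print(decode_redirect_request(url) == LOGOUT_REQUEST)
```

Note that the redirect binding puts the message in the URL, so it is subject to URL length limits and shows up in proxy and server logs; the POST binding does not, which is one reason some identity providers insist on it.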

# Signing certificate

A public signing certificate from your organization identity provider is required so that Civillo can verify that any single sign-on SAMLResponse was produced and authorized by the organization identity provider and not by an unexpected source.

# Enabling single sign-on

After the correct identity provider settings are entered, you can enable single sign-on using the toggle in the top right of the page.

If single sign-on has a problem for any reason, it can be disabled with the same toggle in the top right of the page.

# Identity provider setup

Depending on your organization identity provider, you will need to configure some Civillo-related settings in the identity provider so it knows where to send sign-in responses and how to structure the SAMLResponse.

# Audience

The SAML audience is a unique identifier (also known as issuer or identifier) to help your identity provider identify Civillo as a service provider. This value needs to be set to https://app.civillo.com/sp.

# Sign-in callback

# URL

After a single sign-on request from Civillo has been authorized, the SAMLResponse should be sent to the Civillo SSO callback URL, which is https://app.civillo.com/i/user/ssoauthorize. This needs to be set in the application settings of your identity provider. It is usually named something like Assertion Consumer Service (ACS) or

# Mappings

The SAMLResponse must contain the following attribute mappings, which are required by Civillo.

```json
{
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}
```
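To make the Audience and Mappings requirements above concrete, the following added example (not Civillo's code) shows the checks a service provider runs on a SAMLResponse once its signature has been verified against the identity provider signing certificate: the assertion must be inside its validity window, its Audience must be https://app.civillo.com/sp, the Destination (when present) must be the callback URL, and all four required attributes must be present. Signature verification is deliberately not implemented here; it belongs to a maintained XML-DSig library. The sample response, the sample clock value and the function names are constructed for illustration.

```python
"""Added example (not Civillo's code): service-provider checks on a SAMLResponse.
Run only after XML signature verification against the IdP signing certificate
(not shown). The sample response, clock and function names are constructed."""
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EXPECTED_AUDIENCE = "https://app.civillo.com/sp"
CALLBACK_URL = "https://app.civillo.com/i/user/ssoauthorize"
# Required mappings from the page: Civillo attribute name -> SAML Attribute Name.
REQUIRED_ATTRIBUTES = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
}

# Constructed, unsigned sample response (illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-06T12:00:00Z" Destination="https://app.civillo.com/i/user/ssoauthorize">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-06T12:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-06T11:59:00Z" NotOnOrAfter="2024-05-06T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.civillo.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane@example.org</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed clock value inside the sample validity window.
SAMPLE_NOW = datetime(2024, 5, 6, 12, 1, tzinfo=timezone.utc)


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, now: datetime,
                      expected_audience: str = EXPECTED_AUDIENCE) -> dict:
    """Return the mapped user attributes, or raise ValueError on any failed check."""
    root = ET.fromstring(xml_text)
    destination = root.get("Destination")
    if destination is not None and destination != CALLBACK_URL:
        raise ValueError(f"unexpected Destination {destination!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive.
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is not None and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is not None and now >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    # The assertion must be addressed to this service provider.
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience {audiences} does not include {expected_audience}")
    # Collect attributes by SAML Name, then map them to the Civillo names.
    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            present[attr.get("Name")] = value.text.strip()
    missing = [saml for saml in REQUIRED_ATTRIBUTES.values() if saml not in present]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    return {civ: present[saml] for civ, saml in REQUIRED_ATTRIBUTES.items()}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SAMPLE_NOW))
```

The ordering matters: signature first, then the audience and time checks, then the attribute mapping, so that an assertion meant for another service provider or replayed after expiry is rejected before any account is looked up or created from its email claim.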

# Sign-out

# URL

If you wish to have your organization members sign out from Civillo after signing out from your identity provider, they should be redirected to the Civillo sign-out page, https://app.civillo.com/i/user/signout, using the HTTP-REDIRECT binding.

# Reverting back to Civillo credentials

If for any reason you wish to revert your organization back to using Civillo credentials, you can just disable single sign-on using the toggle in the top right of the page.

TIP

When reverting back to Civillo credentials, a password can be generated for any users who were originally registered automatically by signing in with single sign-on, using the password recovery service.

Last Updated: 06/05/2024