Enabling SSO Authentication

Overview

Single sign-on (SSO) refers to the ability for Octave users to log in with their enterprise credentials to get access to Octave seamlessly as they do for most applications they are using in their day to day work. SSO solves key problems for the business by providing:

  • Greater security and compliance as users only have to remember a single set of credentials. With SSO, users won’t have to enter a different password for each application, which often results in password reuse or easy to guess passwords. This also permits to enforce the company password rules (length, rotation).
  • Improved usability and employee satisfaction with seamless login.
  • Reduced IT costs related to users provisioning and de-provisioning upon departure, ensuring that former employees or partners can’t access sensitive data.

With SSO enabled, every time users authenticate to Octave with their email matching your company’s domain, they will automatically be redirected to your OpenID Connect (OIDC) SSO provider. If they already have a session open with their company’s identity provider, they will automatically be logged in to Octave without any additional actions.

To enable single sign on in your account, please contact your reseller or your Sierra sales representative.

Prerequisites

The following prerequisites must be met before you can enable SSO:

  • Your identity provider must support OpenID Connect (OIDC) as an authentication protocol.
  • You must be the account administrator to configure the SSO.
  • Verify that all UI users' email addresses are real (avoid aliases for example, that are not working for some identity providers).

SSO Option Pricing

The pricing for SSO can be found here

SSO Frequently Asked Questions

Do I need to configure user accounts in Octave if SSO is enabled?

Yes, Octave and the Sierra Cloud as a whole delegates the authentication but not the authorization. You still need to configure the Octave application-specific permissions you want to give to each user. Also each user can provide their user details such as the phone number, but not for the MFA configuration. Even if the password field is still available, it is no longer used when SSO is enabled.

Does SSO impact API users?

No, API users are not redirected to the Identity Provider. If the user is using the Resource Owner Flow, the password associated to the user will still be used.

How will users outside of the SSO-configured domain log in?

SSO will only be applied to the users with email addresses matching configured domains. For other users from your company or partners, the standard authentication based on email and password will still apply.

Do I need to open additional ports in the company firewall?

No, we are using the same ports as the ones used for Octave

Is SSO compatible with multi-factor authentication (MFA)?

All users associated to the SSO configuration will use the configured identity provider. This company identity provider may itself use MFA.

Which users in my enterprise will benefit from SSO

All users with e-mail adresses in you enterprise domain name will use the identity provider, with a maximum number of 100 users at any time.