Learn answers to common questions regarding Apricot Federated Single Sign-On (SSO).
Q: Is SSO available in my country?
SSO is available for Apricot users in the United States, Canada, and Australia. Only administrators can access the Manage Federated SSO page in Apricot.
Q: Is SSO the same as two-factor authentication?
SSO itself is not a two-factor authentication system, but it can work with an Identity Provider (IDP) that supports multi-factor authentication (MFA). MFA for SSO users must be done through an IDP, as MFA through Apricot is not supported.
Q: What protocols or standards are supported?
Apricot Federated SSO supports only the SAML 2.0 protocol.
Q: Can we create our own custom login URL?
Currently, we do not have the option for organizations to create their own login URL or use a custom subdomain.
Q: Does adding a user to my Identity Provider (IDP) also add the user to Apricot?
No, an Apricot administrator must add the user account and user permissions in Apricot separately from the IDP.
Q: What do I do if I have two databases to log into (e.g., a live database and a Sandbox)?
Each Apricot environment must have its own SSO configuration and unique SSO login URL. Users will not be able to log in to both environments with the same login URL.
Q: Can administrators grant standard users access to manage SSO?
Advanced Access Control user settings in Apricot do not apply to the Manage Federated SSO page.
Q: Are guest users supported in SSO?
Yes, guest users may log in to Apricot through SSO if they can authenticate their credentials through your IDP.
Q: My identity provider's certificate is about to expire. Can you help me renew it?
Certificate renewal must be handled through your Identity Provider (IDP). Bonterra does not provide assistance with managing or renewing certificates within your identity provider system.
Q: My identity provider's certificate is about to expire. Will I need to do anything with Apricot's SSO configuration after renewing my certificate?
The steps required depend on how your SSO configuration was initially set up in Apricot. If you provided a URL to your SSO certificate during the original configuration, Apricot will automatically pull the updated certificate when your identity provider publishes the new version. However, if you uploaded the certificate file directly to Apricot, you will need to delete and recreate the SSO configuration with the new certificate. Please note that recreating the configuration will generate a new login URL that must be redistributed to your users. The previous login URL will stop working immediately once the old configuration is deleted.
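As an added example (not part of the original FAQ or any Bonterra tooling), this is one way to check ahead of a renewal how close the certificate in your IdP's SAML 2.0 metadata is to expiry. It assumes the metadata XML has been saved to a local file and that `openssl` is installed; the function names, file names and 30-day warning window are hypothetical.

```bash
# Added example: classify the certificate in a SAML 2.0 IdP metadata file as
# ok / expiring / expired. File names and the 30-day window are assumptions.

# Print the first <X509Certificate> value in the metadata file as PEM.
metadata_cert_pem() {
  local b64
  b64=$(tr -d ' \t\r\n' < "$1" |
        grep -o '<[^>]*X509Certificate>[^<]*' | head -n 1 | sed 's/^<[^>]*>//')
  [ -n "$b64" ] || return 1
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$b64" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# Usage: idp_cert_status METADATA_FILE [WARN_DAYS]
idp_cert_status() {
  local pem warn_days=${2:-30}
  pem=$(metadata_cert_pem "$1") || { echo "no-certificate"; return 2; }
  # Reject blobs openssl cannot parse so they are not misreported as expired.
  printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 ||
    { echo "unparseable"; return 2; }
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "expired"
  elif ! printf '%s\n' "$pem" |
         openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
    echo "expiring"
  else
    echo "ok"
  fi
}

# Constructed sample input: metadata around a throwaway self-signed
# certificate valid for DAYS days (test data, not a real IdP).
make_constructed_metadata() {  # usage: make_constructed_metadata OUT_FILE DAYS
  local dir; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=constructed-idp' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
  {
    printf '%s\n' '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
    printf '%s\n' ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">'
    printf '%s\n' ' <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    printf '<ds:X509Certificate>\n%s\n</ds:X509Certificate>\n' "$(grep -v -e '-----' "$dir/cert.pem")"
    printf '%s\n' ' </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
    printf '%s\n' '</md:EntityDescriptor>'
  } > "$1"
  rm -rf "$dir"
}
```

After sourcing the file, `make_constructed_metadata sample.xml 10` followed by `idp_cert_status sample.xml 30` reports `expiring`. Run against your own IdP's metadata, an `expiring` result is the cue to plan the renewal and, if the certificate was uploaded as a file, the login URL redistribution described above.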