Single Sign-On (SSO) Feature

Single Sign-On (SSO): Streamlined access, enhanced security.

Written by Judi Zietsman
Updated over 3 weeks ago

Quick Summary: This article explains how Single Sign-On (SSO) works in the app, providing the necessary terminology, requirements, configuration steps, and ongoing maintenance needed to implement and manage SSO successfully.

Why Single Sign-On Matters

Single Sign-On allows users to access multiple applications with a single set of login credentials. This enhances security, alleviates password fatigue, centralizes authentication control, and eliminates the need for users to remember separate app-specific passwords.

Once SSO is enabled, all users will log into the app through the Identity Provider rather than using their previous app credentials.


Terminology

  • Single Sign-On (SSO): An authentication process that allows access to multiple applications using one set of credentials.

  • Security Assertion Markup Language (SAML): A standard used to transfer identity data between applications.

  • Identity Provider (IdP): The service that authenticates users, such as Microsoft Entra ID.

  • Service Provider (SP): The application that relies on the Identity Provider for authentication, such as the app itself.

  • NameID: The unique identifier used to represent the user, such as an email address.


Requirements

Your Identity Provider must meet the following conditions:

  • It supports SAML

  • It supplies an email address as the NameID

  • The NameID email addresses match users in the app


How to Set Up Single Sign-On (SSO)

The setup involves exchanging configuration details between Netstock (Service Provider) and your company’s Identity Provider (IdP).

Step 1: Obtain Service Provider details

  1. In the app, navigate to the Settings section > Configuration screen > Access tab and select Enable SSO for all users.

  2. Do not save this change yet. Saving it now, before the Identity Provider is configured, will block normal login.

  3. Click Show Service Provider details to view the information required by your Identity Provider.

  4. Copy the details for use in Step 2.


Step 2: Configure the Identity Provider

  1. In the Identity Provider, create a new application for the app and configure it to use:
    • SAML protocol
    • Email addresses for the NameID

  2. Enter the Service Provider details obtained in Step 1.

  3. Grant access to users or groups that correspond to valid users in the app.


Step 3: Configure the app

Return to the app and go to the Settings section > Configuration screen > Access tab. Enter the following values copied from the Identity Provider:

  • Entity ID: The Identity Provider identifier

  • SSO URL: The Single Sign On URL

  • SLO URL: The Single Logout URL

  • Certificate: The PEM-encoded public key certificate

The certificate must begin with:
-----BEGIN CERTIFICATE-----

and end with:
-----END CERTIFICATE-----

Important: Once SSO is enabled, app-specific passwords will no longer work.

After entering the information, click Update. All users will receive an email explaining that the login process has changed.

The login page will now include a button to log in with SSO.

Do not log out of your current session. Continue to Step 4 to test the configuration.


Step 4: Testing

  1. Open a separate device, browser, or private browsing session to test SSO without interrupting your current session.

    • Attempt to log in using your normal Identity Provider credentials.

    • If you have never had access to the app before, ask a colleague with access to test instead.

  2. If login fails, verify all values entered in Steps 1 to 3.

  3. If SSO still does not work, use your still-active session to go to the Settings section > Configuration screen > Access tab and untick Enable SSO for all users. Then click Update. This will restore normal authentication and send notifications to all users.


Maintenance

Adding users

When a new user is added in the Identity Provider, create the same user in the app and assign the correct access levels and locations.

Removing users

If a user is removed in the Identity Provider, delete the user in the app to keep the instance tidy.

Maintaining users

Access levels must always be managed in the app itself.

Certificate expiry

The Identity Provider certificate stored in the app will eventually expire. Set a reminder to replace it before the expiry date. If the certificate expires, users will not be able to access the app. If you are locked out, contact support for assistance in updating the certificate.
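
The check below is an added example, not part of the original article or the vendor's tooling. It confirms that a saved copy of the Identity Provider certificate has the required BEGIN/END markers, parses as X.509, and will not expire within a warning window. The file name, the 30-day default and the return codes are assumptions of this example, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: pre-flight and expiry check for the IdP certificate that is
# pasted into the app. Return codes are chosen for this example:
#   0 = OK, 1 = expired or expiring within the window, 2 = not a usable PEM cert.

check_idp_cert() {
    local pem="$1"
    local warn_days="${2:-30}"   # assumed default warning window, in days
    local first last

    # The app expects the value to begin and end with the PEM markers.
    # Blank lines and Windows line endings from copy/paste are tolerated here.
    first=$(grep -v '^[[:space:]]*$' "$pem" | head -n 1 | tr -d '\r')
    last=$(grep -v '^[[:space:]]*$' "$pem" | tail -n 1 | tr -d '\r')
    if [ "$first" != "-----BEGIN CERTIFICATE-----" ] ||
       [ "$last" != "-----END CERTIFICATE-----" ]; then
        echo "malformed: missing BEGIN/END CERTIFICATE markers" >&2
        return 2
    fi

    # Markers alone prove nothing: make sure the body parses as X.509.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "malformed: body is not a parseable X.509 certificate" >&2
        return 2
    fi

    # Print the expiry date so it can be copied into a calendar reminder.
    openssl x509 -in "$pem" -noout -enddate

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "warning: certificate expires within ${warn_days} days" >&2
        return 1
    fi
    return 0
}

# Usage as a script: sh check_idp_cert.sh idp-cert.pem [warn_days]
if [ $# -ge 1 ]; then
    check_idp_cert "$@"
fi
```

Run it on a schedule against the same certificate text that was entered in the Access tab, so a non-zero return code arrives before users are locked out.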


⚠️ Watchouts

  • Login failure recovery: If the login test fails after setup, immediately use your still-active session to uncheck Enable SSO for all users and click Update. This restores password-based logins and prevents lockouts while you troubleshoot.

  • Certificate expiry: If your IdP certificate expires, users will be unable to log in through SSO. Contact support for assistance replacing the certificate.


💡 Tips

  • Test at quiet times: Test SSO setup during low usage hours to reduce disruption.

  • Validate user emails: After enabling SSO, review all active users in the app to confirm each has a valid matching email address in your Identity Provider.

