In this article, we will explain how to configure a new SSO application capable of communicating with the Axur Platform. Follow the sections to make the necessary configurations.
Part 1: Configure your Identity Provider (IdP)
You will need to configure a new SAML application in your Identity Provider. Several providers are capable of offering this type of service. Below we list some IdPs, with specific tutorials. It is important to highlight that the list contains “approved” providers (i.e., they have our trust and reliability to provide this functionality for our users):
Part 2: Create a new SSO configuration on the Axur Platform
To create a new application on the platform, follow the step-by-step instructions in the images:
Click on the API & Integrations tab
Find the SSO section
Create a new configuration as shown in the images. We show both an example using a file upload and a URL to provide the metadata:
Regarding the fields you need to fill: * Select the IdP: This refers to the Identity Provider where you’ve setup SSO. It can be selected using the menu. If none of the existing providers match, select None. * Session duration: Specifies how long the sessions on the platform should last, in days. Common values are 7 and 14. * SAML Metadata: This can be either a
.xmlfile, or a URL. Make sure they contain valid.xmlcontent. If you downloaded the file or copied the link directly from your provider and made no changes to the content, everything should work fine.Verify that the new application is listed correctly, as in the example:
After completing all these configurations, both in the provider and on the Axur Platform, it’s time to test the login. To do this, follow the steps below:
Log out of the platform.
On the login screen, add your email and click Login with SSO. You will receive the following message on the screen:
Check your email and look for the title Continue with Single Sign-On sent by Axur. Click the Go to SSO button.
You will be redirected to your IdP for authentication. After logging into your IdP, verify that you have been correctly redirected to the platform.
SSO Update
During the setup of data on your IDP, an expiration deadline is established. As the expiration date approaches, it is necessary to generate a new XML and update it on the Axur Platform.
The update must be carried out on the same interface used for the initial setup.
To perform the update, you will need to:
1. Access the API & Integrations option in the gear menu.
2. Look for the configuration already made.
3. Click on Edit SSO.
4. Delete the current XML.
5. Upload the new XML generated on your IDP.
6. Save the settings.
If you are unable to perform the setup, you can request support from the Customer Care team via email at [email protected].
FAQ
Can I configure more than one IdP for a single organization on the Axur platform?
No. Currently, the platform supports only one IdP per organization.
Can multi-factor authentication (MFA) be used alongside SSO?
Yes. MFA should be configured directly in the IdP to add an extra layer of security.
Can I switch between SSO and email/password login?
No. Once SSO is activated, traditional login is disabled for all users in the organization.
If I disable a user in the IdP (Identity Provider), will they be automatically deactivated in Axur One?
Disabling a user in your IdP does not automatically deactivate them on the Axur Platform. To permanently deactivate a user on the Axur Platform, you need to do so from the "My Team" page by clicking the three dots on the right side of the user's email.
Can an SSO user create a non-SSO user on the platform?
It depends on the domain configuration in the SSO. If the email domain is not mapped in the SSO configured for the customer, the SSO user can create a non-SSO user normally.
On the other hand, if the domain is mapped in the SSO, any new user with that domain will automatically be treated as an SSO user — even if they are manually created on the platform.
Example:
If the domain axur.com is configured in the Axur customer's SSO, any user with an @axur.com email must be authenticated via SSO.
In other words, even if that user is manually created on the platform, they will also need to be activated in the IdP (identity provider).
What should I do if a user cannot log in after configuration?
Verify the following:
The mandatory claims (first name, last name, email, and group) are correctly configured in the IdP.
The user is assigned to the correct group for platform access.
Can I configure multiple profiles for a single user?
No. Each user must be associated with only one group (profile) at a time.
How to change the permissions of an SSO user?
It depends on the change you want to make to the SSO user:
Groups are defined in the IdP:
Viewer
Analyst
Expert
Manager
Custom
Permissions are defined on the platform by Managers only
Access to features (for Custom users only)
Access to Assets
Access to Workspaces and Ticket types
When accessing via SSO, it is necessary to click on the “Login with SSO” button, and then an e-mail will be sent with the link to access via IdP. Will access via SSO always be this way, via a link sent in the e-mail? Or does it only have to be this way for the first login?
We have implemented a cookie in the browser so that for 30 days the user does not need to access the e-mail again. After this period or if the user clears the cache, the flow should start again. This flow is a security measure to prevent it from being possible to find out who Axur's customers/users are by brute force.
If you have any questions, feel free to reach out at [email protected] 😊