For organisations that require Single sign-on (SSO), EvaluAgent can be configured to work with your SAML2 compatible identity provider such as;
- Azure Active Directory (Azure AD)
Once your SAML provider has been configured you will have full control over which users must authenticate using SSO and which may continue to use a password-based login.
By following the navigation prompt, you'll be directed to the following screen
From here you can choose a Default Authentication Method. The option are:
- Password Logon - allow users to logon with a password and don't enforce SSO.
- SSO Providers - Any SSO Identity Providers you add will appear in this list. You can choose one of these to act as the default.
Create a new Identity Provider
You will see an option to "Add SSO SAML2 Provider" - Click this button and enter a descriptive name for your Identity Provider, i.e OneLogin, Azure AD, OKTA, etc. Once you've done that, press the "Create Provider" option and it will now appear in the table.
To set up SSO in your Identity Provider (IDP), you will need to access the Configuration Settings in EvaluAgent. By clicking the View button alongside your newly created Identity Provider, this will present the Saml provider configuration settings that you will need to enter into your IDP in order to allow EvaluAgent to authenticate users against your directory.
Attributes / Claims
You will also need to configure your SAML provider to send an attribute named 'email' that we use to identify each user.
The claim should be called `email` and its value should be an attribute of `user.mail`. An example of this configuration in Azure AD is shown below;
Please Note: When setting up the `email` Attribute/Claim on Azure AD the namespace field should be left completely empty.
Once your directory is configured, you will need to add its Identity Provider settings into EvaluAgent. Click the ‘Edit’ button alongside the provider that you added earlier, and you should see the following form.
This form must be populated with the settings that originate from your Identity Provider. Once this is done you can press ‘Update provider’ and your SSO provider should be ready to use.
Testing Single Sign-On
Before switching all users in your organisation to your newly configured SSO provider, we recommend testing that all of the necessary configurations have been carried out correctly by assigning the SSO authentication method to a single user.
To do this, you will need to access the User Management menu from the Navigation bar and then click on the option Add & Edit Users. Then, find a user that you would like to use for testing, and then click the Edit button next to their name. Change this user’s ‘Authentication method’ to the new SSO provider then click ‘Update user’.
Note that only SSO providers that have been fully configured will appear in this list, so if you do not see your new provider then please go back and check that all settings have been entered correctly.
This user should now be able to sign in to Evaluate using your SSO sign-in flow.
Use SSO as the default method of authentication
Once you’re happy that SSO has been configured correctly, you can now set it to be used as the default authentication method for your organisation. Navigate back to the Single sign-on tab on the Security settings page and change the ‘Default authentication method’ to your new SSO provider. This provider will then be used for new users that are created in the system, and you will be prompted whether existing users should be assigned this authentication method too.
It is recommended to do this if you would like most of your users to log in with SSO. The authentication method for individual users can be configured on the Users page as described earlier in the ‘Test single sign on’ instructions section.