Single Sign-On

R-Service can be configured to use an organization’s existing identity provider (such as Microsoft Active Directory, Microsoft Azure B2C, OneLogin, the Okta Application Network, etc.) instead of R-Service’s own authentication mechanism to determine whether a user should be able to access R-Service.

By using an existing identity provider, the organization’s R-Service users (including the end-users who need to be able to use Self Service) will not require a separate password to access R-Service.

SSO Protocol

The following single sign-on protocols are supported:

Using the SSO Configuration of the Directory Account

Support domain accounts are able to use the single sign-on configuration of their directory account. After SSO has been enabled in a directory account, the checkbox ‘Login using SSO configuration of directory account’ becomes available.

SSO Configuration of Directory Account

Checking this box hides all SSO protocol-specific sections. The values for these fields are obtained from the directory account when this feature is in use.

Multiple Identity Providers

When some users are sourced from a different identity provider, R-Service offers the possibility to add multiple SSO Configurations. By default, users are redirected to the Primary SSO Configuration on login. Alternative SSO Configurations are accessible through a special Login URL. This URL contains a reference that you can define in the SSO Configuration form when multiple SSO Configurations are defined.

Debugging

If SSO has been enabled for an R-Service account, but it does not appear to work, then the account owner can access R-Service again by adding /access/normal to the URL of the R-Service account. Once the owner is back in R-Service, the System Logs section of the Settings Console can provide some useful information about why SSO is not working. Whenever there has been an authentication failure, an entry will have been added to the log with an explanation of what went wrong.

Authentication Log

Also keep in mind that the clocks of the identity provider's servers need to be synchronized. If a clock is more than 2 seconds out of sync, the response from the identity provider will not be accepted by R-Service.

If SAML is the protocol used, then another useful source of information is the SAML metadata.
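To diagnose the clock requirement above when SAML is in use, the timestamps in a captured SAML response can be compared with a reference clock. The following is an added example, not R-Service code: the function names and the sample response are constructed for illustration, and it assumes that the rejection is based on the standard SAML 2.0 attributes IssueInstant, NotBefore and NotOnOrAfter, which this page does not state.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_SKEW = timedelta(seconds=2)  # tolerance stated on this page

# Constructed sample, not captured from a real identity provider.
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:05Z">
    <saml:Conditions NotBefore="2024-05-01T12:00:05Z"
                     NotOnOrAfter="2024-05-01T12:05:05Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime; a value without an offset is treated as UTC."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_clock(response_xml, now):
    """Return findings; an empty list means every timestamp fits within MAX_SKEW."""
    # Assumption: the service provider compares these attributes with its own
    # clock. This only inspects timestamps; signatures are not verified here.
    assertions = list(ET.fromstring(response_xml).iter(f"{{{ASSERTION_NS}}}Assertion"))
    if not assertions:
        return ["no plaintext Assertion found (it may be encrypted)"]
    findings = []
    for assertion in assertions:
        issued = parse_instant(assertion.get("IssueInstant"))
        if issued - now > MAX_SKEW:
            ahead = (issued - now).total_seconds()
            findings.append(f"IssueInstant is {ahead:.0f}s ahead of the reference clock")
        cond = assertion.find(f"{{{ASSERTION_NS}}}Conditions")
        if cond is None:
            continue
        if cond.get("NotBefore") and parse_instant(cond.get("NotBefore")) - now > MAX_SKEW:
            findings.append("NotBefore is in the future: identity provider clock is ahead")
        if cond.get("NotOnOrAfter") and now - parse_instant(cond.get("NotOnOrAfter")) >= MAX_SKEW:
            findings.append("NotOnOrAfter has passed: response is stale or clocks differ")
    return findings
```

Pass the decoded response XML and the current UTC time, for example `check_clock(xml_text, datetime.now(timezone.utc))`, on a host whose clock is known to be synchronized.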