This article is intended for administrators.
- 🗒 Instructions by service
- 💻 Generic instructions
- ❌ Deactivation of SSO for specific employees
- 🙋🏽 Q&A
Single Sign-On (SSO) allows you to use your usual login method to log into Elevo. This means your users don't need a new password for Elevo and can log in seamlessly.
⚠️ Single sign-on is a different feature from user synchronization. Only users added to Elevo will be able to log in using single sign-on.
Elevo supports single sign-on with all identity services using the SAML 2.0 protocol (e.g. Google Workspace, Microsoft Azure Active Directory, Auth0, Okta, OneLogin, etc.).
🗒 Instructions by service
Below are the set-up instructions for the main suppliers:
💻 Generic instructions
If your service is not listed above, follow these instructions.
1️⃣ Contact support@elevo.io, who will provide you with the following information:
- ACS Dedicated URL
2️⃣ Using this information, create a SAML 2.0 access on your identity service with the following settings:
- Service name: Elevo
- ACS URL: provided by Elevo Support
- Entity ID: https://app.elevo.fr/sp
- Name identifier: choose email
- If you can put a logo: here is the file
3️⃣ Send the information provided by your identity service back to support@elevo.io. Most of the time, it is an XML file containing the necessary metadata.
4️⃣ For some identity services it is necessary to authorize your users on the new SAML 2.0 access you created in step 2.
💡 Please note that we currently do not offer two-factor authentication (2FA). However, once SSO is enabled, it may be possible to enable 2FA directly through the provider if they offer it.
❌ Deactivation of SSO for specific employees
For even more flexibility in managing your employees, it is now possible to deactivate SSO for one or more employees individually. They will then have to log in by creating a password.
To do this, go to Directory > Affected employee and set the SSO field to "Yes" or "No". It is also possible to synchronize this field via SFTP (Synchronize users via SFTP) or during a manual import (Add, import or update users).
Use case ➡️ Users with multiple email addresses or other email addresses that are incompatible with the SSO connection.
💡 Please note that external users always have the use_sso value set to "No" → they cannot log in via SSO and have to use their email or username + set a password.
🙋🏽 Q&A
➡️ Is my Identity Provider supported? What version of Active Directory is supported?
Any Identity Provider that uses SAML 2 will be able to interface with Elevo.
➡️ How do I filter people for access on the Identity Provider side? Should I create an AD group, a Business unit, etc.?
Elevo uses SAML only for authentication. Authorization is managed through the application itself, either manually, through an integration with your HRIS's API, or through an SFTP connection. In particular, we don't provision user accounts on the fly through SAML. As a result, you can always narrow down the list of users authorized to log in on your end, but this is not required.
➡️ Do you have a staging environment to test the interfacing?
We have multiple ways to test the SAML connection before enabling it for everyone in production:
- Test on a subset of users in your live organization
- Provision a test organization on our production environment
The type of test that best suits you will be discussed and chosen by our Customer Success team to best fit your situation.