Single Sign-On Best Practices
Overview
Consider the following conditions and best practices when implementing and using Single Sign-On (SSO) to access Aria.
Setup and Login
- Aria supports only version 2.0 of the SAML protocol.
- Aria supports at most one IdP per client at a given time. However, the same IdP may be used to connect to multiple Aria clients.
- SSO permits users with role levels from 0 to 9 to log in through an external IdP. If the user has an Aria Administrator role level, then Aria requires the user to log in using the default Aria login screen.
Using Aria with SSO
- SSO users cannot modify their Aria application login credentials within the User Profile section of Aria. However, these users can still access their Aria User Profile to update the following information:
  - First Name
  - Last Name
- Aria’s application time-out function applies to SSO users. By default, if the Aria application times out, which occurs after a maximum of 15 minutes of inactivity, the user is redirected to the IdP’s SSO portal, where they must log in again before regaining access to Aria. However, whether the user is required to log in again, rather than being logged back in automatically, depends entirely on each implementation of SSO.
- Admin users who require access to multiple clients may access these clients in Aria without being prompted to log in again, provided that these clients are linked to the same IdP that was used during sign-on. Exceptions to this rule are as follows:
  - If an Admin user logs into Aria using Aria’s standard (non-SSO) IdP, the user may access multiple clients without being prompted to log in again.
  - If an Admin user is logged in and then attempts to access a client that is not linked to the same IdP, the user is prompted to log in using Aria’s standard (non-SSO) IdP.
  - If an Admin user is logged in and then attempts to access a client that is linked to a different IdP, Aria automatically redirects the user to log in using the new IdP.
- A user belonging to “Client A” cannot log in to “Client B” in Aria using the external IdP for “Client A.”
Single Logout
- Aria supports single logout from a non-Aria IdP.
- If a user has two instances of Aria running and chooses to log out of one of these instances, Aria automatically redirects the user to the SSO portal to enter their SSO credentials. The SSO credentials must be re-entered and validated in order to regain access to Aria. This applies only when single logout is implemented.
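
The SAML 2.0-only requirement under Setup and Login and the single logout behavior above can both be checked against an IdP's published metadata before it is linked to a client. The following is an added example, not Aria code: it assumes the IdP publishes standard SAML 2.0 metadata, and the function name, the `idp.example.test` hosts and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a SAML 2.0 IdP with SSO and single logout endpoints.
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: a SAML 1.1-only IdP, no single logout, plain-http endpoint.
LEGACY_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://old-idp.example.test/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="http://old-idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return a list of problems found in SAML IdP metadata (empty list = OK)."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD or entity declaration; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]
    idps = list(root.iter(f"{{{MD_NS}}}IDPSSODescriptor"))
    if not idps:
        return ["no IDPSSODescriptor element: this is not IdP metadata"]
    problems = []
    for idp in idps:
        protocols = idp.get("protocolSupportEnumeration", "").split()
        if SAML2_PROTOCOL not in protocols:
            problems.append(f"IdP does not advertise SAML 2.0 (found: {protocols})")
        sso = idp.findall(f"{{{MD_NS}}}SingleSignOnService")
        slo = idp.findall(f"{{{MD_NS}}}SingleLogoutService")
        if not sso:
            problems.append("no SingleSignOnService endpoint")
        if not slo:
            problems.append("no SingleLogoutService endpoint: single logout unavailable")
        for ep in sso + slo:  # added hygiene check, not a requirement stated on this page
            if not ep.get("Location", "").lower().startswith("https://"):
                problems.append(f"{ep.tag.split('}')[1]} Location is not https")
    return problems
```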