SSO: single sign-on use and set-up

Single Sign-On (SSO) enables convenient access to the Assessio platform using your organization's SSO credentials, eliminating the need for separate usernames and passwords. Simply use your organization’s unique SSO name or the provided link to access the Assessio Dashboard directly when signing in.

SSO facilitates easier access but requires an initial setup across your organization. During the first sign-in using SSO, users will be required to link their organizational account to their Assessio account by following the displayed instructions. Once linked, users can seamlessly access the platform without needing to sign in again. Organizations can decide whether to retain traditional username and password logins alongside SSO.

 

Start using SSO as a user

Single Sign-On (SSO) allows for easy access to the Assessio platform either by initiating the login process directly on the Assessio site (SP-initiated) or through your organization’s Identity Provider portal (IdP-initiated).

SP-Initiated Login

1. Visit the Assessio Platform: Navigate to Assessio.online.
2. Select SSO Login: On the sign-in page, choose “Sign in via SSO” at the bottom.

   

3. Enter SSO Name: Provide your organization’s SSO name. This is the SSO Alias that your organization has chosen for this purpose, most often this will be the name of your organization. If you are unsure of the SSO name, ask the Assessio contact person within your own organization.

   

4. Complete Sign-In: Click “Continue”. If this is your first time signing in with SSO, you will be asked to approve account linking. You will see a page indicating that an email has been sent. Follow the instructions in the email to approve the linking and access your Dashboard.

IdP-Initiated Login

1. Access via IdP Portal: Go to your Identity Provider’s app portal and select the Assessio icon.
2. Automatic Login: You will be authenticated automatically by your IdP and redirected to your Assessio Dashboard. For the first login, you will be asked to approve account linking. You will see a page indicating that an email has been sent to confirm account linking, as described in the SP-initiated login.

Both methods ensure a seamless transition into the Assessio platform without the need for repetitive logins, enhancing both security and user convenience. This setup requires initial configuration by your organization to establish linkages between Assessio and your chosen Identity Provider.

 

Set up Single sign-on for your organization

Your organization can set up SSO for all users if it already uses an Identity provider (IdP), such as Microsoft Azure or AWS Cognito. Below is a four-step process for setting up SSO, illustrated using Microsoft Azure AD as an example. However, similar processes apply when using other IdPs.

Setting up SSO

1. Request SSO from Assessio
2. Prepare SSO set-up for your organization
3. Fill in the SSO set-up form
4. Enable SSO (Assessio completes this step)

After SSO has been set up and enabled, each individual user will need to activate it once, to be able to use it for themselves. This last step of activating, or account linking, is described above; the first steps of setting up and enabling are each described in detail below, using Microsoft Azure AD as an example. We advise you to read through all steps before requesting SSO and to prepare for completing step 2 and 3, before initiating the set-up.

 

Step 1: Request SSO from Assessio

A request for SSO must come from the organization’s Assessio contact person, by email. And the request must be made directly to Assessio Support. Use the local Support email address for this:

-Netherlands: customersupport.nl@assessio.com

-Norway: info@assessio.no

-Sweden: support@assessio.se

Local support will create a ticket in the Assessio support system to enable SSO once all preparations of step 2 are completed.

 

Step 2: Prepare SSO set-up for your organization

To complete this step, you may need help from your organization's support or technical staff. Begin by defining your organization's SSO name, or SSO Alias. We recommend using the actual name of your organization as it should be easily recognizable and straightforward for users when initiating the login process using your identity provider (account linking). Ensure the SSO Alias is unique and URL safe, meaning it should contain only lowercase letters and cannot include special characters.

Using the SSO Alias that you have defined, complete the following 6 actions. Upon completion of these actions, you can move to step 3 of the set up process.

1. Create an Enterprise Application in Azure:
   • Create a new Enterprise application named "Assessio Platform."
   • Select "Integrate any other application you don't find in the gallery" (Non-gallery application).
   • In the application's overview, initiate setup by navigating to "Set up single sign-on" and selecting SAML as the single sign-on method.
2. Configure SAML Settings:
   • Identifier (Entity ID): Set this to https://auth.assessio.online/auth/realms/assessio.
   • Reply URL (Assertion Consumer Service URL): Replace “SSO-Alias” in the URL https://auth.assessio.online/auth/realms/assessio/broker/SSO-Alias/endpoint/clients/platform-saml with your chosen SSO Alias.
3. Attributes & Claims:
   • Set the Name identifier format to Email and configure the Source attribute to an email format (e.g. user.mail).
4. SAML Signing Certificate:
   • In the "SAML Signing Certificate" section, ensure to select "Sign SAML response and assertion."
   • Save the App Federation Metadata URL from this section. This URL contains all necessary SAML configuration details and should be provided to Assessio when completing the SSO setup form.
5. Redirect URL Configuration:
   • In Azure Active Directory > App registrations, allow an additional Redirect URL: https://auth.assessio.online/auth/realms/assessio/broker/SSO-Alias/endpoint. Replace “SSO-Alias” with your chosen SSO Alias.
6. Application Properties:
   • Change "Assignment required" to NO, or assign specific users as needed.
   • Set “Visible to users” to YES, if you want users to be able to use IdP-Initiated login (see above).

 

Step 3: Fill in the SSO set-up form

Your organization’s Assessio contact needs to fill in the SSO set-up form. Click the link to open the online form: SSO set-up form

The following information is required:

• Organization name
• Name of Assessio contact at organization
• Email address of Assessio contact
• Name of Account manager of organization at Assessio
• Chosen SSO Name (SSO Alias)
• App Federation Metadata URL
• Disable username login after successful setup (Yes / No)
• Additional comments, if needed

 Once you click on “submit” in the form, all provided information is sent to Assessio support. The information is used by Assessio support to complete step 4. The information is stored as long as the SSO remains enabled.

 

Step 4: Enable SSO

Assessio support will attempt to complete step 4 no more than two weeks after receiving the ticket to set up SSO for your organization. This will only be successful if step 2 and 3 are performed correctly. SSO will first be enabled without disabling the option to log in using username and password. If the SSO Set-up form indicates that username login should be disabled, this will only be done after confirming that SSO was set up successfully for your organization; your organization’s Assessio contact person will need to confirm this by email to the Account manager from Assessio, or directly to Support. Should SSO not be enabled two weeks after requesting it, contact your local Support directly.

 

Add new users to an organization that uses SSO

Setting up SSO applies to all users in the platform at the time of setup. New users are not automatically created by attempting to log in with SSO, but first need to be added from within the Assessio platform. In order to add new users, a person with the Recruitment admin role or Owner role needs to add them via the People page. Make sure the email address of these new users matches the one used in the Identity provider (IdP) of the organization.