Learn how to configure Single Sign-On (SSO) for Voice Assure, using SAML to securely verify user credentials by connecting Service Providers (SPs) with Identity Providers (IdPs).
Simplified Explanation of SAML and SSO
SAML (Security Assertion Markup Language) is a standard protocol that powers Single Sign-On (SSO) authentication. While SSO allows users to log in to multiple accounts with one set of credentials, SAML acts as the "rulebook" for securely handling these login requests.
Example in Action:
In this example, Auth0 is the Identity Provider (IdP) that TestCustomer uses, and Voice Assure is the Service Provider (SP).
- A TestCustomer employee signs into their dashboard using Auth0.
- When they visit testcustomer.spearline.com, Voice Assure detects that the user wants to log in via SAML.
- Voice Assure sends a SAML Request to Auth0, asking it to authenticate the user.
- Since the employee is already authenticated with Auth0, Auth0 verifies the session and sends back a SAML Response.
- Voice Assure validates the response, and if it checks out, the employee is granted access to the platform.
This flow ensures secure and seamless access via the trusted relationship between Auth0 and Voice Assure.
How SAML and the Trusted Relationship Work
- Identity Provider (IdP): Authenticates the user and sends a SAML assertion (containing identity and authorization details) to Voice Assure via the Assertion Consumer Service (ACS) endpoint.
- Assertion Consumer Service (ACS): Processes and validates the SAML assertion to confirm its authenticity and integrity.
- Voice Assure (SP): Trusts the IdP (via the ACS) and grants the user access to the requested resource based on the assertion.
The ACS acts as the secure bridge between the IdP and Voice Assure, ensuring the trusted relationship is maintained and enabling secure, seamless SSO.
Steps to Configure SSO
- Customers using APIs must provide a list of API user accounts that will interact with the platform to ensure compatibility.
- The email attribute containing the user's email address must be included in the attributes received from the IdP.
  Tip: Cyara requests that you name the attribute emailaddress, email, or mail. This email will then serve as the user ID in Voice Assure.
- Customers must complete their SSO configuration and submit the IdP Metadata XML file, along with the list of API user accounts (if applicable), to Voice Assure Support.
  Tip: When opening the ticket with Support, please include a note explaining that you are requesting SSO to be configured for your company and that you are providing the details requested in this article.
- Support will then open a ticket and forward the information to the Engineering Team for SSO setup.
- The Engineering Team will complete the configuration and provide the updated SP Metadata file to Voice Assure Support.
- Support will send the updated SP Metadata file back to the customer for testing.
- Customers test the login to confirm that SSO is functioning correctly. Once verified, Cyara can disable legacy login, ensuring users can log in only via SSO and not with a username and password.
- Once Cyara has disabled legacy login, the SSO setup is complete.
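Before submitting the IdP Metadata, it helps to confirm that a test login from your IdP actually releases the email attribute under one of the requested names. The following is an added example, not Cyara's code: it inspects an unencrypted SAML Response and reports whether emailaddress, email, or mail is present with a value. The sample responses are constructed, and the exact, case-insensitive match on the attribute's Name is an assumption, since this article does not say how Voice Assure matches names.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCEPTED = {"emailaddress", "email", "mail"}  # names the article asks for

# Constructed sample responses (not captured from any real IdP).
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion><saml:AttributeStatement>')
TAIL = "</saml:AttributeStatement></saml:Assertion></samlp:Response>"

def attr_xml(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            '</saml:AttributeValue></saml:Attribute>')

SAMPLE_OK = (HEAD + attr_xml("displayName", "Test User")
             + attr_xml("email", "user@testcustomer.example") + TAIL)
# Many IdPs default to URI-style claim names, which differ from the requested names.
URI_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SAMPLE_URI = HEAD + attr_xml(URI_NAME, "user@testcustomer.example") + TAIL

def check_email_attribute(response_xml):
    """Report whether a requested email attribute is present and non-empty.

    Configuration check only: it does not verify the signature or conditions.
    """
    root = ET.fromstring(response_xml)
    attrs = list(root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS))
    seen = [a.get("Name", "") for a in attrs]
    empty = None
    for a in attrs:
        name = a.get("Name", "")
        if name.lower() not in ACCEPTED:  # assumption: exact, case-insensitive
            continue
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        values = [v for v in values if v]
        if values:
            return {"status": "ok", "name": name, "value": values[0], "seen": seen}
        empty = empty or name
    status = "empty" if empty else "missing"
    return {"status": status, "name": empty, "value": None, "seen": seen}

def check_encoded(b64_response):
    """Accept the base64 SAMLResponse form field as posted to the ACS."""
    return check_email_attribute(base64.b64decode(b64_response).decode("utf-8"))

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("uri", SAMPLE_URI)):
        print(label, check_email_attribute(doc))
```

When the status is missing, the seen list shows which attribute names the IdP did send, which is usually enough to find the claim mapping that needs renaming.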
SAML Flow
After implementation the final SAML flow will be as follows:
- Cyara creates an ACS instance formatted as https://[customer].spearline.com, where [customer] is replaced with a unique name chosen by the customer.
- Users access the ACS domain and are redirected to the company’s SSO portal for authentication.
- After successful login, users are redirected back to Voice Assure, which retrieves their email address from the SSO portal.
  Restriction: If the user's email doesn’t exist in the Platform, the login attempt will be rejected.
Important things to Note
- SSO does not work for APIs
- Existing users already on the Platform will automatically log in via SSO once configured.
- New users must be manually added by the customer before their SSO login will work.
- No welcome email is sent when a new user is created.