For firms that wish to give their users a simplified login experience, PensionPro offers the option to enable Single Sign-On (SSO) authentication. This feature uses Security Assertion Markup Language (SAML) to let users access PensionPro applications with their firm-managed identity credentials.
Implementing Single Sign-On is a highly technical process and requires consultation with the firm's Network Administrator.
Tier Availability: Business Bundle
- Security Rights
- Enabling SSO
- Using Single Sign-On
- Single Sign-On and Multi-Factor Authentication
The following Security Rights facilitate the Single Sign-On feature:
- Manage Single Sign-On: Allows the user to manage SSO settings.
- Secure Sign-On Exempt: Allows the user to log in using their PensionPro credentials, as opposed to logging in via the firm's identity provider.
Note: For a number of reasons, the above Security Rights are not provided to the System Administrator Security Role. These Rights must be assigned to a new Security Role, or assigned directly to an Employee. For this reason, PensionPro recommends creating a Super Admin/"Break Glass" account for the purpose of managing SSO. This account also acts as a failsafe method to access PensionPro should any issue prevent SSO from operating as intended.
To create a "Break Glass" account, add a new employee, then assign it ONLY the following Security Rights:
- Add/Edit Employee
- Manage Single Sign-On
- Secure Sign-On Exempt
- Security Management
Additionally, PensionPro recommends:
- Using an exceptionally strong password
- Turning on Multi-Factor Authentication for this account
- Keeping this account enabled (active)
For more information on Security Rights, refer to the article Security Rights & Security Roles.
Single Sign-On must be configured in two places before it can be used: the firm's identity provider, and PensionPro.
Before SSO can be configured in PensionPro, it must first be configured within the firm's identity provider. The following instructions assume that Azure Active Directory is being used as the identity provider; configuration details for alternate services are not available at this time.
Basic SAML Configuration
This section requires the following values:
- Entity ID: https://app.pensionpro.com
- Reply URL: https://connections.pensionpro.com/release/SSO/AssertionConsumerService
Attributes & Claims
Select Add New Claim and provide the following values:
- Name: PensionProUserName
- Namespace: https://www.pensionpro.com
- Source: Attribute
- Source attribute: Must be set to the Azure Active Directory user attribute that maps to the user's existing PensionPro username.
  - This attribute must be created for all users; any user without this attribute will not be able to access PensionPro unless they are assigned the Single Sign-On Exempt Security Right.
Note the SAML Thumbprint and save it for later; it will be necessary for PensionPro configuration. This Thumbprint is a unique identifier and should be kept secret. Do not share the Thumbprint or store it in an insecure location.
Note the Login URL that is provided and save it for later; it will be necessary for PensionPro configuration.
Set Up PensionPro
Security Rights Required: Maintenance, Manage Single Sign-On
Single Sign-On preferences can be found by selecting Maintenance > Preferences > PensionPro, then expanding the General view list and selecting Single Sign-On.
To enable Single Sign-On for all non-exempt users:
- Hover over Enable Single Sign-On, then select Edit on the right.
- Change the value in the dropdown to Yes.
- Select Save.
To prevent a total lockout scenario, SSO cannot be enabled until both the Manage Single Sign-On and Single Sign-On Exempt Security Rights are applied to at least one user in the system. If these Rights are not assigned properly, attempting to enable SSO will result in the following error:
The following settings must also be configured before SSO will function properly. Due to their technical nature, these settings must be configured by a firm's IT team; PensionPro can only provide limited support for these items:
- Identity Provider Sign-In URL: This URL should be supplied by the firm's identity provider.
- SAML Thumbprint: The thumbprint of the unique SSO signing certificate issued by the identity provider, noted during identity provider setup.
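As an added example that is not part of this article or of PensionPro's own code, the following Python shows what a SAML service provider does with the values configured in the identity provider steps and entered in the settings above (Entity ID, Reply URL, the PensionProUserName claim, and the SAML Thumbprint) when an assertion arrives. It assumes the identity provider emits the claim Name as the namespace joined to the claim name with a slash, uses constructed placeholder bytes in place of a real certificate, and pins the certificate by thumbprint only, without verifying the XML signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Values from the article's Basic SAML Configuration and Attributes & Claims steps.
ENTITY_ID = "https://app.pensionpro.com"
REPLY_URL = "https://connections.pensionpro.com/release/SSO/AssertionConsumerService"
# Assumption: the identity provider emits the claim Name as namespace + "/" + claim name.
USERNAME_ATTR = "https://www.pensionpro.com/PensionProUserName"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for a DER certificate; not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
# Constructed, unsigned SAML Response carrying only the fields the checks below read.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{REPLY_URL}">
  <saml:Assertion>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{USERNAME_ATTR}">
      <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

def cert_thumbprint(cert_b64: str) -> str:
    """SHA-1 fingerprint of the DER certificate as upper-case hex, the form IdP portals show."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()

def check_response(xml_text: str, expected_thumbprint: str) -> dict:
    """Run the checks the four configured values exist for. This pins the signing certificate
    by thumbprint but does NOT verify the XML signature; a real service provider must also
    verify the signature with a SAML library before trusting any of these fields."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    cert = (assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or "").strip()
    username = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == USERNAME_ATTR:  # the claim that maps to the PensionPro username
            username = attr.findtext("saml:AttributeValue", namespaces=NS)
    want = expected_thumbprint.replace(" ", "").replace(":", "").upper()
    return {"destination_ok": root.get("Destination") == REPLY_URL,  # Reply URL must match
            "audience_ok": audience == ENTITY_ID,                    # Entity ID must match
            "thumbprint_ok": bool(cert) and cert_thumbprint(cert) == want,
            "username": username}  # None: no claim, so the user cannot log in unless SSO-exempt
```

A missing `username` is the lockout case the article warns about: the assertion is otherwise valid, but no claim maps to a PensionPro account.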
Using Single Sign-On
When SSO is enabled, a non-exempt user attempting to log in to PensionPro is only required to enter the username associated with their account. If the username is valid, tabbing or clicking out of the Username field will gray out the Password field, and the Log In button will change to read Single Sign-On. At this point, selecting the Single Sign-On button will log the user into PensionPro.
Single Sign-On and Multi-Factor Authentication
If Multi-Factor Authentication (MFA) is enabled for PensionPro users, introducing SSO will turn off all MFA functionality for these users until SSO is disabled. If MFA is desired, PensionPro recommends utilizing the MFA settings offered by the firm's identity provider, which will integrate more effectively with SSO security.
Users with the Single Sign-On Exempt Security Right will remain governed by PensionPro's MFA settings, and will not use MFA established by the identity provider.