• Federated SSO is a paid add-on. Please contact your Actionstep account manager to learn more about how you can access this functionality.
• Federated SSO should only be configured by the firm’s IT or Identity & Access Management (IAM) team. This setup requires administrative access to the firm’s identity provider and has firm-wide security implications. As such, individual users or non-IT staff should not attempt to complete these instructions.
Federated single sign-on (SSO) is an authentication approach that allows your users to sign in to multiple applications (like Actionstep) using a single, trusted identity managed by an external identity provider. Instead of Actionstep storing and validating usernames and passwords, Actionstep relies on the identity provider to verify the user and securely pass along proof of authentication. This helps reduce password fatigue for users, improves security through centralized identity controls (like MFA and access policies), and simplifies administration by allowing access to be managed in one place rather than separately for each application.
Specifically:
- Firm admins can add Actionstep to their registry of approved federated apps and manage their configuration within Actionstep.
- Actionstep can detect active sign-ins from the federated ecosystem of apps.
- Admins can also restrict access based on conditional sign-in and device-management policy violations.
- Federated SSO is SAML 2.0-compliant.
Once federated SSO has been set up for your firm, the Actionstep Sign-in page will include a new option for users to sign in to the system.
If users attempt to use a username/password or the Microsoft or Google options, they will be reminded to sign in using federated SSO.
Enabling Federated SSO for Use
To beta test federated SSO, you must first enable it.
To enable federated SSO:
- In Actionstep, go to Admin > General settings.
- In the Feature Preview section, toggle the following settings to on:
  - Enforce MFA and SSO
  - Federated SSO
- Click Save to save your changes.
Setting Up Federated Single Sign-On for Your Users
To set up federated SSO, your firm’s IT or Identity & Access Management (IAM) team must complete three required parts:
- Part 1: Adding and Validating Your Domain(s)
- Part 2: Configuring SAML 2.0
- Part 3: Enabling Federated SSO for Your Users
These steps ensure secure, firm-wide authentication and should be completed in order.
Part 1: Adding and Validating Your Domain(s)
A domain is what links a user’s email address to the correct identity provider and determines who is responsible for authenticating that user. You can set up as many domains as needed.
To do this:
- In Actionstep Practice Management, go to Admin > Users & permissions. The Users & Permissions page appears.
- Click Authentication Settings on the right side of the page. The Authentication Settings page appears.
- Click Federated Settings from the options on the left.
- In the Your domains section of the page, click Add a domain. The Add a Domain window appears.
- Enter your domain in the Domain field. Your domain is added to the list.
- Click Verify Domain. The Verify Your Organization Domain page appears on a new browser tab.
- Enter the domain you added in Step 5 in the field and click Continue. The Add DNS Records for [Domain] page appears.
- Follow the on-screen prompts to sign in to your AWS console and create the DNS record.
Once the record is verified, the Domain Verified page will be displayed.
- Click Back to Actionstep. This page will be closed and you will be returned to Actionstep. The domain will be listed as Verified on the Federated Settings page.
- Continue to Part 2 to set up SAML 2.0 (if it’s not already set up for your system).
Part 2: Configuring SAML 2.0
Once you have at least one domain validated, you can configure SAML 2.0, which is a standard for authentication that allows users to sign in using credentials managed by another system. In short, it allows your firm's identity provider (like Azure AD or Okta) to verify user identity without the application seeing passwords.
To complete these instructions, you will need to have access to your identity provider’s admin center.
To do this:
- Make sure you’re viewing the Admin > Users & permissions > Authentication settings > Federated Settings page and that you’ve added and validated your domain, as described in Part 1.
- In the SAML connection section, click Connect. The Select Your Identity Provider page appears on a new browser tab.
- In the Find your provider list, select your identity provider. A multi-step walkthrough for your provider is displayed.
- Using the instructions on the page, follow the on-screen prompts to complete the setup. This will require you to work concurrently in your provider’s admin center.
Once SAML is connected, the indicator in the SAML connection section is updated to indicate this. (You can click Change to make any updates to the connection.)
- Continue to Part 3 to enable federated SSO for users at your firm.
Part 3: Enabling Federated SSO for Your Users
Once domains are verified and SAML 2.0 has been configured, you can enable the sign-in protocol for your users.
To do this:
- Ensure you've set up and verified a domain as described in Part 1 and configured SAML 2.0 as described in Part 2.
- Go to Admin > Users & permissions > Authentication settings. The Authentication Settings page appears.
- Click Core Settings on the left side of the page.
- Toggle Enable Single Sign-On (SSO) to on.
- Click the Preferred SSO Provider drop-down list and choose Federated SSO.
- Click Save to save your changes.
Related Articles:
- Signing in with Microsoft or Google Single Sign-On (SSO)
- Enforcing Multi-Factor Authentication or Single Sign-On for Users (Admin)