Integration Guides

Driver supports various enterprise SSO protocols.

Overview

Single sign-on (SSO) is a system that lets users log in to multiple applications with a single set of credentials.


How SSO works 

A user logs into an application using their SSO ID. This allows the user to be automatically signed into other connected applications, enabling access to multiple applications without needing to re-enter their credentials.


Benefits of SSO

  • Enhanced security: SSO can help enforce stronger password security policies and simplify the password reset process.

  • Enhanced user experience: SSO simplifies access to necessary applications.

  • Simplified password management: SSO can simplify the process of managing multiple usernames and passwords.


Driver Support for SSO

Driver supports various enterprise SSO protocols. This document will outline these protocols, define key terms to ensure clarity among all users, and suggest a preferred approach when no other specific customer requirements are provided.


Terminology

Protocols

  • OIDC (OpenID Connect): An open standard for authenticating and authorizing users built on OAuth 2.0.

  • SAML (Security Assertion Markup Language): An open standard that specifies how to exchange authentication and authorization data between parties.


Systems

  • Active Directory (AD): A directory service for managing users and resources on an organization's network. When used alone, this typically refers to an on-premises deployment that may not be accessible outside your network—this is where ADFS, Azure AD, and Entra ID come in (described next).

    • Active Directory Federation Services (ADFS): Software that enables single sign-on access to systems and applications across organizational boundaries. Organizations can expose their on-premises Active Directory to our service for SSO through ADFS, which supports both SAML and OIDC protocols.

    • Azure Active Directory: A cloud-based identity and access management service that your employees can use to access external resources.

    • Microsoft Entra ID (formerly Azure Active Directory): A cloud-based identity and access management service that your employees can use to access external resources.

  • Google Workspace: Business software system that also provides organizational user management.


Customer Requirements

Driver integrates with all the systems and protocols mentioned above. To determine which authentication system to use, we'll need to understand your requirements:

  1. Which SSO systems do you have available?

    1. Which of these systems can integrate with external SaaS providers?

    2. Which SSO system or directory contains the users who need to access Driver?

  2. Which protocol should we use with your chosen SSO system? While some systems dictate the protocol, others offer flexibility in this choice.

If your organization has no preference between OIDC and SAML, we recommend OIDC since it's Driver's native protocol.


Recommended OIDC Mechanism

OIDC connections work by sharing a connection metadata file and client ID (a string). The customer creates these and provides them to Driver. The file can be provided either by URL or as a JSON-formatted document.

  • Connection Metadata File: This is the .well-known/openid-configuration endpoint. Microsoft Entra ID instructions for locating the URL are located here.

  • Client ID: This is a string.

  • Channel Type: Choose one of

    • Front Channel (Uses response_mode=form_post and response_type=id_token)

    • Back Channel (response_type=code) Note: Back Channel requires an additional Client Secret

The only information that you need from Driver is the Callback URL: https://auth.driverai.com/login/callback
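
As an added example (not Driver's code), here is a pre-flight check a customer could run on their own connection metadata document before sending it, confirming that it advertises what the chosen Channel Type needs. The function name, the sample document and the idp.example.com host are assumptions; the field names come from OpenID Connect Discovery 1.0.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def check_metadata(meta, channel, client_secret=None, source_url=None):
    """Return a list of problems; an empty list means the document fits the channel."""
    problems = []
    issuer = meta.get("issuer", "")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    # OIDC Discovery: the issuer must be the prefix the document was fetched from.
    if source_url and source_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("issuer does not match the URL the document came from")
    for key in ("authorization_endpoint", "jwks_uri"):
        if urlsplit(meta.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    types = meta.get("response_types_supported", [])
    # response_modes_supported is optional; the spec default is query and fragment.
    modes = meta.get("response_modes_supported", ["query", "fragment"])
    if channel == "front":
        if "id_token" not in types:
            problems.append("response_type=id_token not advertised")
        if "form_post" not in modes:
            problems.append("response_mode=form_post not advertised")
        # Front Channel ID tokens pass through the browser, so they must be signed.
        algs = set(meta.get("id_token_signing_alg_values_supported", [])) - {"none"}
        if not algs:
            problems.append("no signed ID token algorithm advertised")
    elif channel == "back":
        if "code" not in types:
            problems.append("response_type=code not advertised")
        if urlsplit(meta.get("token_endpoint", "")).scheme != "https":
            problems.append("token_endpoint missing or not https")
        if not client_secret:
            problems.append("Back Channel requires a Client Secret")
    else:
        problems.append(f"unknown channel type: {channel!r}")
    return problems

# Constructed sample document (idp.example.com is a placeholder, not a real tenant).
SAMPLE = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "response_types_supported": ["code", "id_token"],
    "response_modes_supported": ["query", "fragment"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
```

With the constructed sample, the Front Channel check reports that form_post is not advertised, and the Back Channel check passes once a Client Secret is supplied.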


SAML Mechanisms

SAML connections can be configured in multiple ways depending on your system. If your system isn't listed here and you need SAML, contact your account representative for help with configuration.

Configuration names and fields may vary based on your system version. If you need additional fields configured on your end, please let us know.


ADFS

For ADFS SAML connections, customers must provide Driver with an ADFS Federation Metadata file. This can be either an XML metadata file or a URL that points to the XML file.

You will need the following information to configure SSO:

  • Callback URL: https://auth.driverai.com/login/callback

  • Entity ID: urn:auth0:driverai

  • Assertion Consumer Service Endpoint (Log in) URLs: https://auth.driverai.com/wsfed

  • Sign-on URL: https://app.driverai.com


Google Workspace

To set up OAuth 2.0 authentication, we require the following information:

  • Google Workspace Domain: Your organization's primary domain name used with Google Workspace (e.g., company.com)

  • Client ID: A unique identifier assigned by Google when you register your application in the Google Cloud Console

  • Client Secret: A confidential key provided by Google that helps secure the OAuth 2.0 flow between Driver and your Google Workspace

You will need the following information to configure SSO:

  • Application Type: Web Application

  • Authorized JavaScript origins: https://auth.driverai.com

  • Authorized redirect URIs: https://auth.driverai.com/login/callback


Other SSO Systems

Reach out to work with us directly. There is a good chance that we can support your needs.

Last Updated:

February 12, 2025

© 2024 Driver. All rights reserved.
