Single Sign-on (SAML2) | Google and others

Single Sign-On (SSO)  - is a technology of unified access that significantly enhances security and allows for time savings in user management across various systems and applications that employ different company commands.

The "SSO" functionality can be connected separately. For pricing and activation, you can contact us at hurma.work/en/contacts/.

The ability to manage this option by default is available to users with the "Administrator" and "HR" roles.

Benefits of usage

1. Time savings: SSO reduces the time spent on logging into systems, as users can access multiple applications and services using a single account without the need for repeated entry of login credentials.

2. Security: One of the main issues is the reuse of identical passwords across different systems, increasing the risk of data breaches. SSO allows better control of access to systems and reduces the likelihood of information loss due to weak passwords or other authentication system vulnerabilities.

3. Enhanced security and access management: With SSO, there is more centralized access management to resources, simplifying administration and enhancing system security.

Let's consider the connection using Google Workspace as an example.

Connection in HURMA

Activation of the option occurs in the "Settings" - "SSO" section.

To activate, you need to select "SAML2" and fill in the corresponding fields (taken from the admin.google.com portal), upload the certificate, and then click on the "Save" button.

Connection to Google

To connect the option on the admin.google.com portal, you need to go to the "Apps" section, then "Web and mobile apps," and click on "Add custom SAML app."

After that, you need to:

1. fill in the "App name" field (optionally add a description and an application icon) and save it;

2. in the next block, you need to upload the metadata file and then upload it to HURMA;

3. in the "Service provider details" form, you need to add information for the "ACS URL" and "Entity ID" fields from the corresponding fields in HURMA - "Reply URL (Assertion Consumer Service URL)" and "Sign on URL";

4. then, in the next form, set the specified correspondences for the attributes and save the settings.

5. the final step is to enable the application in the "User access" section.

Authorization in HURMA

After connecting SSO and users navigating to the login page, they will only have access to authorization through SSO.

If a user logging into HURMA is an existing employee, their profile in HURMA remains unchanged, while their account in HURMA is linked to their Google account.

If a user logging into HURMA is a new employee and does not yet exist in the system, a new profile with the role of "Employee" is created in HURMA.