Onboarding with SSO

For companies using single sign-on (SSO) with Bravura Safe, user accounts can be provisioned 'just in time' (in other words, while they are joining an enterprise Team).

This feature may be turned on before or after onboarding. In either case:

  • Implement SAML 2.0 configuration

    • Create an enterprise Team identifier

    • Enable single sign-on

    • Configure a service provider

    • (Optional) Require single sign-on authentication

  • If your company uses enterprise SSO and enforces multi-factor authentication through your Identity Provider (IdP), Bravura Security recommends not additionally enforcing enterprise two-step login within Bravura Safe. This streamlines the login process for users.

  • Individual member two-step login will still apply if the user has configured it, unless the Bypass personal two-step login when using SSO policy is enabled (which skips this step).

See Configuring login with SSO for configuration details.

The user experience when joining an enterprise Team differs based on whether:

  • They receive an invitation

  • They have an existing Bravura Safe account

The user experience when SSO is activated on the Enterprise Team before users are invited to the Enterprise Team:

  1. User receives email to join the Enterprise Team;

    OR

    Is provided with a link to open from a web browser, desktop, or mobile application.

  2. User clicks the link and must tap Log in (instead of the typical Create account option).

    Caution

    This can be tricky for user education. Selecting the Create account option gets users stuck in a loop that is unintuitive to exit and may result in help desk calls.

  3. User enters their email address and selects the option for Enterprise single sign-on.

  4. User is prompted to enter their SSO identifier.

    This is another step where user education is important; bookmarking the login page with the SSO identifier included as a query string is recommended so users do not have to enter it each time.

  5. User is redirected to their chosen Identity Provider (IdP), where they authenticate as normal to that provider.

    This should include the IdP's standard multi-factor authentication.

  6. The user is prompted to create a master password for their Bravura Safe account and successfully logs in. This login triggers acceptance of the invitation to join the Enterprise Team.

  7. Team owner receives email that the user has accepted the invitation. The Team owner logs into Bravura Safe and confirms the user.

  8. User receives email their access has been confirmed. They follow the email link to log into Bravura Safe.

    • The login process includes entering their email address, selecting Enterprise single sign-on, entering the SSO identifier, authenticating to the IdP and entering their Master password.

    • The "Require single sign-on authentication" policy must be enabled to prevent users from signing in using only their "Master password".

  9. The user is now logged in to Bravura Safe and can see all Enterprise Team items shared with them.

See the instructions for users to join an Enterprise Team and create an account with SSO.

The user experience when SSO is activated on the Enterprise Team after users have created their Bravura Safe accounts and joined the Enterprise Team:

During onboarding, the user experience is the same as manual onboarding.

After onboarding:

  1. The product administrator activates SSO authentication on the Enterprise Team and asks users to link their existing Bravura Safe account to SSO to use it for authentication.

    This requires user education. The task itself is not difficult, but getting everyone to do it would take administrative effort.

  2. To link their account to SSO, the user:

    1. Logs in to Bravura Safe to the Enterprise Team.

    2. Selects Options > Link SSO.

    3. Is directed to log in to their IdP; their account is linked upon successful IdP authentication.

  3. Subsequent logins to Bravura Safe allow users to use Enterprise Single Sign-on.

See the instructions for users to link their Bravura Safe accounts to SSO.