Configuring Single Sign-On authentication
Single Sign-On authentication is only supported for web stations. When starting up a station, users need to authenticate. Besides authenticating with their ABBYY FlexiCapture user name and password, users can also be authenticated through an external identity provider (e.g. Azure Active Directory integrated with your corporate Active Directory).
To use SSO authentication, you should first create and set up an application in the identity provider (for more details, see the Single Sign-On authentication section in the System Administrator’s Guide). After that you should set up the required parameters in ABBYY FlexiCapture. To do this:
- Launch the Administration and Monitoring Console.
Important! Only the ABBYY FlexiCapture administrator can add and configure Single Sign-On on the default tenant. On other tenants, Single Sign-On can be configured by tenant administrators.
- Go to Settings -> Single Sign-On.
- Click Add Configuration.
- In the dialog box that opens, specify the required parameters:
  - Name - the name of the external identity provider that will be contacted when the user clicks the Log in with… button.
  - Reference - the URL that will be used to access the server of the external identity provider.
  - Upload Image File - the path to the image that will be used for the new button (images in *.svg, *.jpg, and *.png formats are supported).
  - Upload Certificate File - the path to the public certificate.
- Click OK. The new configuration will be added to the list. If required, you can change it by clicking Edit.
Note: You can specify multiple identity providers.
As a result, the following button will appear on the station's login page: Log in with [IdP Name].
To be able to use ABBYY FlexiCapture, users should have appropriate permissions. For more information about accounts and permissions, see Managing user accounts and permissions.
Assigning groups by SSO
You can assign groups using SSO. This means that you can create groups in ABBYY FlexiCapture based on the groups in the identity provider (IdP). You can both add users to certain groups and update groups after they are changed in the IdP.
Important! Only the tenant administrator can assign groups. For the default tenant, only the ABBYY FlexiCapture administrator can change this setting.
To assign groups via SSO, go to Settings -> Single Sign-On and select the Assign groups by SSO option. After enabling this option, when creating a new group, specify the GUID of the corresponding IdP group in the External ID field. As a result, users from the IdP group with the specified External ID will be added to the ABBYY FlexiCapture group automatically when logging into FlexiCapture via SSO.
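Because membership follows the External ID automatically, it is worth reviewing those values before enabling the option. The script below is an added example, not part of ABBYY's documentation or product: it checks a hand-assembled list of FlexiCapture groups and their External IDs against a list of IdP group GUIDs. The input dictionaries, group names and GUIDs are all constructed assumptions.

```python
import uuid
from collections import defaultdict

# Constructed sample data: IdP group GUID -> IdP display name.
IDP_GROUPS = {
    "11111111-1111-4111-8111-111111111111": "FC-Operators",
    "22222222-2222-4222-8222-222222222222": "FC-Verifiers",
}
# Constructed sample data: FlexiCapture group -> External ID as typed.
FC_GROUPS = {
    "Operators": "11111111-1111-4111-8111-111111111111",
    "Verification": "22222222-2222-4222-8222-222222222222",
    "Supervisors": "11111111-1111-4111-8111-111111111111",  # reuses Operators' IdP group
    "Scanning": "33333333-3333-4333-8333-333333333333",     # absent from the IdP list
    "Export": "FC-Exporters",                                # display name, not a GUID
}

def audit_external_ids(fc_groups, idp_groups):
    """Return sorted (FlexiCapture group, finding) pairs for the mapping."""
    # GUIDs are normalised to lowercase hyphenated form for comparison here;
    # how the product itself compares them is not stated on this page.
    known = {str(uuid.UUID(g)) for g in idp_groups}
    findings, by_guid = [], defaultdict(list)
    for name, ext_id in fc_groups.items():
        try:
            guid = str(uuid.UUID(ext_id.strip()))
        except ValueError:
            findings.append((name, "External ID is not a GUID"))
            continue
        if guid not in known:
            # A typo or a deleted IdP group: nobody will be added on login.
            findings.append((name, "no IdP group has this GUID"))
        by_guid[guid].append(name)
    for names in by_guid.values():
        if len(names) > 1:
            # One IdP group silently grants several FlexiCapture groups.
            for name in names:
                others = ", ".join(sorted(set(names) - {name}))
                findings.append((name, "GUID shared with: " + others))
    return sorted(findings)

if __name__ == "__main__":
    for group, finding in audit_external_ids(FC_GROUPS, IDP_GROUPS):
        print(f"{group}: {finding}")
```
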
SSO-only authentication mode
In high-security environments, access to all of the corporate resources must be controlled from a central location in order to avoid human errors when granting access permissions. For this purpose, you can use SSO-only authentication mode.
Important! SSO-only authentication can only be enabled for non-default tenants.
To enable SSO-only authentication, go to Settings -> Single Sign-On and select the SSO-only authentication mode option. As a result, only users who have been authenticated through an external identity provider will be able to access the system. Creating and importing users in the Administration and Monitoring Console will be automatically disabled.
2/20/2023 7:40:03 AM