SSO Production Documentation

Single Sign-On Overview


Identity allows a customer's user directory to be connected as an identity provider (IdP); this is referred to as "identity federation". When federation is configured, Identity delegates authentication and authorisation of end users to the federated IdP, so the customer controls which employees can access the Drova Platform.

The following diagram demonstrates the simplified authorization flow (login) when identity federation is used (authorization protocol-specific details are omitted for brevity):



The following diagram demonstrates the simplified Drova platform invitation flow when identity federation is used (authorization protocol-specific details are omitted for brevity):

Single Sign-On Setup

Step 1

Please send us the following information, which we need to set up your SSO configuration on the Drova platform. Please include all fields:

Email Domains & SSO URL

Email domains
    Value: a list of email domains
    Description: The email domain(s) of the users who should be authenticated by the configured Identity Provider

SSO URL
    Value: URL
    Description: The URL at the Identity Provider to which SAML authentication requests should be sent. This is often called the Single Sign-On (SSO) URL

Logout URL
    Value: URL
    Description: The URL at the Identity Provider to which SAML logout requests should be sent. This is often called the logout URL, global logout URL or single logout URL

Signing certificate
    Value: .pem or .cer format
    Description: The Identity Provider digitally signs its authentication assertions; the Service Provider needs the signing certificate to validate the signature on those assertions.

SAML token mapping information

Name ID (required)
    SAML value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    Description: Identifier of the user in the Identity Provider. At the moment Drova requires the email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) as the NameID format

Email (required)
    SAML value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Description: User's email address

FirstName (required)
    SAML value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Description: User's first name

LastName (required)
    SAML value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Description: User's last name

FullName (optional)
    SAML value: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Description: User's full name

Step 2

Once your SSO connection has been set up on the Drova side (using the information you send us in the previous step), we will provide the values the Drova platform expects to receive after a successful authentication: the Assertion Consumer Service URL and the EntityID.

Assertion Consumer Service URL / Application Callback URL
    Value: provided by Drova in this step
    Description: The URL to which the Identity Provider must send SAML assertions after it has authenticated a user.
    Note: the Sso-Connection-Id in this value varies per customer. The final value is known only after the initial setup in Identity.

EntityID (Audience)
    Value: provided by Drova in this step
    Description: Identifies the audience (the Service Provider) for which the SAML assertion is issued.
    Note: the Sso-Connection-Id in this value varies per customer. The final value is known only after the initial setup in Identity.

Single Logout Service URL
    Value: provided by Drova in this step
    Description: The Single Logout Service URL, to which SAML logout requests and/or responses from the Identity Provider must be sent.
    Note: when configuring the Identity Provider, make sure that SAML Logout Requests sent to the Service Provider are signed.
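The values exchanged in Steps 1 and 2 are exactly what the Service Provider checks on every inbound assertion: the NameID format and the required claims from the mapping table, the Audience against the EntityID, the Recipient against the ACS URL, and the user's email domain against the domains registered for the connection. The script below is an added example of those checks, not Drova's code; the connection ID, URLs, domains and the sample SAML response are constructed for illustration. It assumes the XML signature has already been verified against the Step 1 signing certificate by the SAML library, which it does not replace.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = {"email": CLAIMS + "emailaddress", "first_name": CLAIMS + "givenname",
                   "last_name": CLAIMS + "surname"}
OPTIONAL_CLAIMS = {"full_name": CLAIMS + "name"}

# Hypothetical per-customer Service Provider settings: Step 1 domains, Step 2 EntityID and ACS URL.
SP_CONFIG = {
    "entity_id": "urn:example:sp:conn-12345",
    "acs_url": "https://auth.example.com/login/callback?connection=conn-12345",
    "email_domains": {"awesomecorp.com", "test.awesomecorp.com"},
}


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, config, now):
    """Checks applied AFTER the XML signature has been verified against the Step 1
    signing certificate. Returns (ok, problems, mapped_attributes)."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], {}

    # NameID is required and must be in emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        problems.append(f"NameID format {name_id.get('Format')!r} is not emailAddress")

    # The assertion must be addressed to this Service Provider's EntityID.
    audiences = {a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if config["entity_id"] not in audiences:
        problems.append(f"Audience {sorted(audiences)} does not include {config['entity_id']}")

    # Bearer confirmation must target our ACS URL and must still be valid.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != config["acs_url"]:
            problems.append(f"Recipient {scd.get('Recipient')!r} is not the ACS URL")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or parse_time(expiry) <= now:
            problems.append("SubjectConfirmationData has no NotOnOrAfter or has expired")

    # Every claim marked required in the mapping table must be present.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0]
    problems += [f"missing required claim {c}" for c in REQUIRED_CLAIMS.values() if c not in attrs]

    # The email must belong to a registered domain and agree with the NameID.
    email = attrs.get(REQUIRED_CLAIMS["email"], "")
    if email:
        if email.rsplit("@", 1)[-1].lower() not in config["email_domains"]:
            problems.append(f"domain of {email!r} is not registered for this connection")
        if name_id is not None and (name_id.text or "").strip().lower() != email.lower():
            problems.append("NameID does not match the email claim")

    mapped = {k: attrs.get(n) for k, n in {**REQUIRED_CLAIMS, **OPTIONAL_CLAIMS}.items()}
    return not problems, problems, mapped


# Constructed sample response (unsigned, for illustration only).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Assertion Version="2.0"><saml:Issuer>https://idp.awesomecorp.com/saml</saml:Issuer>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@awesomecorp.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="https://auth.example.com/login/callback?connection=conn-12345"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:sp:conn-12345</saml:Audience>
</saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@awesomecorp.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = parse_time("2024-01-01T00:01:00Z")

# Same response with the wrong NameID format and an Audience meant for another connection.
BAD_RESPONSE = (GOOD_RESPONSE
                .replace(EMAIL_NAMEID_FORMAT, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
                .replace("urn:example:sp:conn-12345", "urn:example:sp:conn-99999"))

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        ok, problems, mapped = check_assertion(doc, SP_CONFIG, SAMPLE_NOW)
        print(label, "accepted" if ok else "rejected", problems, mapped)
```

The good response is accepted and yields the mapped email, first name and last name (FullName is absent, so it maps to None); the bad one is rejected with two findings, the non-email NameID format and the Audience belonging to a different connection. The Audience check is what stops an assertion issued for another customer's connection from being replayed against yours, and the domain check is what enforces "all users of a configured email domain go through SSO".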

Step 3

Once Steps 1 and 2 are done, we can schedule a testing session to confirm that SSO is configured properly before going live. We suggest setting up a test email domain for this purpose, for example @test.awesomecorp.com

Frequently Asked Questions

For any help throughout the process, please reach out to Drova support

    • Related Articles
    • SSO Integration Guideline for Okta
    • SSO Integration Guideline For Microsoft Entra ID
    • SSO FAQ
    • Identity Provider Information for SSO
    • Logging in with Single Sign-On (SSO)