Enabling Single Sign-On (SSO)

Overview

Single sign-on (SSO) is an authentication method that allows users to access multiple applications with a single login and one set of credentials. Configuring SSO for your Practifi organization streamlines the login experience, reduces password fatigue, and centralizes authentication through your firm's preferred identity provider.

Because Practifi is built on the Salesforce platform, SSO is configured through Salesforce Setup using Salesforce's native authentication framework. This article introduces you to the key concepts, decisions, and prerequisites for enabling SSO, and points you to the Salesforce documentation that walks through each configuration in detail.

• Understanding Single Sign-On
  • Identity Providers and Service Providers
  • Supported Authentication Protocols
• Required Permissions
• Setting Up Single Sign-On
• Requiring SSO Login
• Configuring Single Logout
• Additional Resources

Understanding Single Sign-On

Before configuring SSO, it helps to understand the components involved and the decisions you'll make along the way. SSO works by establishing a trust relationship between two systems: one that verifies a user's identity, and one that grants access based on that verification.

Identity Providers and Service Providers

There are two roles in any SSO configuration:

• The identity provider is the system that authenticates the user and verifies their identity. Common identity providers include Microsoft Entra ID (formerly Azure AD), Okta, OneLogin, Ping Identity, and Google.
• The service provider is the system that trusts the identity provider's verification and grants the user access to its application.

When users log in to your Practifi org using their corporate credentials, your identity provider authenticates the user, and Practifi acts as the service provider, trusting that authentication. 

Supported Authentication Protocols

Salesforce supports two industry-standard SSO protocols:

• SAML (Security Assertion Markup Language): The most widely used protocol for enterprise SSO. SAML is well-suited to scenarios where employees log in to multiple business applications through a corporate identity provider.
• OpenID Connect: A modern authentication layer built on OAuth 2.0, often used for SSO with consumer-facing identity providers.

Salesforce also offers preconfigured authentication providers for common services such as Google, LinkedIn, and Microsoft, which can simplify setup when one of those providers is your identity source.

Required Permissions

Before beginning SSO configuration, confirm that the user completing the setup has the appropriate permissions:

• To view SSO settings: View Setup and Configuration.
• To edit SSO settings: Customize Application AND Modify All Data.

These permissions are typically held by users assigned the System Administrator profile. If the user configuring SSO does not currently hold these permissions, work with your existing administrator to grant them before proceeding.

Setting Up Single Sign-On

Because each identity provider and authentication protocol has its own configuration steps, the procedural details for setting up SSO are in Salesforce's documentation rather than in this article. We recommend using this Salesforce article to guide you through enabling SSO in your Practifi organization.

The general workflow is:

1. Confirm which identity provider your firm will use and gather the configuration details (metadata file, certificates, SAML endpoints, and so on) from your IT or identity management team.
2. Decide between SAML and OpenID Connect based on your identity provider's capabilities and your firm's standards.

3. Navigate to Salesforce Setup by clicking the gear icon in the upper right-hand corner of Practifi and selecting Setup. Use the Quick Find search bar to locate the relevant settings page (such as Single Sign-On Settings or Auth. Providers) and follow the Salesforce documentation linked below for your chosen protocol.

   

4. Verify the login flow with a test user before rolling SSO out to your full team. Confirm that the user can log in through your identity provider and is correctly redirected to Practifi.
5. Once testing is complete, communicate the new login process to your team and roll SSO out broadly.

For step-by-step configuration guidance, refer to the Salesforce Help articles linked in the Additional Resources section.

Requiring SSO Login

By default, when SSO is configured, users can log in either through your identity provider or with their Salesforce username and password. To prevent users from bypassing your SSO system, disable their ability to log in with a Salesforce username and password, so SSO is the only path into Practifi.

For instructions on how to require SSO for non-admin users, refer to the Require Users to Log In with Single Sign-On (SSO) article in Salesforce Help.

Configuring Single Logout

After you configure SSO, consider setting up single logout (SLO) as well. With SLO enabled, when a user logs out of either the identity provider or the service provider, they are logged out of both simultaneously. This improves security by ensuring sessions don't remain active in one system after the user has logged out of the other, and it saves users the step of manually logging out of every application. Refer to the Single Logout article in Salesforce Help for setup details.

Additional Resources

Salesforce maintains comprehensive documentation on SSO configuration. The following Salesforce Help articles are the authoritative source for step-by-step setup procedures:

• Single Sign-On — The top-level overview of SSO in Salesforce, with links to all related articles.
• Single Sign-On Use Cases — A guide to choosing the right configuration for your firm.
• FAQs for Single Sign-On — Frequently asked questions covering implementation and troubleshooting.