How do I set up Single Sign-On (SSO)?

Single Sign-On (SSO) enables anyone at your company with a currently valid company email address to access Event Lists, Briefs and more, all without needing a Circa account. By enabling SSO for your Circa Org, you can:

  1. Restrict visibility of published resources, like Event Calendars, Briefs and Request Forms, to only your current company employees
  2. Enable your Org Members to easily sign in and out of Circa with their regular company email and password, so that they don't have to set or remember another password for Circa.

SSO runs on a technical standard (SAML) that can be implemented on its own or through a vendor, such as Okta.com.

Your company's IT admin will need to set up SSO (see Technical Instructions below). The process is very easy and straightforward, but does require IT admin permissions.


The SSO experience

For employees visiting a published resource

When your Org has SSO enabled and a company employee visits the URL of a published resource and they are already signed in to your company's network, they will be automatically authenticated, so there is no further action necessary on their part. The URL of the published resource will simply load for them directly and they will probably not even be aware that they have been authenticated.

When a company employee visits the URL of a published resource but they are not currently signed in to your company's network, they will be automatically redirected to your company's SSO sign-in page.

An example SSO sign-in page, powered by Okta.

In this way, the Org Member doesn't need to have an Account or password for Circa. They can simply use their regular company email address and password.

For Org Members signing into Circa

When a Member of your Org visits Circa and they are not currently signed in, they will be asked to provide their email address. (They can also Sign in with Google, which is another form of SSO available to G Suite customers.)

If SSO is enabled for your Org, Circa will redirect the Member to sign in at your company's SSO sign-in page. Next they will be redirected back to Circa, where they will have access to your Org, according to their Permissions.

In this way, the Org Member doesn't need to have a password for Circa. They can simply use their regular company email address and password.


Technical Setup Instructions

The following details should be provided to your IT manager in charge of SSO.

In the SSO setup, your company is the Identity Provider, while Circa is the Service Provider.

The saml_identity_providers database table has the following fields:

  • org_id
  • email_domain
  • target_url
  • certificate

As the Identity Provider, please configure your server with:

Then, please contact us with your:

  • Identity Provider Certificate (.pem) → certificate
  • Identity Provider Sign In URL → target_url

We will create a record in the saml_identity_providers table for your domain and Org. Allow one business day for us to proceed and your team will be able to use SSO. We will notify you immediately when we have made the change.


How does the flow work?

  1. The user enters their company email in the first step of sign in.
  2. If the email's domain matches any of the records in the "saml_identity_providers" table, an additional "Sign in with {{Org Name}}" button is shown above all sign-in options in the next step.
  3. When the user clicks that button, they are redirected to "target_url".
  4. The Identity Provider checks the user's identity, either by an already existing cookie or by asking them to sign in with internal credentials.
  5. The Identity Provider redirects the user to our Assertion Consumer Service URL along with the encrypted SAML response.
  6. The Service Provider checks that the response is correct and signs the user in.
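
Step 2 of the flow, sketched as an added example (not Circa's own code): the email's domain is normalized and matched exactly against saml_identity_providers, so subdomains and lookalike domains do not route to an Org's Identity Provider. The table and column names come from this article; the column types, the sample row, the function names and the https check on target_url are assumptions.

```python
import sqlite3

# Constructed sample row. Column names are from the article; the types
# and values are assumptions made for this example.
SAMPLE_ROWS = [(1, "example.com", "https://idp.example.com/sso/saml", "PEM-PLACEHOLDER")]

def open_db():
    """Build an in-memory copy of the table with one constructed record."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE saml_identity_providers ("
        " org_id INTEGER NOT NULL,"
        " email_domain TEXT NOT NULL UNIQUE,"  # one IdP per domain
        " target_url TEXT NOT NULL,"
        " certificate TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO saml_identity_providers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local:
        return None
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(
        l.isascii() and l.replace("-", "").isalnum() for l in labels
    ):
        return None
    return domain.lower()

def find_idp(db, email):
    """Exact-match lookup of the Identity Provider for an email's domain."""
    domain = email_domain(email)
    if domain is None:
        return None
    row = db.execute(
        "SELECT org_id, target_url FROM saml_identity_providers WHERE email_domain = ?",
        (domain,),
    ).fetchone()
    # Assumption: only redirect users to an https sign-in URL.
    if row is None or not row[1].startswith("https://"):
        return None
    return {"org_id": row[0], "target_url": row[1]}
```

A return value of None means the "Sign in with {{Org Name}}" button is not shown and the user sees only the regular sign-in options.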
