iDocuments Single Sign On


First published on: 01/31/2025/10:36 am

 

 

Introduction

This document provides technical information for customers of the Vision33 iDocuments V5 Public Cloud (multi-tenant environment).

 

This document's information is updated regularly, so please ensure you're referring to the most up-to-date version.

 

This document supersedes all other previous technical specifications and versions of this document or the technical information provided, whether written or verbal.

 

Overview

This document reviews the iDocuments single sign-on (SSO) process.

 

Configuration Pre-Requisites

The SSO setup option is available to local administrators and requires the following information from the client to link to their tenant:

  • Tenant ID
  • Application ID
  • Client secret

 

When configuring this, the return URL should be set to the ./Login.aspx page of the relevant iDocuments cloud environment.

 

 

A company setting 'Enable SSO' also determines whether SSO is in use.

 

Users should be configured with a default company, as only the default is used for SSO.

Access

Initial Login - Registration

To determine suitability for SSO, the user must first use basic authentication to register themselves and their locations for future logins.

 

Any login to iDocuments checks the default company and, if configured for SSO, records the username, browser, and machine/IP address and stores information in the browser cookie/cache.

 

 

Single Sign-On - Authentication

The system will then confirm the user is within a company configured for SSO, and the user will be redirected to authenticate.

 

Selecting this option will direct the user to authenticate with their Microsoft account.

 

 

Once authenticated, the user will be logged into iDocuments with a login token that iDocuments will use going forward.

 

Single Sign-On - Authentication

For further logins, iDocuments won't show the login screen and will redirect to the home page URL.

 

 

Note: Any logout will take you back to the login screen, where you'll see the option to ‘Sign In With Microsoft’. You can re-enter credentials if needed. This is not required, as directing you to the iDocuments home page via a link will still automatically sign you in.

 

 

Notes

Assumptions

  • The standard login page is still available, but once a user is logged in, iDocuments will remember that SSO is required. 
    • This login is also available (and useful for testing purposes) when a user uses the logout option.
      • The user must clear the cache to remove the token held to identify the IP/machine vs. the user.
  • If a user changes IP/machine location or browser, or a Microsoft token refresh doesn't occur (because of a changed Microsoft password, for example), a login registration is required before SSO can be enabled.
  • The iDocuments mobile application and email configurations are configured separately, so do not use SSO.
  • Duplicate email addresses in iDocuments aren't supported, as the single sign-on process uses the email against the first record it finds to determine the user.
  • Multi-company clients should set all companies to use SSO, as it will be required when switching between companies.
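A pre-rollout check for the points above can be run against a user export before 'Enable SSO' is switched on. The following is an added example, not Vision33 or iDocuments code: the CSV column names, the `;` company separator, the company-to-setting map and the function name `audit_sso_readiness` are all assumptions made for illustration, and emails are compared case-insensitively as a conservative assumption about how records are matched.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not an iDocuments format.
SAMPLE_USERS = """username,email,default_company,companies
asmith,a.smith@example.com,ACME,ACME
a.smith2,A.Smith@Example.com ,ACME,ACME;ACME_EU
bjones,b.jones@example.com,,ACME
clee,c.lee@example.com,ACME_EU,ACME;ACME_EU
"""
# Constructed: company -> value of its 'Enable SSO' setting.
SAMPLE_SSO_ENABLED = {"ACME": True, "ACME_EU": False}


def audit_sso_readiness(users_csv, sso_enabled):
    """Return findings keyed by the rule from the notes that each user breaks."""
    by_email = defaultdict(list)
    findings = {"duplicate_email": {}, "no_default_company": [],
                "default_not_sso": [], "mixed_sso_companies": []}
    for row in csv.DictReader(io.StringIO(users_csv)):
        user = row["username"].strip()
        # Compare emails case-insensitively and ignore stray whitespace.
        email = row["email"].strip().lower()
        if email:
            by_email[email].append(user)
        default = row["default_company"].strip()
        companies = [c.strip() for c in row["companies"].split(";") if c.strip()]
        if not default:
            # Only the default company is used for SSO, so it must be set.
            findings["no_default_company"].append(user)
        elif not sso_enabled.get(default, False):
            findings["default_not_sso"].append(user)
        # Multi-company users: every company should have SSO enabled.
        states = {sso_enabled.get(c, False) for c in companies}
        if len(companies) > 1 and states != {True}:
            findings["mixed_sso_companies"].append(user)
    # An email shared by several records would resolve to the first one found.
    findings["duplicate_email"] = {e: u for e, u in by_email.items() if len(u) > 1}
    return findings


if __name__ == "__main__":
    for rule, hits in audit_sso_readiness(SAMPLE_USERS, SAMPLE_SSO_ENABLED).items():
        print(rule, hits)
```

Any entry under `duplicate_email` should be resolved first, since the sign-on would otherwise be matched to whichever of those records is found first.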

 

 

 

 



  

Last modified: 05/16/2025/4:48 pm
