SSO Introduction and Setup
xAssets v7 includes a flexible authentication framework that connects to virtually any hosted single sign-on (SSO) service. SSO allows users to log in to xAssets using their existing corporate identity, eliminating the need for a separate xAssets password and providing a seamless login experience.
This page introduces the SSO framework and explains the steps required to enable SSO. Provider-specific configuration is covered in the subsequent pages.
Supported Providers
xAssets has pre-built integrations for the following identity providers:
| Provider | Protocol | Page |
|---|---|---|
| Microsoft Azure AD (Entra ID) | OAuth2 / OIDC | SSO with Azure |
| OKTA | OAuth2 / OIDC (PKCE) | SSO with OKTA |
| OneLogin | OAuth2 / OIDC (PKCE) | SSO with OneLogin |
| Duo Security -- Generic OIDC | OIDC | SSO with Duo Option 1 |
| Duo Security -- Web API | Custom | SSO with Duo Option 2 |
| Any SAML provider | SAML 2.0 | See SAML section below |
Additional SSO providers can be supported through custom authentication scripts. Contact xAssets consulting for custom SSO requirements.
Prerequisites
Before enabling SSO, you need:
- An account with the chosen identity provider (Azure AD, OKTA, etc.)
- Administrator access to the identity provider to create application registrations
- Configuration-level access to xAssets to change settings and create credential packs
- The xAssets Batch Service running (for auto-provisioning of new SSO users)
Enabling SSO
Follow these steps to enable SSO:
Step 1: Set the Authentication Provider
- Log in to xAssets as a configuration-level user
- Navigate to Admin > Settings
- Set the AUTHENTICATIONID setting to the chosen provider (e.g., "Azure AD", "OKTA", "DUO GENERIC"). Values of 3 or higher enable SSO; lower values disable it.
Step 2: Create the SSOADMIN Account
- Create a user account called SSOADMIN using the normal user creation dialog
- Make SSOADMIN a member of the Admins user group
- This account cannot log in directly -- it is used by the system to create internal records for new SSO users when they log in for the first time
Warning: The SSOADMIN account must exist and be in the Admins group before any SSO user attempts to log in. If it is missing, auto-provisioning of new SSO users will fail silently -- the user will see a login error with no indication of the cause.
Step 3: Optional -- Grant SQL Server Permissions to SSOADMIN
If the SSOADMIN user has permission to create accounts in SQL Server, new SSO users will be provisioned immediately during their first login. If this permission is not granted, the Batch Processor creates the internal accounts instead, which adds 1 to 10 seconds to each first-time login.
Step 4: Configure the Identity Provider
Follow the provider-specific instructions in this chapter to create the application registration and configure redirect URIs, scopes, and permissions.
Step 5: Create a Credential Pack
Create a credential pack in xAssets that stores the connection details for the identity provider. The credential pack name, fields, and values are specific to each provider -- see the provider pages for details.
Step 6: Test the Login
- Open a new browser window (or an incognito/private window)
- Navigate to your xAssets URL
- The system should redirect to the identity provider's login page
- After successful authentication, you should be returned to xAssets and logged in
SAML Providers
xAssets supports SAML 2.0 identity providers, though OAuth2/OIDC providers are preferred for new deployments. SAML support is available for environments where SAML is the only option.
To configure SAML SSO:
- Create a credential pack called SAML_SSO with the following values:
| Field | Value |
|---|---|
| Domain | The IdP SSO URL (e.g., https://login.microsoftonline.com/{tenant}/saml2) |
| Username (Client ID) | Your SP Entity ID / Audience URI |
| Password (Secret) | The X.509 signing certificate from the Identity Provider (base64-encoded, without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers) |
- Log in as a configuration-level user and set the AuthenticationType SpecialOption to SAML
- Test the login in a new browser window
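Preparing the Password (Secret) value described in the table above, as an added example (not xAssets code): it strips the PEM headers and line breaks, checks that the result still decodes to one complete DER structure, and returns a SHA-256 fingerprint to compare with the one shown by the identity provider. The sample input is a constructed DER stub, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_total_length(der: bytes) -> int:
    """Return the full encoded length of the outer DER element."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (an X.509 certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def prepare_idp_certificate(text: str):
    """Return (single-line base64 body, SHA-256 fingerprint) for the Secret field."""
    blocks = PEM_RE.findall(text)
    if len(blocks) > 1:
        raise ValueError("more than one certificate found; use only the signing certificate")
    body = "".join((blocks[0] if blocks else text).split())
    if "-----" in body:
        raise ValueError("stray PEM header or footer left in the value")
    der = base64.b64decode(body, validate=True)   # rejects non-base64 characters
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    digest = hashlib.sha256(der).hexdigest().upper()
    return body, ":".join(digest[i:i + 2] for i in range(0, 64, 2))


# Constructed stand-in for a certificate: a minimal DER SEQUENCE, not a real X.509 cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (f"-----BEGIN CERTIFICATE-----\n{_b64[:4]}\n{_b64[4:]}\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    body, fingerprint = prepare_idp_certificate(SAMPLE_PEM)
    print("Secret field value:", body)
    print("SHA-256 fingerprint:", fingerprint)
```

A copy/paste that drops part of the certificate fails the length check here instead of surfacing later as a SAML signature validation error.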
Logging In Without SSO
When SSO is enabled, you can bypass it for troubleshooting or administrator access by adding ?logondirect=direct to the URL:
https://mycompany.hosted.xassets.net/a.aspx?logondirect=direct
This is useful when:
- The SSO provider is unavailable
- You need to troubleshoot SSO configuration issues
- You need to access xAssets with a local administrator account
Note: Regular SSO users do not know their xAssets internal password -- it is an auto-generated encrypted value. Only users whose passwords were explicitly set (such as admin accounts created before SSO was enabled) can use this bypass method.
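Because ?logondirect=direct bypasses the identity provider, its use is worth reviewing in the web server logs. The following added example (not part of xAssets) assumes IIS W3C-format logs with a #Fields header; the log lines, IP addresses and the EXPECTED_ADMIN_SOURCES allowlist are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log (IIS W3C format assumed; IPs are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 08:00:01 GET /a.aspx - 198.51.100.7 302
2024-05-01 08:02:10 GET /a.aspx logondirect=direct 203.0.113.9 200
2024-05-01 08:02:15 POST /a.aspx LogonDirect=Direct&x=1 203.0.113.9 200
2024-05-01 08:05:44 GET /a.aspx page=1&logondirect=direct 192.0.2.20 200
2024-05-01 08:06:00 GET /help.aspx topic=logondirect 198.51.100.7 200
"""

# Hypothetical allowlist: addresses administrators are expected to use.
EXPECTED_ADMIN_SOURCES = {"203.0.113.9"}


def find_direct_logons(log_text):
    """Return log records whose query string carries logondirect=direct."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        # Match case-insensitively so any casing of the parameter is reported.
        params = {k.lower(): [v.lower() for v in vs]
                  for k, vs in parse_qs(query).items()}
        if "direct" in params.get("logondirect", []):
            hits.append(row)
    return hits


def unexpected_sources(hits, allowed=EXPECTED_ADMIN_SOURCES):
    """Count bypass requests per client IP, keeping only IPs not on the allowlist."""
    counts = Counter(h.get("c-ip", "unknown") for h in hits)
    return {ip: n for ip, n in counts.items() if ip not in allowed}


if __name__ == "__main__":
    hits = find_direct_logons(SAMPLE_LOG)
    print(len(hits), "direct-logon requests")
    for ip, n in unexpected_sources(hits).items():
        print("review:", ip, n)
```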
Related Articles
- Preparation — the settings and scripts that control SSO
- Maintaining User Identities — how user records work with SSO
- Azure User Groups — mapping Azure AD groups to xAssets user groups
- Troubleshooting — diagnosing SSO login failures