SSO Integration - How It Works

What is SSO?

Single sign-on (SSO) is an authentication method that enables users to authenticate securely with multiple applications and websites by using just one set of credentials. This single authentication point increases security by:

  • Reducing password fatigue. Remembering one password instead of many makes users’ lives easier. As a tangential benefit, it gives users greater incentive to come up with strong passwords.
  • Simplifying username and password management. When personnel changes occur, SSO reduces both IT effort and opportunities for mistakes when removing user privileges from network systems. 
  • Improving identity protection. With SSO, companies can strengthen identity security with techniques such as two-factor authentication (2FA) and multifactor authentication (MFA).
  • Increasing speed where it is most needed. In settings such as hospitals, defense industries, and emergency services, where large numbers of people and departments demand rapid and unfettered access to the same applications, SSO is especially helpful. In such cases, preventing errors and malware intrusion can be the literal difference between life and death. 
  • Relieving help desk workloads. Fewer users calling for help with lost passwords saves money and improves security. 
  • Reducing security risks and vulnerabilities between customers, vendors, and partner entities. 

With Sfax SSO, your users will be able to log in securely to Sfax with their existing company credentials. They won’t have to remember a unique login for Sfax, leading to a better, more secure user experience by reducing the likelihood that they lock themselves out of their account.

Release Notes — April 30, 2021

  • For this release, SSO support is only for the Sfax web portal.
  • The implementation of SSO in Sfax is SAML based; each end user application must be able to accept and respond to a SAML assertion.

Useful Acronyms

| Acronym | Description |
|---|---|
| 2FA | Two-factor authentication |
| IdP | Identity Provider |
| MFA | Multifactor authentication |
| SAML | Security Assertion Markup Language |
| SSO | Single Sign On |

Activate SSO on Your Sfax Account

To enable SSO, the primary account administrator must contact their Sfax Sales Rep or their Sfax Account Manager. Once SSO is activated, the primary account administrator will then configure SSO for their users via the Sfax Admin Portal.

Some things to keep in mind when activating SSO on your Sfax account:

  • SSO management permissions are granted to Admins, who in turn grant SSO permissions to their selected users.
  • SSO management permissions can be granted to additional Admins by Customer Service.
  • The username for any Sfax SSO user MUST be the SSO email address or else they will not be able to log in via SSO. For example, usernames such as John.Doe cannot be used to log in via SSO because the username has to match the exact SSO email address of the SSO user, including the correct case sensitivity. This means that only a username like john.doe@company.com would work.

Configure SSO

Once activated, follow these steps to configure SSO:

1. Your Sfax Administrator must log into the Sfax Admin portal.

2. In the Settings > Manage Integrations > Single Sign-on page, the Admin provides the following information in the Manage SSO table:

NOTE: This information — except for the SSO State field — is obtained from your Identity Provider when they set up a SAML connection to Sfax. Once this information is input into Sfax, the corresponding rows in the Sfax SSO Settings section will be generated; the Sfax Administrator must share the information in Sfax SSO Settings with the Identity Provider being used.

| Field | Description |
|---|---|
| SSO State | This value denotes if SSO is Enabled or Disabled for this Sfax account. If Disabled, no functionality should be changed for the customer/user. If Enabled, users enabled for SSO are redirected to the SSO URL indicated in the Manage SSO window. |
| IdP Name | Enter the SSO provider's IdP identifier URL in this field. |
| Single Sign-on URL | Enter the SSO provider’s sign-on URL in this field. |
| Log Out URL | Enter the SSO provider’s log out URL in this field. |
| X.509 Certificate | Enter the security certificate provided by your IdP. |

3. Click Update to save new field values. When updated, the Sfax system populates the following fields. Provide this information to your IdP to complete the SSO configuration.

| Field | Description |
|---|---|
| Entity ID | The application name. For example, https://app.sfaxme.com/ |
| ACS Endpoint | The endpoint where all communication between the IdP and Sfax happens for login |
| Log Out Endpoint | The endpoint where all communication between the IdP and Sfax happens for logout |
| Public Key | The Sfax SSO security certificate used to encrypt the SAML message between Sfax and the IdP. |

4. When your IdP has Sfax SSO Settings, click Enable SSO to activate single sign-on.

Configure Your Users for SSO Login

To configure your users to use their SSO login, go to the Manage SSO Users table at the bottom of the page. Use the Search field to look up a username if needed.

Once the user record you are looking for appears in the table, click the value in the Action field (Restrict or Unrestrict) to limit that user to only using SSO login credentials. Depending on the value shown in the Action field, the Restricted to SSO field will either state Yes (Restricted to SSO) or No (Not Restricted to SSO).

Enforcing SSO

To enforce SSO, go to the Settings > Manage Integrations > Single Sign On via SAML page and click Activate. (If CS or Sales activates your account, then this button will say Deactivate, indicating that SSO has been enforced.)

NOTE: To fully use SSO, both this activation point and the Enable SSO feature in the Settings > Manage Integrations > Single Sign-on page must be toggled on.

At this point, if activated, all unrestricted users may log into the account via their usernames and passwords—OR via SSO. Restricted users will only be able to use SSO. This gives organizations flexibility when migrating employees to SSO in stages.
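
Because a restricted user can only log in via SSO, and SSO login requires the username to match the SSO email address exactly (including case), restricting a user whose username does not match leaves that user with no working login. The following added example (not Sfax code) checks for that before users are restricted; the user list format, the sample accounts and the function names are assumptions constructed for illustration.

```python
# Constructed sample data (hypothetical export format, not Sfax's own):
# (Sfax username, "Restricted to SSO" flag) pairs and the IdP's email addresses.
SFAX_USERS = [
    ("john.doe@company.com", True),
    ("John.Doe", True),
    ("Jane.Roe@company.com", True),
    ("fax.desk", False),
    ("ops@company.com", False),
]
IDP_EMAILS = {"john.doe@company.com", "jane.roe@company.com", "ops@company.com"}


def sso_match_problem(username, idp_emails):
    """Return None if the username equals an IdP email exactly, else the reason."""
    if username in idp_emails:
        return None
    if username.casefold() in {e.casefold() for e in idp_emails}:
        return "case differs from the IdP email address"
    if "@" not in username:
        return "username is not an email address"
    return "no IdP account with this email address"


def audit_sso_users(users, idp_emails):
    """Classify each user by the login paths left once SSO is enforced."""
    report = {}
    for username, restricted in users:
        problem = sso_match_problem(username, idp_emails)
        if problem is None:
            status = "sso-only" if restricted else "sso-or-password"
        else:
            # A restricted user cannot fall back to a password, so a username
            # that fails the exact match leaves no working login path.
            status = "locked-out" if restricted else "password-only"
        report[username] = (status, problem)
    return report


if __name__ == "__main__":
    for name, (status, problem) in audit_sso_users(SFAX_USERS, IDP_EMAILS).items():
        print(f"{name:24} {status:16} {problem or ''}")
```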

This completes your SSO setup. 

  • When SSO is deactivated, or when individual users are not set to use SSO, users must log on using this URL: https://app.sfaxme.com/.

Deactivating SSO

To disable the option of users logging into the Sfax account:

  • Via SSO Only: In the Settings > Manage Integrations > Single Sign-on page, click Disable SSO. All users return to having the option to log in via their username and password.
  • Via SSO: In the Settings > Manage Integrations page, click Deactivate in the Single Sign on via SAML pane. This removes all information in the pane, the Enforce SSO button auto-toggles OFF—and all users return to only using their usernames and passwords to log into the account.

Using Session Expiration Parameters

If the IdP uses a session expiration parameter, then Sfax users that signed in using SSO and that passed in a session expiration parameter may encounter a session timer that indicates the time left in a given authorized session.

The pop-up should provide a countdown of the remaining seconds, along with two options: 

  • Logout - this logs the customer out of the current session.
  • Continue Session - this will refresh the current login session and reset the timer.

If no action is taken and the timer reaches zero, the user will be logged out of the Sfax web portal.

Typical SSO Use Cases

The following use cases are from the perspective of a healthcare service provider or payer with multiple fax numbers that may be assigned to individuals or departments.

Use Case One – Fax Number Assigned to Individuals

Folks who have their own fax number should be able to use their company SSO credentials for authentication purposes and: 

  • Viewing the inbound faxes received by their fax number(s)
  • Viewing sent faxes (if stored)
  • Viewing sent/received fax logs
  • Using the application to send a fax
  • Accessing and updating account information 

Use Case Two – Fax Number Assigned to a Department or Group 

Any employee who belongs to a Department or Group should be able to use their company SSO credentials for authentication purposes and:

  • Viewing the inbound faxes received by their fax number(s)
  • Viewing sent faxes (if stored)
  • Viewing sent/received fax logs
  • Using the application to send a fax

NOTE: Since the fax number is shared, employees should not have access to modify account level information. When a department adds or removes an employee, SSO provisioning is not automatic; the Admin still needs to create a user profile and assign that user to the numbers they need.

Use Case Three – As a Healthcare Service Provider or Payer, My Service Desk Is the Administrator for Third-party Applications, Including Fax (PPD, HealthFirst)

  • Two employees will be super-users and should have the ability to log into the administrator applications for Sfax using their SSO credentials and have full access.
  • Group admins should be able to use their SSO credentials to log in, and only have access to their group capabilities.

If you have any questions about Sfax SSO support, feel free to send us an email at support@sfax.com, or call our support line at 1-877-493-1015.