Definition
Single Sign-On (SSO) is a login system that allows users to access multiple applications or services with one set of credentials (like one username and password).
You log in once using your company account, and you can then access:
Email (e.g., Outlook, Gmail)
File storage (e.g., Google Drive or OneDrive)
Project tools (e.g., Prewave, Jira, Slack)
without having to log in again for each service separately.
Benefits
Faster login experience
Fewer passwords to remember
Better security through centralized control (IT can manage access in one place)
Workflow
We exchange the Metadata XML (either as file or URL) so that we both have each other's information.
We create the registration ID for your customer ID and store that information in our database. This step also creates our Metadata.
We send our Metadata XML file to you (and receive yours). Generally, we need your metadata first in order to generate ours.
We import your metadata in our SAML service, you import ours in yours.
You test the login.
We turn off the password login for your organization.
Please see below the SSO information for your IT department:
Prewave's SSO solution uses SAMLv2.
It is used only for authentication (as a replacement for a password). User accounts need to be created via Prewave’s Customer Success Team or via the user management functionalities from within the Prewave application.
SSO can only be rolled out for the whole organization, not for individual users.
The following features are deactivated and not available for any users of a customer using SSO:
Reset a password (using the “Forget password” function)
Login with a password (circumventing the SSO)
User roles cannot be changed via SSO. Roles and permission settings are still handled by Prewave via the Customer Success Team or the user management feature from within the Prewave application.
We currently only support email addresses as “NameID” format. The corresponding SAML format identifier is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Prewave provides a SAML metadata XML specification and requires the corresponding specification from the customer, either via URL (preferred) or as a file.
Example for this specification file: https://docs.oracle.com/cd/E19636-01/819-7664/6n9ji525r/index.html
All information about EntityID, claims, formats etc. is in the XML. Please use the corresponding XML import function of your SSO system (tested with Azure AD, ADFS on premise, Keycloak, Okta). If you use ADFS on premise, you might want to read our ADFS implementation notes.
Some implementations (like Azure Entra ID) need the “Sign on URL”, which can be set to https://www.prewave.com/login
As a first step, we test the SSO integration on our staging environment before we start the live integration on production. To do that, we need your XML file with the SAML provider metadata so that we can start the initial process.
Please reach out to your dedicated Customer Success Manager if you want to implement SSO.
Frequently Asked Questions (FAQ)
Do you support other SSO protocols besides SAML2?
At the moment, Prewave supports SAML 2.0 only. Support for other protocols (e.g., OpenID Connect or OAuth 2.0) may be considered in the future based on demand.
Can we test SSO before going live?
Yes. We always test the SSO integration in our staging environment first, using your SAML metadata, before switching it on in production.
Can SSO be enabled only for some users?
No. SSO must be enabled for the entire organization. We do not support partial rollouts at this time.
What if our users forget their company password?
Since SSO replaces Prewave passwords, users must follow your internal IT process for password recovery through your identity provider (e.g., Azure AD, Okta).
Can users still log in with a Prewave password after SSO is enabled?
No. Once SSO is activated, the password login is disabled for all users. They must use their organization’s SSO login.
Can we use SSO for account provisioning?
No. SSO is used for authentication only. User accounts must still be created by Prewave’s Customer Success Team or via the user management functionality in the Prewave application.
Do you support Just-In-Time (JIT) provisioning?
Currently, Prewave does not support JIT provisioning. All users must be pre-created in the system.
What happens if our SSO provider is down?
If your identity provider is unavailable, your users won’t be able to log in. We recommend ensuring high availability for your IdP and having an internal contingency plan.