Registration

Single Sign On Settings

- The Single Sign On setting is added under Add/Edit Account > Single Sign On tab.

- Users can select either oAuth or SAML as the Single Sign On method.

-     SAML Settings

When the user selects SAML, the following settings are required:

§ Entity ID: This requires communicating with tenant app.

§ The user can enable or disable Single Sign On for a specific facility.

§ Landing Page URL: The user can enter the account name in the text box to create a custom landing page URL.
The landing page URL is displayed in the form 'https://www.escttest.com/LandingPageURL'.

§ Landing Page URL: The user can copy the Login URL used to log in to ES Optimizer/Survey Optimizer by clicking the provided copy button.

§ Tenant ID: Tenant ID for the facility

If all facilities use the same tenant ID, then a single login URL will be used for that account, else each facility will have a different login URL.

 

- oAuth Settings

When the user selects oAuth, the following settings are required:

§ Landing Page URL: The user can enter the account name in the text box to create a custom landing page URL.
The landing page URL is displayed in the form 'https://www.escttest.com/LandingPageURL'.

§ Landing Page URL: The user can copy the Login URL used to log in to ES Optimizer/Survey Optimizer by clicking the provided copy button.

§ If all facilities use the same tenant ID, then a single login URL will be used for that account; otherwise each facility will have a different login URL.

 

- Based on the auth method selection, the user can log in with SAML or oAuth.

 

Exclusive SSO

- To enable SSO Exclusive, the “SSO Exclusive” checkbox needs to be checked.

- When SSO Exclusive is enabled, the admin user needs to add allowable IPs so that users cannot access the application from outside the IP range.
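
The SSO Exclusive IP restriction can be sketched as follows. This is an added example, not the product's own code: the `AccountSso` model, the function names, the CIDR notation for allowable IPs and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccountSso:
    """Hypothetical model of two fields from the Single Sign On tab."""
    sso_exclusive: bool = False
    allowable_ips: list = field(default_factory=list)  # single IPs or CIDR ranges


def _parse_ip(text):
    ip = ipaddress.ip_address(text.strip())
    # Fold ::ffff:a.b.c.d into a.b.c.d so dual-stack servers match IPv4 ranges.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def ip_in_allowable_range(client_ip, allowable_ips):
    """True only if client_ip parses and lies inside a configured range."""
    try:
        ip = _parse_ip(client_ip)
    except ValueError:
        return False  # unparseable address: fail closed
    for entry in allowable_ips:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # a malformed entry never widens access
        if ip.version == net.version and ip in net:
            return True
    return False


def login_decision(account, client_ip):
    """Return which login methods are offered and whether access is allowed."""
    if not account.sso_exclusive:
        return {"allowed": True, "methods": ["sso", "password"]}
    # SSO Exclusive: no username/password option; an empty list denies everyone.
    allowed = ip_in_allowable_range(client_ip, account.allowable_ips)
    return {"allowed": allowed, "methods": ["sso"]}


# Constructed sample account (documentation address ranges, not from the page).
SAMPLE = AccountSso(True, ["203.0.113.0/24", "198.51.100.10", "bad-entry"])

if __name__ == "__main__":
    for addr in ["203.0.113.7", "::ffff:203.0.113.7", "198.51.100.11", "n/a"]:
        print(addr, login_decision(SAMPLE, addr))
```

The address passed to such a check should be the one seen on the connection or set by a trusted reverse proxy; a client-supplied header such as `X-Forwarded-For` can be set to any value by the caller.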

 

Web changes (ES/Survey Optimizer)

ES Optimizer

- When oAuth/SAML is enabled, the user accesses ES/Survey Optimizer through the custom landing page (format: https://www.escttest.com/LandingPageURL).

- If SSO Exclusive is enabled, there is no option to enter a username/password.

- The user selects the app and clicks the “Login with SSO” button.

- Based on the oAuth/SAML setting, the user is logged in to the application using oAuth/SAML.

- When the user clicks the “Login with SSO” button and the auth setting is SAML, the following screen appears –

- After a successful SAML login with SSO, the user's claim information is received from Active Directory. Once the user is authenticated, the user’s permissions are fetched from ES Optimizer and the user is redirected to the home screen.

 

 

Exclusive SSO + SAML/oAuth

 

ES Optimizer

1.  When the user accesses ES Optimizer from a valid/invalid SSO Exclusive IP range and SSO Exclusive is enabled for the account, the “Login with SSO” button along with the app selection drop-down is shown to the user on the Login page.

Refer to the screenshot below –

2.  After login,

- If the user has multi-facility access, a facility selection drop-down is shown to the user before entering the application.

- If the user has single-facility access, the user can enter the application.

- When SSO Exclusive is enabled and the user accesses the site from an invalid IP, the user can’t access the application –

 

SSO Exclusive - Forgot Password

If SSO Exclusive is enabled, the user won’t be able to retrieve the ES Optimizer password. If the user tries to use the forgot password feature while SSO Exclusive is enabled, the following prompt is shown to the user, and an email is also sent to the user informing them to use their SSO credentials.

“Your account exclusively uses Single Sign On. You must log into your account using your Single Sign On credentials. If you do not have your username or password, please contact your   facility’s help desk”

Refer to the screenshots below –

- A similar workflow will be available for Survey Optimizer.

 

Survey Optimizer


- When oAuth/SAML is enabled, the user accesses ES/Survey Optimizer through the custom landing page (format: https://www.pst-test.com/LandingPageURL).

- If SSO Exclusive is enabled, there is no option to enter a username/password.

- The user selects the app and clicks the “Login with SSO” button.

- Based on the oAuth/SAML setting, the user is logged in to the application using oAuth/SAML.

 

 

 

 

- When the user clicks the “Login with SSO” button and the auth setting is SAML, the following screen appears –

- After a successful SAML login with SSO, the user's claim information is received from Active Directory. Once the user is authenticated, the user’s permissions are fetched from Survey Optimizer and the user is redirected to the home screen.

 

Exclusive SSO + SAML/oAuth

Survey Optimizer

1.  When the user accesses ES Optimizer from a valid/invalid SSO Exclusive IP range and SSO Exclusive is enabled for the account, the “Login with SSO” button along with the app selection drop-down is shown to the user on the Login page. Refer to the screenshot below –

2.  After login,

- If the user has multi-facility access, a facility selection drop-down is shown to the user before entering the application.

- If the user has single-facility access, the user can enter the application.

 

 

User/Employee module changes for exclusive oAuth/SAML

- If SSO Exclusive is enabled, the Password/Retype password fields are not visible to the user.

- When a new user is added from Survey Optimizer and SSO Exclusive is enabled for the account, the user cannot retrieve the password.

- If SSO Exclusive is enabled, the User Permission tab is visible for the master user and the admin user in the employee module.


 

iOS Changes

- All iOS apps are updated for the SAML/oAuth and exclusive SAML/oAuth changes.

- By default, the Single Sign On button will not be visible.

- Once a user is imported and SSO is enabled (SAML/oAuth), the Single Sign On button will be visible.

- On clicking the “SSO Single Sign On” button, the user enters the AD credentials and is authenticated based on the SAML/oAuth settings.

 

SSO Exclusive

- When the app launches, it checks whether it is being accessed from a valid IP range. If SSO Exclusive is enabled and the user accesses the app from a valid IP range, then only the “Login with SSO” button will be visible.

 

Setup Single Sign-On

- The Setup Single Sign-On feature is used if the user has no ES/Survey Optimizer user credentials.

- In this case, the “Setup Single Sign On” feature is used to fetch the Single Sign On settings on the device.

- A new 'Setup Single Sign-On' button is added on the import user screen to fetch SSO settings.

- The user can enter a valid SSO username and password and click on the 'Setup Single Sign On' button. This opens the Microsoft login window to validate the user.

- When clicking on the 'Setup Single Sign-On' button,

a.   If OAuth is enabled from the web, then Microsoft requests permission to share data with Microsoft.

b.   If SAML is enabled from the web, then the Microsoft Login window will open.

2.  Open the Microsoft login window by clicking on 'Continue' and select your AD user.

3.  Enter your AD username and then click on the “sign on” button to retrieve the user's SSO settings.

- The user's SSO settings are imported successfully and the user is redirected to the login page.

 

           

 

Reset SSO Exclusive

- If SSO Exclusive is enabled and, for any reason, the user is unable to log in to the application, the user can enable/disable SSO Exclusive for the specific device.

- In this case, the legacy login with Login/Password text boxes is shown to the user.