Configuring Single Sign on via SAML with Abacus
Important: Abacus currently only supports SAML-based single-sign-on providers.
Configure your Identity Provider
If your company uses an Identity Provider like OneLogin, Okta, JumpCloud, Rippling, or others, you may want to configure SAML on Abacus.
Note: In order to set up SSO, your organization must be on Abacus’ Enterprise plan, and you must be an Admin.
Configuring your Abacus account to use SSO for authentication means that every member of your team will need to log in via your chosen Identity Provider to access Abacus. In order to configure SSO in your Abacus account:
- Head to the Authentication tab in Settings
- Enter your Sign-in page URL, provided by your identity provider
- Enter your Identity Provider Issuer, a unique name (usually a URL) that your identity provider typically provides
- Enter your X.509 Certificate
Your Identity Provider will have further details on how to get set up on their end. Here are some resources:
If your Identity Provider asks for an ACS URL or an Entity ID in the platform, you will need the following information:
- ACS URL: https://www.abacus.com/login/saml/assertion
- Entity ID: https://www.abacus.com/home?company_id=company ID*
*Reach out to your implementation manager for your company ID number
Congrats! Now your company is configured for SSO.
Note: Once SSO is enabled, this will be the exclusive way you and your team will be able to log in to your Abacus accounts. Any attempts to use a username and password to log in to this Abacus account will return an error.
Invite Your Team
- Before adding a team member in Abacus, first make sure you have added the employee to your Identity Provider
- Next, invite the appropriate people via the Invite button on your Abacus People Page
Your employees will be directed through your Identity Provider, and then once they log in there, they will be redirected to your Abacus account.
Using SAML-based SSO within a Multi-Subsidiary Organization
Do you use the ‘Connected Orgs’ feature of Abacus? If so, no problem! Your team will have different organizations in their account, and they will be prompted to authenticate the appropriate ones.
Logging in on your iPhone or Android
Logging in works the same way on iPhone or Android as it does on the web. We recommend that you use the mobile app for the Identity Provider you use. If you or your team belongs to multiple subsidiaries, they will have to select the appropriate organization from their phone:
When deactivating a user, you will need to deactivate them in Abacus, in addition to disabling them in your Identity Provider. This ensures that their access to the mobile apps, as well as the web, will be deactivated.