SSO authentication is only supported for web stations. When starting up a station, users need to authenticate. Besides authenticating with their ABBYY FlexiCapture Cloud user name and password, users can also be authenticated through an external identity provider (e.g. Azure Active Directory integrated with your corporate Active Directory).
Here's what happens when a user is authenticated through an external identity provider.
- The user clicks the Log in with [external server name] button.
- ABBYY FlexiCapture Cloud generates an AuthnRequest message, places it in the SAMLRequest query parameter of an HTTP GET request, and sends the request to the identity provider. Encrypted SAML SSO connections are not supported.
- The identity provider authenticates the user.
- If the authentication is successful, the identity provider generates an assertion message.
- The request containing the assertion message is sent to ABBYY FlexiCapture Cloud in order to determine whether the specified user has the necessary permissions to log in to the specified station.
- ABBYY FlexiCapture Cloud verifies the assertion message using a public key certificate obtained from the identity provider and then authorizes the user.
- ABBYY FlexiCapture Cloud performs the required operations and issues an internal authentication ticket.
- The user is granted access to the appropriate web station with the issued authentication ticket.
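
The SAMLRequest encoding from the second step, shown as an added example (not ABBYY code): it assumes the standard SAML 2.0 HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding), and all URLs, the request ID and the function names are constructed for illustration. Decoding the parameter shows which Issuer, Destination and assertion consumer URL were actually sent, which is what you compare against the identity provider's configuration when a login fails.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML_BYTES = 64 * 1024  # refuse oversized (decompression-bomb) input

# Constructed sample request; every URL and the ID are placeholders.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example/sso" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    "<saml:Issuer>https://sp.example/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

def encode_redirect(authn_xml: str, idp_sso_url: str) -> str:
    """Build the GET URL: raw DEFLATE, then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    deflated = comp.compress(authn_xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": b64})

def decode_redirect(url: str) -> dict:
    """Recover the AuthnRequest from a redirect URL and list key fields."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("URL has no SAMLRequest parameter")
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("decoded request exceeds size limit")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("refusing XML that carries a DTD")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }

if __name__ == "__main__":
    print(decode_redirect(encode_redirect(SAMPLE_AUTHN_REQUEST, "https://idp.example/sso")))
```

The parameter is encoded, not encrypted, so anything that records the URL (proxy logs, browser history) can recover the request the same way.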
Note: This feature has been tested using the following identity providers: Azure Active Directory, OneLogin, and Okta.
Note: Multiple identity providers can be used simultaneously. New authentication methods will be used side by side with the existing methods, including those used by default.