Single Sign-On

This feature allows operators to log into the CurrentWare dashboard by authenticating using external Identity Providers. It uses the industry standard OAuth 2.0 through an integration platform to integrate with your Identity Provider, allowing convenient and secure access to CurrentWare, along with leveraging the access management features of your Identity Provider.

Info
Single Sign-On may require an upgrade to your CurrentWare subscription plan. Please contact the CurrentWare team for more information.


How it works

When a user who has been set up to access CurrentWare with Single Sign-On opens the login page, they can click the Single Sign-On option to initiate the authentication process. 


The user will be required to authenticate with your chosen Identity Provider.  If they have an existing valid session (i.e. they have recently authenticated with the Identity Provider on this computer), they may not need to re-enter their credentials.  Once authenticated, the user will be redirected into the CurrentWare dashboard, and will be logged in with their allocated permissions.

We use an integration platform to facilitate the secure link to your Identity Provider. The user is authenticated directly with your Identity Provider, and the authentication status is then sent back to CurrentWare.


Supported Identity Providers

  1. Entra (Azure AD)
  2. Okta
  3. Auth0
  4. OneLogin
  5. Many other Identity Providers that use SAML or OIDC may be supported. Contact us to check whether yours is currently supported.

Setting up the connection to your Identity Provider

CurrentWare support will be involved in helping you set up Single Sign-On.  The following information will be required for the setup:

  1. Which Identity Provider do you intend to use

  2. Organization name (for us to identify your account)

  3. Name and contact details (if not yourself) of the point of contact who will be configuring the Identity Provider integration

  4. How many operators you intend to enable Single Sign-On for

  5. Email domain of the users who will use Single Sign-On (this is used as part of the authentication process)

  6. Your CurrentWare web console domain and port (this is used as part of the validation process). 

  1. Once the CurrentWare team has created the basis of the platform integration they will provide you with your Organization ID, which you can enter into the Organization ID field.
  2. Input the value of your CW web console domain and port into the Callback URI Domain (or use the default recommended value), ensuring that it matches the information provided to the CurrentWare team.  Note that this is case sensitive.
  3. Click Save
  4. The Single Sign-On feature should now be unlocked and the remaining steps should be accessible
  5. Click “Open SSO Setup Portal” and follow the instructions on the page to configure your Identity Provider.  Close that page once it’s completed.
  6. Click “Test Connection” to verify the connection from CurrentWare to your Identity Provider
  7. Ensure “Enable Single Sign-on” is enabled and click “Apply”

Creating/updating the operator accounts for SSO

  1. Go back to the “Operators” tab

  2. Click “Add Operator”

  3. Select “SSO” as the authentication

  4. Type in a username (this is used to identify this account in audit logs)

  5. Type in the principal email address of the user as recorded in your Identity Provider

  6. Click “Add”

  7. Sign out of your current admin account

  8. On the login screen click “Single Sign-On”

  9. Log in to your Identity Provider with valid credentials

  10. You should now be logged in to CurrentWare under the SSO operator account created earlier


Repeat the above steps to create the other operator accounts for Single Sign-On.  You can also enable SSO for existing local users.

Enforcing SSO for operator accounts

This option ensures that only Single Sign-On is allowed for logging into CurrentWare, so local accounts can no longer be used. This also removes access to the Winform console, if applicable.

Alert
Before enabling this option, ensure that your crucial admin accounts are validated to be working with SSO.


  1. Open Settings > Operators > Single Sign-On

  2. Enable the option for “Enforce SSO for operator accounts”

  3. Click “Apply”

Troubleshooting

After entering the organization ID and callback URI domain, the “Open SSO setup portal” button is not enabled

  • Ensure you have clicked the “Save” button to apply and verify the values

  • Ensure the Organization ID and Callback URI Domain match the values from the CurrentWare team, including case sensitivity

  • Check that your server has access to the internet and that your firewall or other security system has not blocked the integration platform URL “api.workos.com”

After setting up the identity provider, and testing the connection, it fails with an error

  • If the error mentions the domain, then verify that this domain has been provided to the CurrentWare team

  • If the error mentions redirect URI, then verify that the URI matches the information provided to the CurrentWare team

When trying to login using SSO, the error says the operator account is missing

  • An admin needs to create an operator account first, and the email address has to match the email address in the Identity Provider profile for that user
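
Most of the failures above come down to a value that does not exactly match what was given to the CurrentWare team. The following pre-flight check is an added example, not CurrentWare code: it explains why an entered Callback URI Domain differs from the registered one and lists operator emails outside the registered SSO email domain. It assumes the Callback URI Domain is written as "host:port"; the function names and all sample values are constructed for illustration.

```python
# Added example: pre-flight check of SSO setup values. Not CurrentWare code.
# Assumption: the Callback URI Domain is written as "host:port".
# All sample values below are constructed.

def split_host_port(value):
    """Split 'host:port' into (host, port); port is '' when absent."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep and port.isdigit() else (value, "")

def check_callback(registered, entered):
    """List the reasons `entered` is not an exact match for `registered`."""
    if entered == registered:
        return []
    findings = []
    trimmed = entered.strip()
    if trimmed != entered:
        findings.append("surrounding whitespace")
    if trimmed == registered:
        return findings
    if trimmed.lower() == registered.lower():
        return findings + ["differs only in letter case"]
    r_host, r_port = split_host_port(registered)
    e_host, e_port = split_host_port(trimmed)
    if e_host.lower() != r_host.lower():
        findings.append(f"host differs: {e_host} vs {r_host}")
    if e_port != r_port:
        findings.append(f"port differs: {e_port or 'none'} vs {r_port or 'none'}")
    return findings

def check_operator_emails(emails, sso_domain):
    """Return operator emails whose domain is not the registered SSO domain."""
    rejected = []
    for email in emails:
        local, at, domain = email.strip().rpartition("@")
        # DNS names are case-insensitive, so compare domains in lower case.
        if not (local and at) or domain.lower() != sso_domain.lower():
            rejected.append(email)
    return rejected

if __name__ == "__main__":
    print(check_callback("console.example.com:8443", "Console.example.com:8443 "))
    print(check_operator_emails(["alice@example.com", "carol@example.org"],
                                "example.com"))
```
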

Tips for usage

  • Create a role or group specifically for allocating users who should have access to CurrentWare

    • When configuring the application, your Identity Provider should have the ability to limit Single Sign-On to specific users defined by the role or group.  You can then add/remove users from that group to manage single sign-on access.

  • At this time CurrentWare does not support Identity Provider initiated sign-on flow (where a user opens CurrentWare from the Identity Provider portal).  Therefore, it is best to disable this feature from your Identity Provider if available.

