Configuring Single Sign-On

IPRO supports Single Sign On (SSO). When SSO is configured, you can log in through your Identity Provider, there is no need to sign in separately to ARCHIVE or IPRO Search. Logins will occur automatically and invisibly.

How SSO Works

ARCHIVE and IPRO Search both use Security Assertion Markup Language (SAML) to achieve Single Sign On. SAML is an open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider. Authentication is performed through Active Directory (AD) by recognizing a user's domain, which often corresponds to their email address.

For many organizations, Active Directory Federation Services (ADFS) acts as the Identity Provider.

ARCHIVE, IPRO Search, and Proxy access are each considered a separate Service Provider. Enabling SSO on Proxy access is optional but recommended.

IPRO Search does not use Multi-Factor Authentication (MFA). However, ADFS may use MFA, prompting your users to provide different types of personal information in order to authenticate.
What is called a Service Provider in SAML terminology is called a Relying Part in ADFS terminology.

Once SSO is configured, a typical workflow will proceed as follows:

  • User logs in to ADFS.
  • User attempts to access the login screen.
  • Invisibly, ADFS is prompted for a SAML (or signed) assertion to authenticate the user and authorize login.
  • IPRO APID verifies the signed assertion.
  • The user is automatically logged in.

If the user attempt to sign in before they sign in to ADFS, they are redirected to the ADFS sign-in page, where they are prompted to enter credentials.

In all cases, once SSO is configured, the login screens for both ARCHIVE and IPRO Search are disabled and invisible.

If SSO is enabled, Admin users should not be synced.
Once SAML is enabled, users cannot change their password, since the welcome screen where this option appears is no longer visible. Since authentication occurs through Active Directory, the password is irrelevant when SSO is enabled.


IPRO Search has various timeouts designed to boost system security regarding user authentication. When SSO is enabled in IPRO Search and a timeout occurs, the session will refresh automatically after a timeout alert. ARCHIVE permanently auto-refreshes. In both cases, SSO overrides timeouts.

Assertion Validity

Assertions are permanent by default. The Administrator may choose to revoke assertions for specific users.


You need a separate valid certificate for both the Identity Provider and for the Service Providers. You can have one certificate for all Service Providers (ARCHIVE, IPRO Search, and Proxy access) as long as they are on the same server. If the Service Providers are on different servers, each will need its own certificate.

The certificate cannot be self-signed unless you are using it as a test. AD FS will not accept a self-signed certificate.

If the certificate host name does not match the host name that users access, SSO might not work. During configuration, an auto-detect function will assist you in detecting anomalies.

Bypassing SSO for Admins

Admins can use the URL ending in /saml/ to bypass SSO when doing admin tasks.

In most cases, Admin synchronization is required for SSO bypass to work as expected.
Closing a browser will not log the user out of SSO in all cases.

Bypassing SSO for End Users (NOSSO)

After SSO is set up, any local, manually created end user can bypass SSO by using the IPRO Admin UI URL ending in /nosso/.


The user must belong to a designated "nosso" group in AD in order to access this function.

The URL ending in /nosso/ will also work for admins.

Similar to SSO, an IPRO Search session in /nosso/ will refresh automatically after a timeout alert.

Closing a browser will not log the user out o fSSO in all cases.

Outlook Add-In

Since there is no connection between Outlook Add-in and ADFS, enabling Single Sign On (SSO) through SAML on Outlook Add-In is not possible. Instead, authentication is performed through IPRO Search. During Outlook Add-In setup, you have the option to authorize Outlook Add-In to use IPRO Search credentials. Upon first successful login to the Outlook Add-In, each user sees the following grant rights page:

    IPRO Search is displayed as 'NetGovern'.
  • If the user selects Allow, Outlook Add-In will have authorization to use IPRO Search credentials indefinitely, unless assertions are revoked.

    Going forward, logins into Outlook Add-In will occur automatically, regardless of whether or not the user is logged into IPRO Search, and whether or not SAML is enabled in the IPRO Admin UI.

    Maintaining Administrator Access

    Once SAML is enabled, you no longer log into the IPRO Admin UI using Administrator credentials. Instead, you log in using credentials associated to your personal email address. Therefore, before you enable SAML, you must ensure that you assign Administrator access to yourself—see Configuring an Administrator.

    If you do not do this, you will lock yourself out as an Administrator when SAML is enabled.

    Configuring SSO

    There are two ways to configure SSO: either by using ADFS, or another Identity Provider. Steps for both are provided further below.