Basware Single Sign-On (SSO) solution (Basware Access) allows end users to sign in to Basware services. Basware Access supports either a single or multiple customer Identity Providers (IdP) for authentication. The Basware API and/or Basware Admin UI are used to provision users and manage their access rights.
Recommended industry security best practice is to use the customer's own IdP, which removes the need for service-specific credentials. Basware SSO with customer IdP integration enables authentication using the customer's own corporate user accounts. This has a number of benefits, including reduced account management administration: no requirement for users to remember an additional username/password; increased security because credentials are stored only in the customer's own IdP; account lifecycle can be managed in the customer's own AD; and the customer can select their choice of Multi-Factor Authentication (MFA) or other hardened security policies.
When an end user navigates to Basware P2P, it instructs the client browser to navigate to Basware SSO (Access), which detects whether the user is already signed in or should be redirected further to their company IdP, using SAML 2.0 and the preconfigured trust relationship between the IdP and Basware. The security token is provided automatically by the IdP if the user is already connected to their corporate network. If the user is accessing the system from outside the corporate network, they are asked to enter their corporate credentials. The client application then sends the SAML security token to Basware Access, which in turn checks the validity of the security token and that it was issued by the trusted IdP. If the security token is valid and the user has been provisioned, the end user is granted an access token for Basware P2P. When the user is redirected back to the originating Basware P2P, it validates that the holder of the access token has service-level access and creates a service session with user-specific access roles. All network communications involved in this process are encrypted, and the corporate user account password is never passed outside of the corporate network.
Basware Access also provides the option of traditional username and password access. Users are provisioned via the Basware API and/or Admin interface. End users create their own password during first sign-in after the invite. Basware Access has MFA support, which customers can choose to make mandatory or optional for all their users. The authentication flow for basic username and password access is otherwise similar to the customer's own IdP scenario, except that the authentication step is handled in Basware Access.
- The customer is responsible for user provisioning. The customer can do this using Basware API integration or manually via an admin interface. This also applies when using the customer's own IdP: Basware does not grant access to every user that exists in the customer's IdP, only to users who have been provisioned.
- The required username format is the email address of the user, "name@customerdomain".
- Integration with a customer IdP requires the SAML 2.0 protocol.
- Only Service Provider initiated SSO is supported. IdP initiated SSO is not supported.
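The checks a Service Provider performs on a returned SAML response before it issues its own access token, as an added example (not Basware code): the response must answer the request this SP sent (SP-initiated only), the issuer must be the preconfigured IdP, the assertion must be inside its validity window and addressed to this SP, and the NameID must be a provisioned email address. The IdP and SP identifiers, the sample response and the provisioned-user set are constructed placeholders, and XML signature verification against the IdP certificate is assumed to have been done by an XML-DSig library before this step.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml to block XXE

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP-side trust configuration (placeholder identifiers, not Basware values).
TRUSTED_IDP = "https://idp.customerdomain.invalid/saml"
SP_ENTITY_ID = "https://access.sp.invalid/sp"
CLOCK_SKEW = timedelta(minutes=2)

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_request_id, now, provisioned_users):
    """Return the asserted email when every check passes, else raise ValueError.
    Assumes the XML signature was already verified against the preconfigured IdP certificate."""
    root = ET.fromstring(xml_text)
    # SP-initiated only: the response must answer a request this SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("unsolicited or mismatched InResponseTo")
    assertion = root.find("saml:Assertion", NS)
    cond = None if assertion is None else assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing assertion or conditions")
    # The issuer must be the preconfigured IdP, not merely any syntactically valid issuer.
    if assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise ValueError("untrusted issuer")
    # Validity window, with a small tolerance for clock drift between IdP and SP.
    if not (_utc(cond.get("NotBefore")) - CLOCK_SKEW <= now < _utc(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        raise ValueError("assertion outside validity window")
    # The assertion must be addressed to this SP; a token minted for another service is rejected.
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience mismatch")
    # Username format is the email address, and authenticating at the IdP is not enough: the user must be provisioned.
    email = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if "@" not in email or email.lower() not in provisioned_users:
        raise ValueError("unknown or unprovisioned user")
    return email

# Constructed, unsigned sample response using the placeholder identifiers above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.customerdomain.invalid/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@customerdomain.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://access.sp.invalid/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)
PROVISIONED = {"alice@customerdomain.invalid"}
```

Rejecting on any single failed check, rather than logging and continuing, is what keeps a valid token for another service or an unprovisioned IdP user from turning into a session.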
The following simplified diagram shows the steps carried out to successfully authenticate a user using the Basware Single Sign-On solution (Basware Access) with the customer's own IdP. The diagram is simplified by omitting the underlying SAML 2.0 protocol-specific assertion mechanisms and handshakes.