Activate SSO in the eworx Marketing Suite

Single sign-on for secure, cross-application login

The increasing use of cloud-based solutions in companies means that PC users have to manage a variety of different access data. However, this creates a security risk that should not be underestimated, as users often resort to insecure passwords because they are easier to remember.

Single sign-on provides a solution here, as it offers users the convenience they want: once activated, users can log in to all applications assigned to this identity via a centrally stored, comprehensive user profile and quickly switch between the individual services. In this guide, you will learn more about the background of SSO, organisational, technical and human security aspects, as well as how to set up and activate single sign-on in the eworx Marketing Suite.

What is behind SSO?

Single sign-on from eworx is a secure user authentication process. Once SSO has been set up, users can access all systems or applications assigned to their identity with just one central profile, without having to log in again within a session.

Well-known examples of single sign-on include Google and Facebook. Many online services no longer require users to enter new user data when registering; instead, they can log in using their Facebook or Google account.

How does this work exactly?

When a user logs into a web application such as the eworx Marketing Suite with this cross-application profile, the user is automatically authenticated in the background.
A token is used to prove that this particular user is actually authorised to use the eworx Marketing Suite. This token is passed on to the application via the user's browser. It is comparable to a passport that allows us to enter a country because a trusted authority (the state) has certified the authenticity of our identity by issuing it. In the case of SSO, the trusted authority is a so-called “identity provider”, in which the user profile and a corresponding certificate are stored. If you have recently been authenticated in another application, you do not need to re-enter your login details.

A popular example of such an identity provider, which is already frequently used in companies, is Microsoft Entra ID (formerly Microsoft Azure AD). The setup of SSO for the eworx Marketing Suite is shown below as an example for this identity service. Of course, implementation with other providers is also possible on request.

Is single sign-on really secure?

There's no question that logging in once is convenient. But is it also secure? To achieve the highest possible level of security in the authentication process, the following three levels should be taken into account:

Organisational security aspects

The ongoing digitalization of work processes means that, ideally, employees should be able to access their data and applications from anywhere, as they need to be able to use the relevant tools and services regardless of their location or device. However, this increased flexibility also increases the complexity of IT management. Not least because more and more people are working in networks that are beyond the direct insight and control of the IT team. This is where user authentication gives IT the tools it needs to monitor and ensure compliance with certain security aspects. Bundling all accesses within an identity store creates transparency, simplifies the management of authorizations and enables rapid intervention in the event of security breaches.

Of course, when introducing SSO, an appropriate concept should be in place that also takes potential vulnerabilities into account. Are there any special risks or requirements for certain user groups? Should users outside the office be able to access all applications, or are there restrictions? However, these questions arise in principle and not only in relation to SSO.

Technical security aspects

Naturally, identity services such as Microsoft Entra ID pull out all the stops to achieve the best possible security for access data. As far as the technical implementation of the identity server of the eworx Marketing Suite is concerned, the following aspects ensure a high level of security for the authentication process.

  • Proven standards
    Single sign-on for the eworx Marketing Suite complies with the latest standards for authentication (OpenID – a standard also used by Google and PayPal, for example) and authorization (OAuth2).

  • Finely tuned identity server
    Our identity server was developed based on a standardized framework (Identity Server 7) specifically for the requirements of our software and our demands in terms of security and scalability. This results in a number of advantages:

    • Influence on security-related factors (e.g. generation of one-time tokens that are only valid once; automatic logout of a user if they have not been active in the system for a certain period of time)
    • Enables multi-client capability in combination with SSO
    • Implementation with different identity providers possible
    • More flexible options for assigning rights in connection with custom developments

  • Multi-factor authentication
    It is also possible to design the SSO process as two-factor authentication, which is generally recommended for login data that provides access to a large amount of data and applications. With this multi-level variant, in addition to entering the login data, there is a second security query (e.g. entering an SMS code), which is required in various cases (e.g. when working on a network other than the company network). If you already use two-factor authentication, this will also be triggered when logging in via the eworx Marketing Suite.
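The token check from "How does this work exactly?" and the single-use and automatic-logout properties listed above, as an added Python sketch (not eworx or Identity Server code). All names, the key, the URL and the 900-second limit are constructed, and an HMAC signature stands in for the asymmetric signature a real identity provider uses.

```python
import base64, hashlib, hmac, json

# Constructed demo values; HMAC stands in for the provider's asymmetric signature.
IDP_KEY = b"constructed-demo-key"
ISSUER = "https://idp.example"
AUDIENCE = "marketing-suite"
IDLE_LIMIT = 900  # assumed: seconds of inactivity before automatic logout

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(claims: dict) -> str:
    """Identity-provider side: serialise the claims and sign them."""
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

class Application:
    def __init__(self):
        self.used_ids = set()   # ids of tokens that were already redeemed
        self.last_seen = {}     # user -> time of last activity

    def redeem(self, token: str, now: int) -> str:
        """Accept a token exactly once and start a session for its user."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            raise PermissionError("signature does not match the trusted issuer")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["iss"] != ISSUER or claims["aud"] != AUDIENCE:
            raise PermissionError("token was issued by or for someone else")
        if now >= claims["exp"]:
            raise PermissionError("token has expired")
        if claims["jti"] in self.used_ids:
            raise PermissionError("token was already used")
        self.used_ids.add(claims["jti"])
        self.last_seen[claims["sub"]] = now
        return claims["sub"]

    def touch(self, user: str, now: int) -> bool:
        """Record activity; return False once the idle limit has passed."""
        last = self.last_seen.get(user)
        if last is None or now - last > IDLE_LIMIT:
            self.last_seen.pop(user, None)
            return False
        self.last_seen[user] = now
        return True
```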

Human security aspects

Even the most secure authentication process is useless if users choose passwords that are too simple. In the case of single sign-on, it would be particularly disastrous if such a password were to be cracked. Raise awareness among your users and follow these guidelines for a secure password:

  • Avoid using complete words or proper names
  • Longer passwords are more secure than short ones – they should be at least 8-10 characters long
  • Mix letters, numbers and special characters and switch between upper and lower case
  • Never use the same password for single sign-on for other accounts, especially not for private accounts
  • Mnemonic device: Create a long, complex password using the first letters and characters of a sentence so that you can remember it easily. Example: My son's name is Otto and he is already 6 years old! -> Password: MShOuis6Ja!

How can I activate SSO for the eworx Marketing Suite?

For system administrators

In the case of Microsoft Entra ID (Azure AD), SSO is already ready for use for the eworx Marketing Suite and only needs to be requested and configured. For the initial rollout, we only need the following from you:

  • The ID of the Azure tenant and the information about which eworx Marketing Suite client it should be linked to
  • The authorisation to log you in and read your profile, as well as to read your directory data. To do this, call up the following link, log in with your admin user and click on "Accept". This step is only required once, but is a prerequisite for other users in the organisation to be able to log in with their Microsoft account later. We will then carry out the mapping and roll out SSO for the mailworx login.

Automatic assignment of permission groups

If you also want to control the configuration of permission groups via Microsoft Entra ID, you must additionally assign the groups in Entra ID to the corresponding groups in the enterprise application ‘mailworx Single Sign-On’.

In addition, automatic mapping of permission groups must be enabled and the mapping configured in the administration area of the eworx Marketing Suite.

To do this, go to Administration > SSO Settings.

Do you use a different identity provider?

Of course, we also offer the appropriate solution for this. In some cases (such as with Google, Facebook, Amazon Web Services, and Box identity services), the configuration is similarly simple, while others require custom programming (e.g., with on-premise ADs). Contact us, and we will be happy to send you further information.

For eworx Marketing Suite users

On the eworx Marketing Suite login page, below the usual fields for your username and password, you will also find the option to log in with a parent profile, e.g. “Sign in with Microsoft”.

If no valid login information from Microsoft Entra ID is available for the eworx Marketing Suite, you will be prompted to enter your Microsoft login details. This step can be omitted if valid login information is already available through the operating system.

User login with automatic mapping

Once automatic mapping of Microsoft Entra ID users and groups has been enabled and fully configured, no further manual steps are required when a user logs in.

When a new user who does not yet exist in the eworx Marketing Suite logs in, they are automatically created in the eworx Marketing Suite during the SSO login process. For this purpose, the basic user information (user name, email, first and last name) is taken directly from the information provided by Microsoft Entra ID. Permission groups are assigned based on the SSO settings in the respective client.

If the current user is not assigned to a configured Microsoft Entra ID group, a corresponding error message appears and the user cannot log in.
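The automatic-mapping login described above, as an added Python sketch (not eworx code). The class and function names are hypothetical; the claim names are those of Microsoft Entra ID tokens, and keying users by `oid` and re-syncing groups on every login are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ClientSsoSettings:
    """SSO settings of one client (hypothetical structure)."""
    tenant_id: str    # Azure tenant linked to this client
    group_map: dict   # Entra ID group id -> permission group in the suite

@dataclass
class SuiteUser:
    user_name: str
    email: str
    first_name: str
    last_name: str
    permission_groups: set = field(default_factory=set)

class LoginDenied(Exception):
    pass

def login_with_auto_mapping(claims, settings, users):
    """Handle one SSO login; `claims` come from an already verified token."""
    # Only the tenant that was linked to this client may log in.
    if claims.get("tid") != settings.tenant_id:
        raise LoginDenied("tenant is not linked to this client")
    # Translate directory groups; groups without a mapping grant nothing.
    granted = {settings.group_map[g] for g in claims.get("groups", [])
               if g in settings.group_map}
    if not granted:
        # Fail closed: no configured group means no login and no new user.
        raise LoginDenied("user is not in any configured Entra ID group")
    # Assumption: key on the immutable object id, since names can change.
    user = users.get(claims["oid"])
    if user is None:
        user = SuiteUser(claims["preferred_username"], claims["email"],
                         claims["given_name"], claims["family_name"])
        users[claims["oid"]] = user
    # Assumption: groups are re-evaluated on every login, so removing a
    # user from a directory group also removes the permission.
    user.permission_groups = granted
    return user
```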

User login with manual mapping

If automatic user mapping is not enabled, the link can be created manually after a new user logs in for the first time.
Depending on various factors, you will see different results after logging in via Microsoft Entra ID:

Scenario 1: SSO has already been commissioned and configured. Your user has been linked accordingly.

In this case, all you need to do is click on the link. If you have already authenticated yourself via another application (e.g. by logging in to your computer), you will not normally be asked for your login details again and you can continue working in the eworx Marketing Suite. Otherwise, you will need to re-enter the login details for your Microsoft account and, in the case of two-factor authentication, answer a second security question (e.g. enter an SMS code).

Scenario 2: SSO has already been ordered and configured. However, your user has not yet been linked.

Once SSO has been ordered and configured by us, both the administrators of the eworx Marketing Suite clients and the users themselves have the option of creating a link between the parent profile and the corresponding eworx Marketing Suite user, if this has not already been done. This may be necessary if new eworx Marketing Suite users are added after the initial rollout.

If you now enter your Microsoft data when logging in, you will receive the following error message:

No link to your eworx Marketing Suite user account
No link to an eworx Marketing Suite user account has been created for your Microsoft user account. You can set up the link yourself in the eworx Marketing Suite under My settings (My data tab) or alternatively contact [email protected].

  • Assignment by the client administrator:
    Open your client's user management and select the desired user from the list. Below the email address, you will find a drop-down menu called ‘Azure link’, where you can select the AD user you want to link. Save the new setting to activate the link. You can remove or adjust the link at any time via the user menu.

  • Assignment by eworx Marketing Suite users:
    To do this, select ‘My settings’ from the user menu (drop-down menu at the top right). In the ‘My data’ tab, you will now see a button labelled ‘Connect to Microsoft’. You may need to log in again with your Microsoft login details. The link will then be created automatically and you can continue working as usual.

Scenario 3: SSO has not yet been requested and configured

In this case, the following error messages may appear when you attempt to log in, as the Microsoft account has not yet been activated.

SSO has not yet been requested and configured
Sign-in via Microsoft account has not yet been enabled for your organisation. For more information, contact [email protected] to enable SSO.

Scenario 4: SSO has been commissioned and configured, but admin approval is still pending

We have already completed the initial setup of SSO for the eworx Marketing Suite, but the admin of the eworx Marketing Suite has not yet granted all the necessary permissions.

Administrator approval required
If you receive the message below, you can forward the corresponding link to your administrator with a request for confirmation.

Do you have questions that were not answered in this whitepaper, or would you like to learn more about the possibilities of SSO in connection with other identity services? We look forward to hearing from you!