OpenGov Single Sign-On (SSO): Technical Configuration Guide Procurement
What is SAML SSO?
SAML (Security Assertion Markup Language) is a standard for SSO (Single Sign-On). SAML single sign-on (SSO) allows your users to authenticate to OpenGov through your company's existing identity provider. This means they can access multiple tools with the same set of credentials while using a more secure method of authentication than just a username and password.
Why use SAML SSO?
Organizations, companies, and governments use Single Sign-On (SSO) as an enterprise identity tool so that their employees do not have to manage multiple passwords for different applications.
Supported Identity Providers
OpenGov can work with any SAML 2.0 provider which includes three of the most common and preferred identity providers used by governments:
- Microsoft Active Directory (ADFS)
- Microsoft Azure Active Directory
- Okta
To request this service, please contact your OpenGov Customer Success Manager for pricing and then review and follow the instructions below. Please also read the technical limitations below.
Instructions for Your Single Sign-On Administrator
- Please complete this SSO enablement form and provide the information from your government’s identity provider that is required to establish SAML certification. Please submit this information via the Resource Center: www.support.opengov.com. Support will contact you to set up a meeting for SSO enablement.
- Your government's SSO administrator should use the OpenGov parameter values listed below to add OpenGov as a new application in your identity provider. Please refer to instructions from your identity provider to complete this step and configure the settings using email as the default username or Name ID format.
Exchanging SAML Federation Metadata
SAML federation metadata describes an identity provider or a service provider. The metadata needs to be exchanged between our two parties in order to establish a SAML federation. SAML metadata typically includes:
- Entity Identifier
- Public keys used to check SAML message signatures
- Endpoint URLs
- Supported bindings and profiles
- Your government’s identity provider’s SAML certificate or HTTPS certificate:
  - Identity provider’s SAML certificate: This certificate is used to sign validation requests sent from OpenGov to an identity provider. It must be a 2048-bit certificate. We strongly recommend that this certificate be long-lived and self-signed.
  - Identity provider HTTPS certificate: This certificate is used to make HTTPS connections. It must be signed by a respected CA that is included in the Java trusted CA list.
OpenGov Parameter Values Required for Your SSO Configuration
The OpenGov team will provide the following information so that your SSO Administrator can add OpenGov as a new application to your government’s SSO:
- Identifier (Entity ID): urn:auth0:opengov:{subdomain}
- Reply URL (Assertion Consumer Service URL): https://login.opengov.com/login/callback?connection={subdomain}
- Unique User Identifier (Name ID): user.mail
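The metadata exchange and the parameter values above, as an added example that is not OpenGov's own tooling: a stdlib-only Python script that fills in the service-provider values for a given subdomain and screens an identity provider's federation metadata for HTTPS endpoints, a signing certificate and the email Name ID format before it is submitted (the sample metadata, its entityID and the certificate placeholder are constructed).

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def opengov_sp_values(subdomain):
    """Service-provider values from the guide, filled in for one OpenGov subdomain."""
    return {"entity_id": f"urn:auth0:opengov:{subdomain}",
            "acs_url": f"https://login.opengov.com/login/callback?connection={subdomain}",
            "name_id": "user.mail"}

def check_idp_metadata(xml_text):
    """Parse IdP federation metadata and list what to fix before submitting it."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": entity_id, "problems": problems + ["no IDPSSODescriptor"]}
    # Users are redirected to these endpoints, so they must be served over HTTPS.
    sso_urls = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso_urls:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not HTTPS: {u}" for u in sso_urls if not u.startswith("https://")]
    # The signing certificate OpenGov will trust; a KeyDescriptor with no 'use' covers signing too.
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()]
    if not certs:
        problems.append("no signing certificate in metadata")
    # The guide asks for email as the Name ID; the IdP should advertise that format.
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if EMAIL_NAMEID not in formats:
        problems.append("emailAddress NameIDFormat not advertised")
    return {"entity_id": entity_id, "sso_urls": sso_urls,
            "signing_certs": len(certs), "problems": problems}

# Constructed sample metadata with a placeholder certificate; not a real identity provider.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.gov/adfs/services/trust">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example.gov/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The script does not check the certificate's key size (2048-bit) or lifetime, which still need to be verified separately with a certificate tool.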
IMPORTANT NOTES
Once your organization is enabled for SSO, traditional username/password-based authentication is no longer allowed to access your government’s OpenGov application(s).*
If you are provisioning a user outside your organization's domain, please exempt the user from SSO so they can log in via their username and password.
Further, if your identity provider certificate expires or changes, you must re-generate the metadata file with the new or updated certificate and submit the new metadata file to OpenGov. After submitting the new file, please wait for a notification from OpenGov before allowing your users to use SSO to log in again.
What are the technical limitations of this service?
- OpenGov SSO is only available for the following product suites at this time: OpenGov Procurement; Budgeting & Planning, including Reporting & Transparency; Permitting & Licensing; and Financials.
- SSO is not supported for API users. You can use single sign-on to log in to OpenGov products only through OpenGov’s UI.
- Access to multiple OpenGov Control Panel environments cannot be provided to the same email address. This applies to OpenGov Budgeting & Planning and OpenGov Reporting & Transparency.
For example, the OpenGov Control Panel application “tile” or icon may look like this in the Okta application directory:
Related articles
- Download this enablement form, complete it, and return it to your customer success manager:
- OpenGov Single Sign-On - Enablement Form .docx
- OpenGov Single Sign-On FAQs.pdf
Version 1.1