Single Sign-On (SSO)

Does your Company use Single Sign-On (SSO) to allow access to multiple independent software systems? Benojo can support that - we offer SSO as an access and control method for our business users.

What is Single Sign-On (SSO), and What are the Benefits?

With SSO, a user logs in with a single ID and password in order to access a variety of connected systems, without the need for separate usernames and passwords, allowing the user to seamlessly sign in on each system.

Benefits to using Benojo with SSO include:

  • No need to remember new usernames or passwords
  • For the employee, the user experience is seamless - they feel as if they are using an internal system specific to your business...it feels familiar, and like you.
  • A user's data is pulled into the Benojo system on first log in, and updated on every subsequent log in, meaning a user enjoys pre-populated profile information, such as their employee number, name and email address.
  • Employees are automatically added to Benojo - when someone new joins your business, there is no need for you to take additional action on the Benojo platform; they will be automatically created on first log in.
  • Allows greater permissions and control over who can see and access Benojo from within your business.


The Technical Stuff

So how does it work? Well, this is the information your tech team will want to know:

Single Sign On using SAML

Single sign on (SSO) using SAML allows employees in your company to access Benojo using your company portal hosted at https://[company].benojo.com. When an employee navigates to your portal and clicks Sign in, they will be sent to your company login page and required to authenticate. When they have successfully logged in, they will be redirected to Benojo as a logged in user.


How can I set this up for my company?


SSO setup is not fully automated and will require the assistance of the Benojo team. We recommend that you read the information below to understand how this works and whether this can work for you in your company. When you are ready to proceed, please contact us at support@benojo.com.

Just in Time creation


Employees who sign into Benojo for the first time will have a Benojo profile created for them. On first sign in, they will be asked to accept the Benojo terms and conditions, fill out extra profile information (more to follow), and set their contribution intentions for the year. Subsequent sign ins will update the profile with fields obtained from your company Identity Provider.

Extra profile information

Employees who sign in using SSO will automatically have their first name, last name, and email address populated in Benojo. Employee number will be populated if it is provided by your Identity Provider (recommended). As the lifetime of a Benojo profile may exist beyond the user's employment at your company, a user is required to set their backup email address. When a user leaves the company, they are removed from the company portal, denied access to company information, have their employee number wiped and their primary (company) email address replaced by their backup email address. This leaves the user free to continue to use Benojo, keeping a history of their contributions and giving them access to their personal reports (e.g. tax deductions).

When the user signs in for the first time, they will be associated to your company. If your company is the parent in a hierarchy of offices, then the user will be required to choose an office when they first sign in.


Technical considerations

  • Benojo supports Identity Provider initiated flow, or Service Provider initiated flow.
  • If adding a link to log in to Benojo directly on your intranet, please link to https://[company].benojo.com/login.
  • Benojo supports HTTP-REDIRECT only (not HTTP-POST).
  • Your Identity Provider will need to sign SAML Assertions to verify your identity. You will need to provide your PEM-encoded X.509 certificate to Benojo to allow us to configure your SSO integration. Certificates should be signed using the SHA-256 algorithm.
  • Please contact Benojo prior to your certificate expiring so that we can upload new certificates and ensure a seamless experience for your employees.
  • Benojo does not support SSO Single Log out.

Identity Provider setup

  • The Entity ID should be set to https://[company].benojo.com/sso/saml/metadata.xml
  • The Assertion Consumer Service (Post back) URL should be set to https://[company].benojo.com/sso/saml
  • The Name Identifier must be unique and must not change for the lifetime of the user e.g. Employee number.
  • Employee first name attribute is required
<Attribute Name="user-first-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeValue xsi:type="xs:string">Arthur</AttributeValue>
</Attribute>
  • Employee last name attribute is required
<Attribute Name="user-last-name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeValue xsi:type="xs:string">Dent</AttributeValue>
</Attribute>
  • Employee email is required
<Attribute Name="user-email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeValue xsi:type="xs:string">arthur.dent@hitchhikers.com</AttributeValue>
</Attribute>
  • Employee number is recommended, and optional
<Attribute Name="user-employee-number" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <AttributeValue xsi:type="xs:string">42</AttributeValue>
</Attribute>
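
A pre-flight check for the attribute list above, as an added example (not Benojo's code): it parses a decoded test assertion from your own Identity Provider and reports missing required attributes and a missing Name Identifier. The sample assertion is constructed, the function name is hypothetical, and the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("user-first-name", "user-last-name", "user-email")
RECOMMENDED = ("user-employee-number",)

# Constructed sample assertion (unsigned, test data only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject><saml:NameID>42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user-first-name"><saml:AttributeValue xsi:type="xs:string">Arthur</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user-last-name"><saml:AttributeValue xsi:type="xs:string">Dent</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user-email"><saml:AttributeValue xsi:type="xs:string">
arthur.dent@hitchhikers.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return (errors, warnings, attrs) for one decoded SAML assertion or response.

    Configuration pre-flight only: it does NOT verify the XML signature,
    and is meant for test assertions from your own IdP, not untrusted input.
    """
    root = ET.fromstring(xml_text)
    errors, warnings, attrs = [], [], {}
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id.strip():
        errors.append("NameID missing or empty")
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("Name")] = value.strip()  # tolerate padding around values
    for name in REQUIRED:
        if not attrs.get(name):
            errors.append(f"required attribute {name} missing or empty")
    for name in RECOMMENDED:
        if not attrs.get(name):
            warnings.append(f"recommended attribute {name} not sent")
    email = attrs.get("user-email", "")
    if email and ("@" not in email or any(c.isspace() for c in email)):
        errors.append("user-email is not a single address")
    return errors, warnings, attrs


if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

Attribute names are matched exactly as listed above, so an Identity Provider that sends a differently named attribute (for example `surname`) is reported as missing `user-last-name`.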