Overview
The TWAICE platform supports Single Sign-On (SSO), enabling secure and seamless access using your organization’s existing identity provider (IdP).
With SSO, users can authenticate using their corporate credentials, ensuring alignment with internal security policies while simplifying access to the platform.
Key Benefits
Implementing SSO with TWAICE provides several advantages:
Centralized identity management
Manage user access through your existing identity provider, with no need for separate credentials.
Stronger security and policy enforcement
Enforce your organization’s authentication policies, including Multi-Factor Authentication (MFA), password rules, and conditional access.
Reduced administrative overhead
Eliminate password management within TWAICE and streamline user provisioning and deprovisioning.
Improved user experience
Enable fast, frictionless login with familiar corporate credentials; no additional passwords are required.
How SSO Works: Architecture & Authentication Model
TWAICE uses a federated authentication model:
TWAICE: acts as the Service Provider (SP)
Your organization: acts as the Identity Provider (IdP)
When SSO is enabled:
Authentication is handled entirely by your IdP
TWAICE does not store or manage passwords
Your existing security policies are automatically applied
Supported Protocols
TWAICE supports industry-standard authentication protocols:
OpenID Connect (OIDC) (recommended)
SAML 2.0
Supported Identity Providers
You can use any standards-compliant IdP, including:
Microsoft Azure Active Directory (Azure AD / Entra ID)
Okta
Duo
Auth0
Other providers supporting OIDC or SAML 2.0
User Login Experience
Once SSO is configured, the login process is straightforward:
Navigate to your TWAICE platform (customer-specific subdomain)
Click “Sign in with Single Sign-On”
You are redirected to your organization’s IdP
Authenticate using your corporate credentials
You are redirected back to TWAICE and logged in
All authentication takes place within your organization’s secure environment.
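The login flow above is the OIDC authorization code flow, with TWAICE in the Service Provider role and your IdP authenticating the user. The script below is an added example (not TWAICE code and not any IdP's code) that walks the exchange in memory and shows the checks the SP side has to pass before it trusts the returned identity: the state parameter must match the one stored for the browser session, and the ID token's signature, issuer, audience, expiry and nonce must all check out. The issuer, client ID, redirect URI and user values are placeholders; the IdP is simulated by a local function, and the token is signed with a constructed HS256 key so the example runs offline (a real IdP signs with RS256 and the SP verifies against the IdP's published JWKS).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for this example; in practice they come from your IdP tenant and TWAICE.
ISSUER = "https://idp.example.test/tenant-placeholder/v2.0"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://customer-placeholder.twaice.example/auth/callback"
# Constructed shared key so the token can be signed and checked offline with HS256.
# Real OIDC ID tokens are RS256-signed by the IdP and verified against its JWKS.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(session: dict) -> str:
    """SP side (TWAICE role): build the authorization request, remembering state and nonce."""
    session["state"] = secrets.token_urlsafe(32)  # binds the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(32)  # binds the ID token to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",  # the scopes listed under Prerequisites
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def idp_issue_id_token(nonce: str, sub: str, email: str, aud: str = CLIENT_ID, ttl: int = 300) -> str:
    """Stand-in for the IdP: mint an ID token that echoes the nonce from the request."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "email": email,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_id_token(token: str, session: dict) -> dict:
    """Checks the SP must pass before trusting the identity: signature, issuer, audience, expiry, nonce."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(DEMO_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), session.get("nonce", "")):
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(callback_url: str, session: dict, redeem_code) -> dict:
    """SP side: validate the redirect back from the IdP, redeem the code, verify the ID token."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, session.get("state", "")):
        raise ValueError("state mismatch")  # callback is not tied to this browser session
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    claims = verify_id_token(redeem_code(code), session)
    session.pop("state")  # state and nonce are single-use
    session.pop("nonce")
    return claims


def run_flow(tamper_state: bool = False, wrong_aud: bool = False, wrong_nonce: bool = False) -> dict:
    """Walk the whole exchange with an in-memory session; the flags exercise the rejection paths."""
    session = {}
    sent = parse_qs(urlparse(start_login(session)).query)
    # The IdP authenticates the user, then redirects back with a code and the same state.
    issued_code = secrets.token_urlsafe(16)
    state_back = "not-the-session-state" if tamper_state else sent["state"][0]
    callback = f"{REDIRECT_URI}?{urlencode({'code': issued_code, 'state': state_back})}"

    def redeem_code(code: str) -> str:  # simulated back-channel call to the token endpoint
        if code != issued_code:
            raise ValueError("unknown code")
        nonce = "stale-nonce" if wrong_nonce else sent["nonce"][0]
        aud = "other-client-placeholder" if wrong_aud else CLIENT_ID
        return idp_issue_id_token(nonce, sub="user-123", email="user@example.test", aud=aud)

    return handle_callback(callback, session, redeem_code)


def flow_result(**kwargs) -> str:
    """'ok' for a successful login, otherwise the reason the SP rejected the callback."""
    try:
        run_flow(**kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for case in ({}, {"tamper_state": True}, {"wrong_aud": True}, {"wrong_nonce": True}):
        print(case or "happy path", "->", flow_result(**case))
```

Each rejection corresponds to a real failure mode: a callback that arrives with a state the SP never issued, a token minted for a different client, or a token replayed from an earlier request. TWAICE never sees the user's password at any point in this exchange; it only receives the code and the signed token.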
Security & Access Control
Authentication
Fully managed by your IdP
Centralized identity control
No password storage within TWAICE
Multi-Factor Authentication (MFA)
Configured and enforced via your IdP
Fully supported by TWAICE
User Lifecycle Management
Provisioning and deprovisioning handled via your IdP
Access follows the least privilege principle
Access reviews remain under your control
Session Management
Session policies (e.g. timeout, re-authentication) defined via your IdP
TWAICE enforces standard session security practices
All authentication and access events are logged
Implementation & Setup
SSO is typically configured during onboarding in collaboration with your IT team.
Prerequisites
Your organization provides:
OIDC or SAML endpoints
Client ID (“application id”)
Client Federation / Metadata URLs:
Example (Microsoft Entra ID OIDC):
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
Required scopes (for OIDC):
openid (required)
profile (recommended)
email (recommended)
TWAICE provides:
OIDC / SAML 2.0 callback URLs to register in the application you configure at your IdP
Sign-In Redirect URL: the customer-specific subdomain used to reach the platform
Setup Steps
Select protocol (OIDC or SAML 2.0)
Exchange metadata between your IdP and TWAICE
Configure authentication settings within TWAICE
Test login flow with test users
Go live and enable SSO for all users
SSO will be the default login method once configured.
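A pre-flight check for the Prerequisites and the metadata-exchange step above, as an added example (not TWAICE tooling): it inspects an OIDC discovery document of the kind served at the `.well-known/openid-configuration` URL, confirms the endpoints TWAICE will rely on are present and served over HTTPS, that the issuer matches the discovery URL (the ID token's `iss` claim is checked against it), that the required and recommended scopes are offered, and that the client ID and callback URLs are usable. The discovery document, tenant, client ID and callback URL are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed discovery document in the shape served at
# https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
# ("tenant-placeholder" is not a real tenant).
SAMPLE_DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/tenant-placeholder/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/tenant-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/tenant-placeholder/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/tenant-placeholder/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_DISCOVERY_URL = "https://login.microsoftonline.com/tenant-placeholder/v2.0/.well-known/openid-configuration"
SAMPLE_CALLBACKS = ["https://customer-placeholder.twaice.example/auth/callback"]  # placeholder

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid"}            # required, per the Prerequisites list
RECOMMENDED_SCOPES = {"profile", "email"}  # recommended, per the Prerequisites list


def preflight(doc: dict, discovery_url: str, client_id: str, callback_urls: list) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for an IdP discovery document and SP inputs."""
    errors, warnings = [], []

    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if not value:
            errors.append(f"discovery document lacks {key}")
        elif urlparse(value).scheme != "https":
            errors.append(f"{key} is not served over https: {value}")

    # Per OIDC Discovery the document lives at issuer + /.well-known/openid-configuration,
    # so the issuer must equal the discovery URL with that suffix removed.
    expected_issuer = discovery_url.rsplit("/.well-known/", 1)[0].rstrip("/")
    issuer = (doc.get("issuer") or "").rstrip("/")
    if issuer and issuer != expected_issuer:
        errors.append(f"issuer {issuer} does not match discovery URL {discovery_url}")

    supported = set(doc.get("scopes_supported", []))
    if REQUIRED_SCOPES - supported:
        errors.append(f"IdP does not offer required scopes: {sorted(REQUIRED_SCOPES - supported)}")
    if RECOMMENDED_SCOPES - supported:
        warnings.append(f"IdP does not offer recommended scopes: {sorted(RECOMMENDED_SCOPES - supported)}")

    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow (response_type=code) is not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        warnings.append("RS256 ID token signing is not advertised")

    if not client_id.strip():
        errors.append("client ID (application id) is empty")

    # Callback URLs are matched exactly by the IdP: absolute, https, no fragment, no wildcard.
    for url in callback_urls:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            errors.append(f"callback URL must be an absolute https URL: {url}")
        if parts.fragment or "*" in url:
            errors.append(f"callback URL must be exact, without fragments or wildcards: {url}")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = preflight(SAMPLE_DISCOVERY, SAMPLE_DISCOVERY_URL, "client-id-placeholder", SAMPLE_CALLBACKS)
    print("ready to exchange metadata" if not result["errors"] else result["errors"])
    print("warnings:", result["warnings"])
```

Run it against the discovery document your IT team supplies before the "Test login flow" step; anything under `errors` will surface later as a failed redirect or a rejected token, and is cheaper to fix while the metadata is being exchanged.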
Responsibilities
The table below summarizes the responsibilities of both your organization and TWAICE in the SSO setup and operation.
| Area | Responsibility |
| --- | --- |
| Identity management | Customer (IdP) |
| Authentication policies (MFA, password rules) | Customer |
| SSO configuration | Shared (Customer IT + TWAICE) |
| Platform authorization (roles) | TWAICE |
| User lifecycle management | Customer (via IdP) |
👉🏻 If you have any questions or need support with your SSO setup, please reach out to TWAICE support!
