
Single Sign On

Single Sign On (SSO)


Single sign-on is an authentication service in which one set of login credentials is used to access multiple applications. SSO greatly simplifies access management for employees, and now with the 20.02.01 release you will be able to enter your credentials once to sign into the atrieveERP web portal and from there access atrieve Web without having to re-enter your credentials.


Frequently Asked Questions

What does the Single Sign On Process Flow look like?

What happens if the Single Sign On Authentication Service is down?

If the Single Sign On Authentication Service is down, there will be no way to sign into the portal or any related applications. The user will be presented with an error message. There is no automated fallback to non-SSO sign-in without changing the SSO configuration.

What happens if the Single Sign On Authentication Service is down while I am changing my atrieve Web password?

The password change will still complete. However, without the SSO authentication service functioning, there is no way to sign in to the application suite.

What happens if my Web Portal session expires while I am using Atrieve Web?

Your atrieve Web session will still remain active. Behind the scenes, there is a 'Keep Alive' process that happens between atrieve Web and the web portal. This process maintains the session and keeps it active. In the event that the session does become inactive, or the user clicks the Logout button in the web portal, the keep alive process should fire off on its next interval and prompt the user to log back into the web portal. Without being logged into the portal, some features, such as Document activities (viewing, uploading, etc.), are non-functional.

What happens if I click the Logout button in the Web Portal?

The logout process will log you out of both the application and of the Single Sign On authentication service. Whether a hard or soft logout is performed is a configurable setting. A hard logout will log you out of every service, whereas a soft logout will only log you out of the application you are currently in.

If you have an active atrieve Web session that you are currently working in and you log out from the web portal, you will be logged out of all services. However, your atrieve Web session will still remain active. The Keep Alive process (see above) will also be operational and will prompt you to log back into the web portal at its next interval. Clicking the logout link within the atrieve Web application will not log you out of the web portal session at this time.

How do I change my AtrieveWeb Password?

Since there is no direct native support for Single Sign On (SSO) within OpenVMS, we have provided a few places where you can change your OpenVMS password and have that change reflected and available immediately within SSO.

  1. In atrieve Web, you may click on the Key icon in the top right corner of any page


  2. In Role Based Security, you may select the 'Users' menu item from the main navigation, select your employee name or employee number, and go to the Constraints area. If you are already set up for atrieveWeb SSO, you will have an atrieve Credentials constraint already configured for Single Sign On via the permission Can Login to Atrieve with Single Sign On. If not, you may click on the “Add Constraint” button to add one, and specify the username and password as required.

What happens if I change my atrieve Web password? Does it take effect immediately?

When you change your password as outlined above, the change will be reflected immediately the next time you launch atrieve Web. You can verify your SSO atrieve Web credentials at any time using Role Based Security.

When I change my Atrieve Web password in Role Based Security, does it change my password for both my atrieve Web user and my LDAP/Security Builder user?

No, when you change your password via Role Based Security, it performs the following steps:

  1. Makes a call to the SMS system to ensure the atrieve Web user account you are trying to change exists and that your employee number is associated with it

  2. Calls the atrieve Web password change utility to update the password

  3. Saves the Role Based Security atrieve Web Credentials constraint to allow Single Sign On into the atrieve Web application

There is no call made to Security Builder to update the password (if Security Builder authentication is being used). There is also no call made to the LDAP service provider to update the password (if LDAP authentication is used). In order to change those passwords, you would need to use the existing methods according to that provider.

What is the Single Sign On Consent screen and why do I see it?

The Consent screen (if activated within the Authentication Service configuration for the particular calling client application) informs the logged-in user which application is requesting access to their data or application and what kind of data it is asking to access. Within our internal applications, each application can request different data to fulfill its needs. Some examples could be:

  1. The web portal requires your employee number and limited employee demographics details in order to provide bare essentials within the web portal applications. Additional elevated information may be requested such as your Security Builder overrides, your Role Based Security roles and permissions, and/or your Menu Service roles and menu items.

  2. atrieve Web requires your atrieve Web credentials from Role Based Security in order to sign you in

It is meant as a confirmation that the user is aware they are allowing an application to consume their data for a specific purpose. For our internal applications this is of no concern and the consent screen is disabled. However, if we were to provide external third-party applications single sign on access to our systems, you may want to have a confirmation that the information requested by that third party is allowed before it is permitted.

Why does it say the “Redirecting you to …” message after I log into the web portal or other applications?

Since the Single Sign On (SSO) process happens on a different application, there is some redirection of pages, reloading of pages, and other delays that occur. In case this process becomes bogged down or slower than normal, the message is intended to inform the user that there is something happening behind the scenes and that you will be redirected after the processing has completed successfully.

Why are my atrieve Web bookmarks no longer redirecting me to sign into atrieve Web?

The first phase of SSO has a limited scope of allowable redirects.  We have added this redirect as a possible offering in phase 2 of SSO.

When you add a new atrieve Web user, does it automatically create a constraint within Role Based Security to allow Single Sign On to Atrieve Web?

If the atrieve Web password change utility wrapper is called during the user creation, then yes, the Role Based Security constraint for atrieve Web credentials will be created automatically. If not, the first time the user runs the atrieve Web product, they will be presented with a username and password prompt. Upon a successful login, the atrieve Web product will automatically create the Role Based Security atrieve Web credentials constraint.

Is there any Audit or Activity logging for Single Sign On logins and logouts?

Yes, there is full logging available indicating all activities within the Single Sign On service. This process is automated and happens on every interaction with the authentication service.

Are there any reports that show which user/employee accounts are associated with Single Sign On?

Yes, there are two reports available within SMS via Atrieve Web that you may run to see which accounts are inactive, which are active, and which have their Role Based Security Atrieve Web credentials constraint set up.

The SMS Employee Settings Changes/Inquiry screens will indicate which atrieve Web user account is associated to which employee number:

There are two Security Reports available which allow you to look up which accounts are set up correctly and which are not:

The Employee Number Report will show you atrieve Web accounts that do NOT have an employee number associated within the SMS system.

The Employee Role Based Security Report will show you which accounts do not have a Role Based Security Atrieve Web credentials constraint set up.

