SSO Security Overview
This article provides a security overview of Single Sign-On (SSO) with Showell.
Who is this for?
👤 Administrators
👁️🗨️ Available as an Add-on in selected plans
1. Introduction
Single Sign-On (SSO) with Showell lets your users authenticate against Showell using your organisation's existing identity provider, instead of maintaining a separate Showell password. Once SSO is enabled, Showell delegates the act of signing the user in to your provider. Showell itself never sees the user's password.
Showell supports SSO via the OpenID Connect (OIDC) protocol. Any identity provider that exposes a standard OIDC endpoint (Entra ID / Azure AD, Okta, Google Workspace, OneLogin, Auth0, etc.) can be configured.
The SSO integration is designed with security as a fundamental aspect, employing strong authentication, encryption, and data-handling practices. While this overview provides a comprehensive look at the security measures in place, further details can be obtained through direct contact with Showell support.
2. Authentication and Authorization
When SSO is enabled, the authentication flow runs as follows:
- The user opens Showell and is redirected to your organisation's OIDC provider.
- The provider authenticates the user (handling MFA, conditional access, password policies, etc.) and returns a signed ID token to Showell.
- Showell verifies the token using the client secret the admin configured during SSO setup, and grants the user a Showell session.
Important points:
- Showell never sees the user's password. Credentials are validated by your identity provider; only the resulting token reaches Showell.
- MFA is delegated to your provider. Because authentication is handled on the IdP side, Showell's own MFA option is disabled when SSO is in use. MFA policies you configure in Entra ID, Okta, etc. apply automatically.
- Client secret rotation. Admins enter the OIDC client secret (and optional expiration date) in Showell. Showell stores these securely and notifies admins ahead of expiration so the secret can be rotated before it lapses.
- Scopes requested. Showell requests the standard OIDC scopes openid, profile, email, and offline_access. The exact claims returned to Showell depend on your identity provider's configuration.
3. Data Encryption
Data security is a top priority, and the integration uses robust encryption methods to protect data both in transit and at rest.
The OIDC token exchange between your identity provider and Showell is secured using HTTPS, ensuring encrypted traffic to prevent interception.
At rest, data within Showell's physical database (including configured client secrets and OIDC tokens) is encrypted using AES-256 encryption, a standard that meets industry guidelines for securing confidential information.
Encryption keys are managed according to Showell's Encryption Key Management policy, ensuring they are periodically reviewed and upgraded as necessary.
Our server infrastructure is hosted on AWS in Europe, ensuring compliance with European data protection standards.
4. Data Handling and Privacy
SSO is intentionally minimal in what it ingests from your identity provider:
- After a successful login, Showell stores only the following fields from the OIDC token: the user's email address, display name, group ID(s) (if your IdP issues them, used to map the user to Showell Workspaces), the user's locale / preferred language (so the Showell App opens in the right language), and the OIDC token itself.
- Showell does not ingest any other directory data (phone numbers, addresses, manager, photos, custom claims) and does not synchronise the wider user directory back to Showell. If your organisation needs additional fields (for example Company or Phone) to flow from your identity provider into Showell, this can be configured as part of the SSO setup; please discuss the required claims with your Showell contact person.
- The user's identity provider remains the source of truth. Deprovisioning a user in your IdP immediately prevents them from signing into Showell.
- Compliance with privacy regulations and standards such as GDPR, CCPA, and ISO 27001 is maintained, ensuring personal data is handled responsibly. Users can exercise their data subject rights (access, rectification, deletion) by contacting Showell support.
- We retain user data only as long as necessary to provide the service and comply with legal requirements.
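The two security-relevant steps above, token verification in section 2 and claim minimisation in section 4, are illustrated below in an added example that is not Showell's own code. It assumes an HMAC-signed (HS256) ID token keyed with the configured client secret, which is one way an OIDC provider can sign ID tokens; the issuer, client ID, secret and claims are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example: not Showell's real issuer, client ID or secret.
ISSUER = "https://idp.example.com"
CLIENT_ID = "showell-example-client"
CLIENT_SECRET = b"constructed-example-secret"
# The only ID-token claims the article says are retained (besides the token itself).
KEPT_CLAIMS = ("email", "name", "groups", "locale")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed ID token; stands in for the identity provider (test input only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, secret: bytes = CLIENT_SECRET, now=None) -> dict:
    """Check signature, issuer, audience and expiry, then return only the kept claims."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never accept 'none' or whatever the token header asks for.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    # Data minimisation: keep only the fields the article lists; drop every other claim.
    return {k: claims[k] for k in KEPT_CLAIMS if k in claims}
```

A session should only be created when `verify_id_token` returns without raising; the extra directory claims the IdP may send (phone, address, custom claims) never reach the stored record.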
5. Tracking and Logging
Showell logs sign-in attempts (successful and failed) within the Showell App for security and audit purposes. These logs are accessible to authorised personnel only and are protected through encryption and access-control measures.
Authentication errors are logged with Sentry.io, helping us identify and address issues promptly without collecting personal data.
6. Security Measures
Additional security measures are in place to safeguard the integration:
- Regular Security Audits and Penetration Testing: Conducted in compliance with ISO 27001 standards, including regular monitoring and logging to check the effectiveness of procedures and controls. Important logs are reviewed monthly, and violations are reviewed within one business day.
- Secure Development Practices: Adhered to throughout the development lifecycle.
- Certifications and Standards: Compliance with standards such as ISO 27001 to ensure robust security practices.
7. Incident Response
In the event of a security breach, Showell has a comprehensive incident response plan:
- Identification: The incident is detected, reported, and verified by the Security Response Team (SRT).
- Assessment: The SRT examines the incident, logs details, evaluates risks, and categorizes the incident type.
- Response: The SRT acts to control the incident, secures evidence, and reports to law enforcement if necessary. Post-incident analysis is conducted to prevent future occurrences.
The SRT, composed of the CTO, CISO, senior management, customer support, IT, and Product Development team members, is responsible for investigating and responding to incidents. The team ensures compliance with relevant laws and conducts post-incident reviews to implement remedial actions.
8. Contact Information
If you have any questions or concerns about this security overview or the handling of your information, please contact your Showell contact person or Showell support.
💡 Summary (TL;DR)
SSO lets your users sign into Showell with your organisation's existing identity provider, delegating authentication (and MFA) entirely to your IdP.
- Protocol: OpenID Connect (OIDC). Works with Entra ID / Azure AD, Okta, Google Workspace, OneLogin, Auth0, and other standard OIDC providers.
- Authentication and Authorization: Showell never sees user passwords. The IdP authenticates the user and returns a signed token; Showell validates that token using the configured client secret. MFA is delegated to your IdP.
- Data Encryption: OIDC token exchange uses HTTPS. Showell's database (including stored secrets and tokens) is encrypted at rest using AES-256. Hosted on AWS in Europe.
- Data Handling and Privacy: Showell stores only email, display name, group ID, locale, and the OIDC token. Nothing more. Deprovisioning in your IdP immediately blocks sign-in to Showell. Complies with GDPR, CCPA, and ISO 27001.
- Tracking and Logging: Sign-in attempts are logged for security and audit. Errors are logged via Sentry.io without storing personal data.
- Security Measures: Regular security audits and penetration testing. ISO 27001 alignment.
- Incident Response: Comprehensive plan with identification, assessment, and response by the Security Response Team.