
How SKYVISITOR.CLOUD Uses Logto Enterprise SSO for Secure Client Authentication

SKYVISITOR supports Enterprise Single Sign‑On (SSO) via Silverhand’s Logto platform, enabling customers to authenticate users through their existing corporate Identity Provider (IdP). This KB article explains how it works and what benefits it provides.

What Is Enterprise SSO?

Enterprise SSO allows users to sign into multiple workplace applications using a single identity, eliminating the need for separate usernames and passwords.

Logto provides a secure, standards‑based SSO bridge using SAML and OIDC protocols.

SKYVISITOR.CLOUD supports Enterprise SSO through Logto, using open standards for authentication and authorisation, for a single monthly subscription fee per domain.

Click this link for further info directly from Logto

Which Identity Providers Are Supported?

SKYVISITOR (via Logto) supports:

  • Microsoft Entra ID
  • Google Workspace
  • Okta
  • Any SAML‑compliant provider
  • Any OIDC‑compliant provider

Logto includes built‑in connectors for common IdPs and supports custom configurations for others.

Key Features SKYVISITOR Clients Benefit From

1. Domain‑Based Auto‑Routing

Users are automatically sent to the correct IdP based on their email domain (e.g., @client.com).
This eliminates login confusion and improves user experience.
[docs.logto.io]


2. Just‑in‑Time User Provisioning (JIT)

New users are automatically created in SKYVISITOR when they sign in for the first time via SSO — no administrative setup required.
[docs.logto.io]


3. SP‑Initiated and IdP‑Initiated Login

SKYVISITOR supports both:

  • Starting login from SKYVISITOR (SP‑initiated)
  • Launching SKYVISITOR from the organisation’s central portal (IdP‑initiated)

This matches enterprise user workflows and security practices.
[logto.io]


4. Strong Security & Compliance

Enterprise SSO allows clients to enforce:

  • MFA
  • Passwordless authentication
  • Centralised access policies
  • Rapid access removal

Logto’s architecture ensures centralised control and simplifies compliance support.

Logto is also SOC 2 Type II certified.


Why SKYVISITOR Chose Logto

Logto offers:

  • Robust enterprise security features
  • Seamless integration with modern and legacy IdPs
  • Low‑code setup
  • Smooth user flows tailored to enterprise environments
  • Proven support for large‑scale SaaS applications

This makes Logto the ideal choice for powering SKYVISITOR’s Enterprise SSO capabilities.


Need Help Setting Up SSO?

Our implementation team can assist with:

  • IdP configuration
  • Metadata exchange (SAML)
  • Redirect URI setup
  • Domain routing configuration
  • Testing and validation

Please contact SKYVISITOR Support to begin your SSO onboarding / check out the GET STARTED STEPS below:

GET STARTED STEPS:

IMPORTANT! Confirm that you use the user's EMAIL address as the unique identifier. 
If you do not use email as the unique identifier, it is important that you notify us asap.

OIDC USING ENTRA 

SETTING UP FOR SSO USING ENTRA AS YOUR IdP

1. Please complete this form.
This will simply ask for the details of your named Tech Contact(s)*, the domains* you would like to link with your SKYVISITOR database and your External IP(s) for whitelisting.
(Please note that your External IPs are only required if you are using the SKYVISITOR Windows Apps.)

2. Once received, we will commence setup of your database on SKYVISITOR.CLOUD and return a unique URL to you.

3. Once you have this, you will be able to set up the Logto App in your Entra Admin Portal.
Please follow this link for the setup instructions to register the Logto App in your Entra Admin Portal (previously Active Directory).

4. Once this is set up, please provide us with the following IDs from your App Registration.
As this is sensitive information, you will liaise directly with ross.worth@aptivy.co.uk to provide this.

  • Application (Client) ID
  • Client Secret: Value:
  • Secret ID:
  • Endpoint - OpenID connect:

From this, we will complete your registration for SKYVISITOR.CLOUD and notify you when your access is ready.

You must be on the SKYVISITOR.CLOUD platform to use this feature. 
If you are currently on skyvisitor.com, we will arrange this migration to skyvisitor.cloud, with you.

--------------------------------------------------------------------------------------------------------------------
FAQS

  • HOW ARE NEW USERS HANDLED?

ROLE TEMPLATES & LOCATIONS:

We will agree a user template profile with you for default New Users on SSO sign-in. This will cover Locations and permission sets.

It is most common to default this to least access, least permission and escalate / enhance on a case-by-case basis internally, when required.
On first login a New User will be created with access set to the pre-agreed SSO template, and your System Admins will be able to add additional permissions to other users, including creating other Administrators.

  • Can I have multiple templates?
    Yes.
    If you are operating SKYVISITOR over multiple sites and want to restrict certain users to certain sites, or specific permission sets, we can set up predefined templates to accommodate this via mapping. 
    This is subject to a shared identifier in your Entra User's Profile which we can read.
    You may also have multiple templates based on different Domains.

  • What if I have a Group Domain?
    If your domain is shared across a group (for example nhs.net, propertymanagementco.com, or a school within a MATrust), we would need to identify a property in your Entra User Profile (Groups?) to determine where they should be directed.
    This would be arranged with you before activation.

  • WHAT ABOUT EXISTING USERS?
    I.E. You previously used local login (username and password) but want to switch to SSO. 
    If you are already using SKYVISITOR and want to start to use SSO - we will carry out the following steps for migration and preparation to ensure a smooth handover.

    • The SKYVISITOR TEAM will run a data check to confirm that your existing users have their Company email address in their profile, matching your requested domain(s).
    • This will then be used to map the newly logged-in user, from the email address they have logged in with, to the pre-existing 'local login user'.
    • This script will also deactivate the local login for the user, ensuring access is only via your chosen IdP.
    • Any previously assigned Permission Group, and all past and future bookings, are then unaffected.
  • If you are migrating from .com to .cloud there will be a change in URL for your users. We will provide comms for you to distribute.
    The database will be moved from the .com Azure instance to the updated .cloud Azure instance. There will be no risk of them logging in to the wrong database.


  • WHAT HAPPENS IF A USER CHANGES / UPDATES THEIR EMAIL ADDRESS?

    For instances where a user has a change in email address, e.g. amie.slater@safetynetsolutions.co.uk -> amie.rolfe@safetynetsolutions.co.uk, by default the system will see this as a new user and will provision a new user within SKYVISITOR the next time they attempt to log in.
    If you/they update their email address in their SKYVISITOR profile in advance, it will automap.
    If they have logged in without update, or this has not transpired, and as a result they now have 2 profiles, simply contact us on helpdesk and ask for a ticket to be raised to merge their 2 profiles.

  • CAN WE USE THIS AS AN OPPORTUNITY TO START WITH FRESH DATA?
    Absolutely. We can build you a brand new set up. You can retain your old data as archive (SQL Copy or XLSX export), or we can retain in Azure renamed \archive. This will carry a minimal storage fee.

NOTE: OKTA / SAML IdP - please contact us for set up instructions
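
The sign-in handling described in the FAQs above (email as the unique identifier, mapping to an existing local-login user, just-in-time provisioning onto a least-access template, and the email-change case), as an added illustrative model that is not SKYVISITOR's or Logto's code. The function names, template names, the client.com sample domain and the case-insensitive email comparison are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: linked domain -> pre-agreed default template (assumed names).
DOMAIN_TEMPLATES = {"client.com": "sso-default-least-access"}

@dataclass
class User:
    email: str
    template: str
    local_login_enabled: bool = False
    bookings: list = field(default_factory=list)

def normalise(email: str) -> str:
    # Assumption: emails are compared case-insensitively after trimming.
    return email.strip().lower()

def sso_sign_in(directory: dict, idp_email: str) -> tuple:
    """Return (user, outcome) for an email address asserted by the IdP."""
    email = normalise(idp_email)
    local, sep, domain = email.rpartition("@")
    if not sep or not local or domain not in DOMAIN_TEMPLATES:
        raise PermissionError(f"domain not linked for SSO: {domain!r}")
    user = directory.get(email)
    if user is not None:
        # Existing profile: permissions and bookings stay, the password path closes.
        outcome = "migrated" if user.local_login_enabled else "existing"
        user.local_login_enabled = False
        return user, outcome
    # No email match: provision a new user on the least-access template.
    user = User(email=email, template=DOMAIN_TEMPLATES[domain])
    directory[email] = user
    return user, "provisioned"

def demo() -> list:
    directory = {  # one pre-existing local-login user (constructed)
        "amie.slater@client.com": User("amie.slater@client.com", "site-admin",
                                       local_login_enabled=True, bookings=["B-1001"]),
    }
    outcomes = []
    for email in ("Amie.Slater@client.com",  # existing local-login user
                  "new.starter@client.com",  # first ever sign-in
                  "amie.rolfe@client.com"):  # same person after an email change
        user, outcome = sso_sign_in(directory, email)
        outcomes.append((user.email, user.template, outcome))
    return outcomes

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third sign-in lands on a fresh least-access profile rather than the existing one, which is the duplicate-profile situation the email-change FAQ resolves by updating the profile in advance or requesting a merge.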

Linked Articles:
SSO Overview;
https://faqs.safetynetsolutions.co.uk/en/knowledge/brief-overview-of-sso-for-skyvisitor

Tech Info SKYVISITOR.CLOUD