Single Sign-On (SSO) provides the ability for Content Administrators to log into the SnapComms Platform using company credentials rather than a SnapComms username and password. There are two types of authentication that can be used for SSO: the first is logging in with company ID via a SAML Identity Provider; the second is logging in with a Microsoft account via Microsoft Azure Active Directory. This article describes the first type of authentication.
SSO for the SnapComms Content Manager and Mobile App is designed to work with Identity Providers that support SAML 2.0. Refer to a sample IdP setup for Azure or Okta.
After setup, test the configuration and review the troubleshooting notes if you run into issues.
SETTING UP SAML-BASED SSO
To set up Single Sign-On using a SAML Identity Provider, go to Management >> Integrations and click on Single Sign-On (SSO).
Enter the details in the Identity Provider (IdP) section according to your IdP's settings, including the certificate (.cer) file from your IdP. If the IdP does not support a static metadata URL, click on the Use Identity Provider Metadata File toggle and upload the metadata (.xml) file from your IdP.
The metadata URL required for setting up SnapComms as a Service Provider (SP) in your IdP can be found at the bottom of the IdP settings section.
We highly recommend using the SnapComms metadata URL whenever possible. If you must import our metadata file manually to your identity provider, please make sure to download an updated version of the file and re-import it to your identity provider at least thirty days before the certificate expiration.
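The certificate in the metadata file is what ages out, so a periodic check of how many days remain on it makes the thirty-day re-import window above enforceable. The stdlib-only Python script below is an added example, not SnapComms code: it pulls the signing certificate out of a SAML metadata document, reads its notAfter date directly from the DER structure, and flags when a fresh metadata file is due. The certificate, metadata and entityID in it are constructed samples, and the thirty-day constant mirrors the recommendation above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REIMPORT_WINDOW_DAYS = 30  # lead time the article asks for before the certificate expires

def _tlv(data, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):  # notAfter of a DER-encoded X.509 certificate, stdlib only
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                   # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)        # validity SEQUENCE
    _, _, pos = _tlv(der, pos)        # notBefore (skipped)
    tag, start, end = _tlv(der, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def signing_cert_days_left(metadata_xml, now):
    """Days until the first signing certificate expires; `now` is an aware datetime or ISO-8601 string."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # an absent `use` means signing and encryption
            b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS)
            return (cert_not_after(base64.b64decode("".join(b64.split()))) - now).days
    raise ValueError("metadata carries no signing certificate")

def needs_reimport(metadata_xml, now):  # True once a fresh metadata file is due at the IdP
    return signing_cert_days_left(metadata_xml, now) < REIMPORT_WINDOW_DAYS

# Constructed sample: a skeletal certificate (no key or signature) inside SP metadata, not real data.
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload  # short-form DER encoder, enough for the sample
SAMPLE_CERT_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250201000000Z"))))  # expires 2025-02-01
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor><md:KeyDescriptor use="signing">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

The same parser works unchanged on an IdP's metadata, where the certificate sits under an IDPSSODescriptor instead.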
If a separate SnapComms certificate is required, contact our Tech Support Team at firstname.lastname@example.org
Single Sign-On can be used by administrators to access the Content Manager or by end users to log in to the SnapComms mobile app.
Enabling the Allow Identity Provider users to access the Content Manager toggle allows authorized users to be given an administrator account in SnapComms. Enter your company's email domain so that users who log in to the Content Manager using Company ID are redirected to your IdP.
Note: SnapComms supports only one domain name value for Content Manager SSO validation.
Follow the instructions below to authorize users who log in using SSO as SnapComms Administrators. Make sure that the users to be authorized as Administrators already exist as users in the SnapComms platform. To check, go to Users & Groups >> Users.
Save the IdP Configuration
Go to Users & Groups >> Groups
The SSOAdminGroup is created automatically; click on the SSOAdminGroup.
Add existing users who should be made administrators to this group.
When the email address of the person logging in to the Content Manager using SSO matches the email address of a member of the SSOAdminGroup, and that email has not already been used as an administrator username, a new Administrator account is created with a Credential Type of SSO. Automatically created administrators have all publishing and targeting permissions but no management access. Setting permissions for administrators is discussed in our Creating Administrators and Setting Permissions article.
Note: User and Administrator accounts are managed separately. Once an Administrator account has been created, removing the matching user from the SSOAdminGroup will not disable the Administrator account.
If an SSO Administrator is not able to log in via the 'Login with Company ID' button, check the following:
- On the Administrators page, change the 'Status' filter to include 'Pending' and 'Inactive', and ensure the new SSO admin account is set to active
- Check that a user account exists on the Users page and that the email address and mobile username fields are populated (the value should match the SSO admin username/email address)
- On the Groups page, open the SSOAdminGroup and ensure the user account has been added to this group
- A new SSO admin account has only the minimum Content Manager permissions; admin settings and access will have to be reviewed and granted (along with assigning a First Name and Last Name)
ENABLING SSO FOR MOBILE APP
Enabling the Allow Identity Provider users to access the SnapComms mobile App toggle allows users to access the SnapComms iOS and Android apps using their company credentials.
Clicking the Click here to view mobile App settings link takes you to the Mac & Mobile Settings page.
USING SSO TO LOGIN TO THE CONTENT MANAGER
SnapComms currently supports SP-initiated SSO. To log in, click the Log in with Company ID button on the SnapComms login page.
Enter a company email address matching the email domain defined in the configuration saved earlier. Click Continue to start the login workflow in the IdP.