OVERVIEW
SAML Single Sign-On (SSO) provides the ability for Content Administrators to log into the SnapComms Platform using company credentials rather than a SnapComms username and password. There are two types of authentication that can be used for SSO: the first is logging in with company ID via a SAML Identity Provider; and the second is logging in with a Microsoft account via Microsoft Azure Active Directory. This article describes the first type of authentication.
SSO for the SnapComms Content Manager and the Mobile and MAC Apps is designed to work with Identity Providers that support SAML 2.0. Refer to a sample IdP setup for Azure, Okta, or ADFS.
After setup, enable SSO and test the login, and review the troubleshooting notes below if you run into issues.
SETTING UP SAML-SSO
To set up Single Sign-On using a SAML Identity Provider, go to Management >> Integrations and click on Single Sign-On (SSO).
Enter the details in the Identity Provider (IdP) section as per your IdP's settings, including the certificate (.cer) file from your IdP. If the IdP does not support a static metadata URL, click on the Use Identity Provider Metadata File toggle and upload the metadata (.xml) file from your IdP.
The metadata URL required for setting up SnapComms as a Service Provider (SP) in your IdP can be found at the bottom of the IdP settings section.
We highly recommend using the SnapComms metadata URL whenever possible. If you must import our metadata file into your Identity Provider manually, note that the SnapComms SAML SSO certificate is renewed yearly, which may break the trust between SnapComms and your Identity Provider. We recommend setting a calendar reminder to re-download the metadata from the SnapComms Content Manager and load the new certificate into ADFS. Then download the new certificate from ADFS, rename the .CER file, and re-upload it into SnapComms. SnapComms also expects a SHA-256 certificate. We also recommend passing the User Principal Name (UPN) from your IdP as the name attribute, as the system uses the UPN to match and validate an existing SnapComms user.
Single Sign-On can be used by administrators to access the Content Manager or by end users to log in to the SnapComms Mobile and MAC Apps.
ENABLING SSO FOR CONTENT MANAGER
Enabling the Allow Identity Provider users to access the Content Manager toggle allows authorized users to be given an administrator account in SnapComms. Enter the email domain of your company so that when users log in to the Content Manager using Company ID, they are redirected to your IdP.
Note: SnapComms only supports one domain name value for Content Manager SSO validation.
Follow the instructions below to authorize users logging in using SSO as SnapComms Administrators. Make sure that the users to be authorized as Administrators already exist as users in the SnapComms platform. To check, go to Users & Groups >> Users.
- Save the IdP Configuration
- Go to Users & Groups >> Groups
- The SSOAdminGroup is automatically created; click on the SSOAdminGroup
- Add existing users who should be made administrators to this group.
When the email address of a person logging in to the Content Manager using SSO matches the email address of a member of the SSOAdminGroup, and that email has not already been used as an administrator username, a new Administrator account is created with a Credential Type of SSO. Newly auto-created administrators have all the publishing and targeting permissions but no management access. Setting permissions for administrators is discussed in our Creating Administrators and Setting Permissions article.
Note: User and Administrator accounts are managed separately. Once an Administrator account has been created, removing the matching user from the SSOAdminGroup will not disable the Administrator account.
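The matching rules above, and the troubleshooting checks further down (UPN passed as the name attribute, user must exist, user must be in the SSOAdminGroup), as an added illustration written for this article; it is not SnapComms code. The assertion fragment, the user and group sets, and the case-insensitive comparison are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real IdP response); only the
# NameID, which the IdP should fill with the UPN, matters for the checks here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed platform state: existing users (by UPN), SSOAdminGroup members,
# and usernames that are already administrator accounts.
USERS = {"jane.doe@example.com", "bob.smith@example.com"}
SSO_ADMIN_GROUP = {"jane.doe@example.com"}
ADMINS = {"bob.smith@example.com"}


def extract_name_id(assertion_xml):
    """Return the NameID the IdP passed as the name attribute (expected: UPN)."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no NameID; the IdP must pass the UPN")
    return node.text.strip()


def resolve_sso_login(name_id, allowed_domain, users=USERS,
                      sso_group=SSO_ADMIN_GROUP, admins=ADMINS):
    """Walk the checks from the article and return (outcome, detail).

    Assumption (not stated in the article): comparisons are case-insensitive.
    """
    upn = name_id.lower()
    if "@" not in upn:
        return "not_a_upn", "name attribute is not in user@domain form"
    if upn.rsplit("@", 1)[1] != allowed_domain.lower():
        return "domain_mismatch", "email domain differs from the configured one"
    if upn not in {u.lower() for u in users}:
        return "no_matching_user", "no user with this UPN under Users & Groups"
    if upn not in {u.lower() for u in sso_group}:
        return "not_in_sso_admin_group", "user is not a member of SSOAdminGroup"
    if upn in {a.lower() for a in admins}:
        return "existing_admin", "existing administrator account is used"
    # New account: Credential Type SSO, publishing/targeting only, no management.
    return "create_admin", {"username": upn, "credential_type": "SSO",
                            "permissions": ["publishing", "targeting"],
                            "management_access": False}
```

Each failing outcome corresponds to one line of the troubleshooting checklist, so the function doubles as a reminder of where to look when an SSO administrator cannot log in.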
USING SAML SSO TO LOGIN TO THE CONTENT MANAGER
SnapComms currently supports SP-initiated SSO. To log in, click the Log in with Company ID button on the SnapComms login page.
Enter the company email address matching the email domain defined in the configuration saved previously. Click Continue to start the login workflow in the IdP.
Troubleshooting notes:
If an SSO Administrator is not able to log in via the 'Login with Company ID' button, check the following:
- From the Administrators page, change the 'Status' filter to include 'Pending' and 'Inactive', and ensure the new SSO admin account is set as active.
- Check that the name attribute being passed by your IdP is the UPN, as the system uses the UPN as the primary matching criterion. Check that a user account exists on the Users page and that its UPN is the same value, in the same format, as the one passed from your IdP.
- From the Groups page, check the 'SSOAdminGroup' and ensure the user account has been added to this group.
- A new SSO admin account has minimum Content Manager permissions; admin settings and access have to be reviewed and granted (along with assigning a First Name and Last Name).
ENABLING SSO FOR MAC AND MOBILE APPS
Enabling the Allow Identity Provider users to access the SnapComms mobile App toggle will allow users to access the SnapComms MAC and Mobile Apps using their company credentials.
Clicking on the Click here to view mobile App settings link will take you to the Mac & Mobile Settings page.