If you would like users to sign in through the systems you already employ, you can do that by setting up SSO through SAML.
In this article, we will go over the following:
- Pros & Cons
- What is SAML SSO?
- How does it work?
- What are the different types of SAML SSO?
- How to set-up SAML
- What will SAML SSO login look like?
Pros & Cons
Pros:
- Users do not have to remember multiple passwords, as this leverages their existing work logins
- Can be connected with Active Directory (AD), so the Administrator doesn’t have to worry if a user is terminated
Cons:
- Can take longer to set up if the IT team is not prepared ahead of time
- Users are not grouped accordingly unless the groups match those in the Active Directory or the same list is preloaded in advance to PostBeyond
What is SAML SSO?
SAML SSO is the process of authenticating a user for a service provider via a third party decided upon by the customer.
Users authenticate themselves via an identity provider (IDP) service chosen by the customer, which then confirms to PostBeyond that the person attempting to log into that account is in fact who they say they are.
How does it work?
- Users visit their PostBeyond instance login page.
- There, they click to be taken to the IDP (Identity Provider). We send information to the IDP notifying them where the user is sent from. This is done to ensure that once a user has fulfilled whatever terms they need in order to be authenticated, they are sent back to the service provider (PostBeyond).
- Users are authenticated by the IDP by any methods they have set up for authentication.
- Once their identity is confirmed, they are rerouted back to PostBeyond along with the appropriate SAML token from the IDP confirming their identity validation request, along with any other necessary information about that user (name, email address, possibly group). If the user is signing in for the first time using SSO, we check to see if the user exists (based on the email address sent). If not, we create the user in the database and add them to the instance.
What are the different types of SAML SSO?
- Manual Group Management - requires admins to manually group users after they have signed on for the first time.
- Groups set up one time before customer launch - this requires a list of the customer's users with groups to be bulk uploaded. Subsequent regrouping or grouping of any new users would be done manually.
- SAML Auto-sync - groups automatically sync-up according to customer directory - not yet completed by PostBeyond.
- Master SSO - SSO for enterprise customers on multiple instances
- SLO - Single log-out which forces users to be logged out of other apps authenticated by
How to set-up SAML
In order to set up SAML SSO, make sure to contact your CSM.
Your team will need to complete the file below - please ask your CSM for the file:
**Highlighted in ORANGE is what your team will need to complete**
- Single Sign On Service endpoint:
- Logout Service endpoint:
- X.509 Cert
What does PostBeyond team complete?
- Assertion consumer service endpoint - address where user initially goes to before redirecting to IDP (The URL in the button).
- Logout Service endpoint - same as Assertion consumer service endpoint since we don’t currently force user logout of other services when they log out of PostBeyond.
- Entity ID – unique identifier for the IDP to the application (in this case PostBeyond) - allows customer IDP to redirect correctly.
- Login URL – sign-in page for that particular instance which starts the SAML SSO process.
- Required Attributes – these are the specific attributes we require in order to be able to create and verify accounts. Attribute names can be changed to match however your team sends them over. PostBeyond requires at least the following three attributes:
  - givenname – user first name
  - surname – user last name
  - emailaddress – user email address
- We can accept additional attributes upon request (group name, status). These can be synced based on the customer directory
Once this document is completed, the PostBeyond team will finalize the process and your SAML SSO will be complete!
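The example below is added here for illustration and is not PostBeyond's code: it shows how a service provider could map the attribute names an IDP sends onto the three required attributes, reject an assertion that lacks one, and create the account on first sign-in keyed on email address. The attribute names `FirstName`, `LastName` and `Email`, the sample assertion, the in-memory `users` store and the lower-casing of the email are assumptions; verifying the response signature against the IDP's X.509 cert is assumed to have been done beforehand by a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("givenname", "surname", "emailaddress")

# Hypothetical mapping: the names this IDP sends -> the three required fields.
NAME_MAP = {"FirstName": "givenname", "LastName": "surname", "Email": "emailaddress"}

# Constructed sample. Assumption: the enclosing Response signature, audience and
# validity window were already verified against the IDP's X.509 certificate.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>Ada.Lovelace@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml, name_map):
    """Return the required fields from an assertion, or raise if any is absent."""
    root = ET.fromstring(assertion_xml)
    profile = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        field = name_map.get(attr.get("Name"))
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if field in REQUIRED and value and value.strip():
            profile[field] = value.strip()
    missing = [f for f in REQUIRED if f not in profile]
    if missing:
        raise ValueError("assertion lacks required attributes: " + ", ".join(missing))
    # Assumption: emails are compared case-insensitively to avoid duplicate accounts.
    profile["emailaddress"] = profile["emailaddress"].lower()
    return profile


def sign_in(users, profile):
    """Look the user up by email; create the account on first SSO sign-in."""
    email = profile["emailaddress"]
    created = email not in users
    if created:
        users[email] = {"first": profile["givenname"], "last": profile["surname"]}
    return users[email], created
```

Because the account is keyed on the email attribute, that attribute should only be trusted from an assertion whose signature has been checked.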
What will SAML SSO login look like?
When this is completed, your users will log in on a sign-in page similar to the one shown below: