After reviewing Understanding Single Sign-on (SSO) Through SAML and making the decision to move forward with implementing this login, it is time to set-up SAML SSO.
If you are using OKTA as the IdP, please see Setting up SAML SSO (OKTA IdP)
Steps to set-up SAML
Step 1: Notify PostBeyond that you would like to proceed with SAML SSO set-up so that they can turn on the feature.
Step 2: PostBeyond team to provide you with the metadata file
The moment the admin notifies the CSM that they want SAML SSO, the feature is turned on and the below information will become available on the instance.
The information in the metadata file that the company's IT team will need to complete the process of verifying the Service Provider (PostBeyond) will include:
Assertion Consumer Service endpoint
Step 3: Admin to send PostBeyond Metadata, Certificate & Attributes
Please send PostBeyond the 3 items:
Certificate (sometimes located in the metadata file)
Attributes (user First Name, Last Name, Email)
Attention to those using Microsoft Azure: We've noticed a configuration in the MS Azure IDP that is preventing users who are on Internet Explorer (and a combination of other factors in the user's environment, potentially including device type) from logging in via SSO.
If you know that your users might be impacted, we have two solutions that can be implemented:
PostBeyond can remove the RequestedAuthnContext from the SAML request. This would be relaxing the security protocol to verify users from the PostBeyond side, but there would still be a level of security of verifying the user from the IdP (Microsoft).
PostBeyond can make a change that would force the user to log in with the IdP (Microsoft) every time they try to access PostBeyond. There would be no security impact (i.e., we wouldn't be relaxing any validations), but this could have a negative impact on the user experience.
We recommend you send this to your IT team to determine the best course of action. We do believe that Option 1 is the best user experience and is still secure but understand that Option 2 may be required. Please contact your CSM with questions and how you want to move forward.
Step 4: PostBeyond to Complete the Process Internally
The PostBeyond team will finalize the process and provide the customer with an expected date of completion. This process can take up to 3 weeks to complete as it needs to be funnelled into our sprint.
Once the admin is notified that the set-up is complete, the login page will have the option for users to login via SSO:
Step 5: Testing & Troubleshooting
Immediately after the process is completed, make sure to test logging in via SSO. Read this article should you experience any issues with this new login option.
Step 6: Set-up SSO Default Group
Once you've completed your set-up, we encourage that you create an SSO group for PostBeyond user accounts that are generated from logging into via SSO. To learn more, please see Default Group for SSO Generated PostBeyond Accounts.