Enboarder has Single Sign On (SSO) capabilities both for the 'Admin' accessing the platform and for the participants in a workflow (i.e. managers accessing a sequence with content). This article will explain how to set up SSO access for Admins.
So... we can set up SSO, but what are the actual benefits?
If you set up SSO capabilities in Enboarder, you can create a seamless login experience for your Admins. Some examples of benefits include:
- No need to create an account using a name and email ID
- Which employees can access the account, and with what role (Administrator, Restricted Admin, Restricted Content Admin, etc.), can be controlled by your SSO administrator and does not need to be done within Enboarder
- If an employee who was an Enboarder admin user leaves your company, the user can easily have access removed
- Users who are set up as admins for Enboarder with SSO don't need to remember a username and password
How does SSO work?
SSO setup is meant to work as soon as the settings are configured in both your SSO system and within Enboarder. Total setup time generally spans from a few days to a couple of weeks.
Although SSO uses the SAML 2.0 standard, there are a few factors that could make the setup take longer:
- There are multiple SSO products on the market, all of which usually differ to some degree
- There are a couple of setup options that your IT and business teams can consider before deciding on the best approach for your business (explained below)
- SSO configuration has to be done on both the Enboarder side and the customer account's side, in parallel
Steps to activate SSO
1. Collect SSO setup information from Enboarder
To enable SSO in Enboarder, navigate to the Settings > Security and Privacy tab and click 'Set up SSO security' to start configuring the SSO parameters. (Please note, if you don't see SSO, let your Customer Success Manager know - they need to activate it on your account).
Capture the details below. These will be used by the SSO-Admin to set up SSO on your company's SSO system.
The fields shown below will need to be filled in with data from your company's SSO system.
2. Create an Enboarder application in your SSO system account
Using the information from Enboarder
Your SSO admin will use the values shown in Enboarder's SSO Settings Dialog page (shown above) to set up an application for Enboarder's admin application and call it something like 'Enboarder Admin' in your SSO system.
3. Define who has access to be an Enboarder Admin
There are 3 options here:
Option A: Defining individual users
Here is a sample showing the application with name 'dev.enboarder.net' being assigned to a single user in the SSO system, Okta:
Option B: Defining groups
Here is a sample showing the application with name 'dev.enboarder.net' being assigned to a group 'admin' in the SSO system, Okta:
Option C: Access to everyone
This option gives the SSO admin of the account complete control to add and remove users, as well as to change their roles for accessing Enboarder, within your SSO system.
1. Assign/manage roles of users through your Enboarder account's SSO attributes
2. Create attributes for the user, such as 'Enboarder_Admin_Role', setting up different roles for different admin access levels
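Option C moves the role decision into an attribute that your SSO system sends with each login. The sketch below is an added example (not Enboarder's code) of how a SAML 2.0 service provider could read such an attribute and fail closed; the allowlist, the function names and the sample assertion are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "Enboarder_Admin_Role"  # attribute name suggested in this article
# Assumed allowlist, built from role names this article mentions.
ALLOWED_ROLES = {"Administrator", "Restricted Admin", "Restricted Content Admin"}


def admin_role_from_assertion(assertion_xml):
    """Return the asserted admin role, or None when no admin access is granted.

    Assumes signature, issuer and audience checks already passed; this
    function only interprets the role attribute.
    """
    root = ET.fromstring(assertion_xml)
    values = [
        (value.text or "").strip()
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == ROLE_ATTRIBUTE
        for value in attr.iterfind("saml:AttributeValue", NS)
    ]
    if not values:
        return None  # user may authenticate, but gets no admin role
    if len(values) > 1:
        raise ValueError("ambiguous role attribute: %r" % values)
    if values[0] not in ALLOWED_ROLES:
        raise ValueError("unknown role: %r" % values[0])  # fail closed
    return values[0]


def sample_assertion(*roles):
    """Build a constructed, unsigned assertion fragment for the demo."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    role_attr = f'<saml:Attribute Name="{ROLE_ATTRIBUTE}">{values}</saml:Attribute>' if roles else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="email">'
        "<saml:AttributeValue>pat@example.com</saml:AttributeValue></saml:Attribute>"
        f"{role_attr}</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    print(admin_role_from_assertion(sample_assertion("Restricted Admin")))
    print(admin_role_from_assertion(sample_assertion()))
```

Rejecting unknown or multiple role values, rather than picking one, surfaces a misconfigured attribute mapping in the SSO system instead of silently granting the wrong access level.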
The below items highlight additional use cases to consider beyond the basic SSO setup process.
SSO when accessing content requiring authentication
When stakeholders access content that requires authentication (such as when clicking the top-left hamburger menu, accessing a password-protected sequence or completing a form signature widget), they will have the option of using SSO instead of a pin and password if their account is set up with SSO.
In order to use SSO for stakeholder authentication, the below steps are required:
- All employees should be given access to the Enboarder application in your SSO system. By doing this, all stakeholders will be able to use SSO.
- For accounts that are configured with Just In Time provisioning, only Enboarder admin users should be given a role attribute that matches one of the roles defined like ‘Super Admin’, ‘General Admin’, etc.
- For accounts that don't use Just In Time provisioning (where admins are created in Enboarder), the configuration will need to look like the below examples:
SSO Login URLs for Enboarder Admins
In general, SSO login URLs are not user friendly like https://apple.com/enboarder or searchable on search engines like Google. This is just for basic security reasons.
There are two URL options to choose from:
1. An SSO login URL from Enboarder's SSO admin settings:
2. A URL that is generated by your account's SSO system
NOTE: If you wish to make the URLs more user friendly, you can request your company's network team to make the necessary changes.
SSO from a Parent and Child Enboarder account perspective
If you are using one global SSO system, and there are many accounts in Enboarder corresponding to aspects (brand, location etc.), then you have two options.
One SSO configuration in the parent account
If you wish to configure SSO once, and have this used across all of your accounts, then this is possible! Configure SSO as per above in the parent account. Once completed, after navigating to the Settings > Security section, tick the box to 'Authenticate sub-account admins with SSO from this page'.
Multiple SSO instances for each account
Let's give the accounts names such as 'Enboarder Inc', 'Enboarder NA', 'Enboarder EU' and 'Enboarder APAC'.
The SSO setup is as usual, as explained in the steps above; however, this time there will be 4 accounts in Enboarder, each needing its own SSO settings in Enboarder.
The SSO admin of Enboarder Inc can set up SSO in their SSO system as we've run through above.
However, the SSO SP (Service Provider) details, i.e. Enboarder's SSO details, have to be unique for each of the 4 accounts.
You will need to set up 4 applications in your SSO system, e.g. 'Enboarder Central', 'Enboarder NA', 'Enboarder EU', 'Enboarder APAC'.
The SSO settings have to be completed in all 4 accounts in Enboarder.
The SSO IdP (Identity Provider) details, i.e. the account SSO's details, will be unique for each of the 4 accounts.
For any questions and assistance, please reach out to your Customer Success Manager.