Enboarder has Single Sign On (SSO) capabilities for Admins accessing the platform, as well as the stakeholders' in a workflow (i.e. managers accessing a sequence with content).
So... We can set up SSO, but what are the actual benefits?
If you set up SSO capabilities in Enboarder, you can create a seamless login experience for your Admins and Stakeholders alike!
No need to create another account using a name and email ID
The ability to choose which employees can access the account and with what role plus, this can be controlled by your SSO administrator and not need to be done within Enboarder!
If an employee who was an Enboarder Admin leaves your company, the user can easily have access revoked
Before you begin: Like anything worth doing, integrations take time. Please allow up to 4 weeks for this integration to be completed, this includes time for scoping, development and testing. You’ll also need to have a system expert and/or system administrator to assist in the completion of this integration.
How does SSO work?
SSO should work as soon as the settings are configured in both your SSO system and within Enboarder. (Total setup time is generally a few days but can spend up to a couple of weeks.)
Although SSO is via SAML 2.0 standard, there are a few factors that could make the setup take longer:
There are multiple SSO-products in the market, all of which usually differ to some degree (Our example below is using Okta)
There are a couple of options in the setup that your IT can consider before deciding on the best approach for your business (explained below)
SSO configuration has to be done on both Enboarder and the Customer account's in parallel
Usually, it takes a week or two from the time you use our documentation and configure your setup.
If you have issues, you can share the screenshots of your setup in your SSO application (such. as Okta, Microsoft Azure, or Active Directory, etc) with your Customer Success Manager, so that Enboarder’s technical team can take a look.
If you're still unable to resolve this, your Customer Success Manager will liaise with you to set up a video call with your technical team and Enboarder.
Steps to activate SSO
1. Collect SSO setup information from Enboarder
To enable SSO in Enboarder, navigate to Settings > Security and Privacy and click 'Set up SSO Security' to start to configure the SSO parameters. (Please note, if you can't see the SSO option, let your Customer Success Manager know - they need to activate it on your account).
Capture the details below. These will be used by the SSO-Admin to setup SSO on your company's SSO system.
The fields shown below will need to be filled in with data from your company's SSO system.
2. Create an Enboarder application in your SSO system account
Using the information from Enboarder
Your SSO Admin will use the values shown in Enboarder's SSO Settings Dialog page (shown below) to set up an application for Enboarder's admin application and call it something like 'Enboarder Admin' in your SSO system.
3. Define who has access to be an Enboarder Admin
There are 3 options here:
Option A: Defining individual users
Here is a sample showing the application with the name 'dev.enboarder.net' being assigned to a single user in the SSO system, OKTA:
Option B: Defining groups
Here is a sample showing the application with the name 'dev.enboarder.net' being assigned to a group 'admin' in the SSO system, OKTA:
Option C: Access to everyone
This option gives complete control to the SSO admin of the account to add and remove users, as well as allowing them to change their roles to access Enboarder within your SSO system. (This will also be used to provide stakeholder access to locked sequences and SSO login to My Dashboard)
2. Create attributes for the user, such as 'Enboarder_Admin_Role', setting up different roles for different admin access levels
The below items highlight additional use cases to consider beyond the basic SSO setup process.
SSO when accessing content requiring authentication
When stakeholders access content that requires authentication (such as clicking the My Dashboard ☰ menu within content, when accessing a password-protected sequence or when completing form signature widget), they will have the option of using SSO instead of a pin and password if their account is set up with SSO.
Providing access to all stakeholders
In order to use SSO for stakeholder authentication, the below steps are required:
All employees should be given access to the Enboarder application in your SSO system. By doing this, all stakeholders will be able to use SSO.
For accounts that are configured with Just In Time provisioning, only Enboarder admin users should be given a role attribute that matches one of the roles defined like ‘Super Admin’, ‘General Admin’, etc.
For accounts that don't use Just In Time provisioning (where admins are created in Enboarder), the configuration will need to look like the below examples:
SSO Login URLs For Enboarder Admin's
In general, SSO login URLs are not user-friendly like https://apple.com/enboarder or searchable on search engines like Google. This is just for basic security reasons.
There are two options of URLs to choose from:
1. An SSO login URL from Enboarder's SSO admin settings:
2. A URL that is generated by your account's SSO system
NOTE: If you wish to make the URLs more user friendly, you can request your company's network team to make necessary changes
SSO from a Parent and Child Enboarder account perspective
If you are using one global SSO system, and there are many accounts in Enboarder corresponding to aspects (brand, location, etc.), then you have two options.
One SSO configuration in the parent account
If you wish to configure SSO once and have this used across all of your accounts, then this is possible! Configure SSO as per above in the parent account. Once completed, after navigating to the Settings > Security section, tick the box to 'Authenticate sub-account admins with SSO from this page'.
Domains allowed for SSO in workflows
This setting allows you to set the domains that can utilise SSO when a stakeholder or employee is launched into a workflow and then navigates to their profile. Multiple domains can be entered in a comma-separated format and should be in lowercase only.
Multiple SSO instances for each account
Let's give the accounts names such as 'Enboarder Inc', 'Enboarder NA', 'Enboarder EU' and 'Enboarder APAC'.
The SSO setup is as usual, which was explained in the above steps, however, this time there will be 4 accounts in Enboarder, each account needs to have its own SSO settings showing in Enboarder.
The SSO admin of Enboarder Inc can setup SSO in their SSO system as we've run through above.
However, the SSO SP (Service Provider) ie. Enboarder's SSO details have to be unique for each of the 4 accounts.
You will need to setup 4 applications in your SSO system, e.g. 'Enboarder Central', 'Enboarder NA', 'Enboarder EU', 'Enboarder APAC'.
The SSO settings have to be completed in all 4 accounts in Enboarder.
The SSO IdP (Identity Provider) ie. account SSO's details will be unique for each of the 4 accounts.
For any questions and assistance, reach out to the Support team by clicking the '?' button at the top right corner of any Enboarder page.