Single Sign On FAQ
What does the flow look like from the Advocate point of view?
The flow for the advocate is as follows:
- Navigate to the AdvocateHub URL
- There are two scenarios:
  - If they have previously logged in to your portal and the cookie is still present in the browser, they will be brought directly to the AdvocateHub.
  - If they have not previously logged in and have no cookie, they will be invited to enter their login credentials for your platform. Upon successful entry of these, they will be brought to the AdvocateHub.
Note: If an Advocate is already signed up to another AdvocateHub with that same email address, there is one additional step in the flow. After they successfully enter their credentials into the customer portal, they will see a message like the one below. An email will be sent to the Advocate containing a link; they just have to click on it and they will be brought straight into the hub.
How do invites work with SSO?
Using SSO creates some small differences in how you should approach the invitation process and how you work with Nominees. In this section we will dive into this further.
We have a couple of options here:
1. You can invite your Advocates through the CSV method, where you upload a CSV file containing your Advocates and add them to specific groups prior to inviting them. You can read about this in more detail here. However, there is one further thing that is very important to note: the invite must be sent from the hub, and the Advocate must follow the link in this invite; otherwise they will encounter permission issues.
2. If you can set up your targeting prior to asking Advocates to join, you can simply direct them to your hub URL. They will be directed to enter their credentials and an account will be created for them immediately. Any targeting that applies to them will kick in and they will be allocated to the applicable groups.
For example, if you wanted your Employees to go into a certain group, you could follow these steps, using Influitive as the company for the example:
- Create a group 'Employee'
- Set the targeting to make this group targeted to anybody who has '@influitive.com' in their email address
- Notify the new user of your program by email and ask them to navigate to the URL of the AdvocateHub in order to join up
- Once they access the URL, they will go through the sign-up process and become an Advocate upon successful completion
- Once they become an Advocate, they will immediately be in the 'Employee' group
Another thing to note is that join codes and invite URLs will not work in conjunction with SAML. If an Advocate uses an invite URL, they will still be able to access the hub and an account will be created for them. However, they will not be put into the group the invite URL was associated with; they will just have an account created and be put in the starter group by default. This is not the case with OAuth.
Things To Think About If Implementing SSO On An Active Hub
If your hub is up and running and many Advocates have already joined, this could cause some issues, which can be overcome with some preparation and thought.
Take this example: I have signed up to your AdvocateHub using the email address email@example.com, but the email address I use for your product or portal is firstname.lastname@example.org.
In this case, I try to access the hub and am directed to your product or platform to complete the login process. I enter my credentials for your product or platform and enter the hub successfully, but now a brand new account is set up for me, because the AdvocateHub did not have the email address firstname.lastname@example.org on record; it was looking for email@example.com.
What can you do to prepare for this?
We recommend coming up with a strategy of sending communications to your Advocates notifying them of this changeover and letting them know they have to update their email address to match whatever email address they use to access your product or platform. You can do this through email blasts or with a challenge, or ideally a combination of both, to try and catch as many people as possible. If Advocates fall through the cracks, we can fix this up for you by merging the duplicate accounts, including points and badges, but this may take some time to do.
Another method you could use to preempt this issue is to gather all the email addresses of your Advocates in the AdvocateHub and then check them against the email addresses in your database. If there is no match for an email address, you can create an account in your database with this email address. This way the person can continue to use the email address they have been using in the AdvocateHub and no duplicate Advocate accounts will be created.
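The comparison described above, as an added Python example that is not part of the original FAQ or any Influitive tooling. The two CSV exports, their "email" column name and the sample addresses are constructed assumptions; a suggested close match is a hint for manual follow-up with the Advocate, not a basis for merging accounts.

```python
import csv
import difflib
import io

# Constructed sample exports. The "email" column name is an assumption;
# adjust it to match your real hub and portal exports.
HUB_EXPORT = """email,name
Ana.Ruiz@Example.com,Ana Ruiz
bo.chen@example.org,Bo Chen
 cy.diaz@example.net ,Cy Diaz
dee.eze@example.com,Dee Eze
"""
PORTAL_EXPORT = """email
ana.ruiz@example.com
b.chen@example.org
cy.diaz@example.net
"""


def normalize(address):
    """Trim and lowercase so cosmetic differences are not reported as mismatches."""
    return address.strip().lower()


def load_emails(csv_text, column="email"):
    """Return the set of normalized addresses found in one CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize(row[column]) for row in rows if (row.get(column) or "").strip()}


def reconcile(hub_csv, portal_csv, cutoff=0.85):
    """Map each hub address with no portal account to its closest portal address, if any."""
    hub, portal = load_emails(hub_csv), load_emails(portal_csv)
    report = {}
    for address in sorted(hub - portal):
        # A close match suggests the same person under a different address.
        # Use it to contact the Advocate; never merge accounts on it automatically.
        close = difflib.get_close_matches(address, sorted(portal), n=1, cutoff=cutoff)
        report[address] = close[0] if close else None
    return report


if __name__ == "__main__":
    for hub_address, hint in reconcile(HUB_EXPORT, PORTAL_EXPORT).items():
        action = f"ask Advocate to confirm {hint}" if hint else "create portal account"
        print(f"{hub_address}: {action}")
```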
Can I have Employees access the AdvocateHub via SSO but Customers access using the traditional method? [SAML Only]
No. Anybody who has an account set up in the platform you are using for SSO will be able to access the AdvocateHub. This is a case of all or nothing: if you want to use SSO, everybody has to log in using it. For example, if you have employees who have accounts in your portal, they can log in through SSO, but if you have customers who don't have an account in your portal, they have no way to log in when SSO is enabled in your AdvocateHub.
If this is something you require, it may be possible through a custom setup, so get in touch with us at firstname.lastname@example.org and we can work on a solution.
Where are the 'Terms and Conditions' housed when using SSO?
If it is important for you to present advocates with your terms and conditions prior to them logging into the AdvocateHub, you can do this easily:
You can set the Terms & Conditions under Settings > Advocate Program > Sign-In. Simply enter your desired Terms & Conditions and toggle 'on'.
Once you have this configured, save it and navigate to your AdvocateHub URL where you should be greeted with the Terms & Conditions and a chance for the advocate to accept and continue to log in.
How does the Maven app work with SSO?
The process is as seamless on the Maven app as it is on your desktop. Let us have a look at the flow when logging in to an SSO-enabled AdvocateHub:
1. Opening the Maven app, you will be greeted with a screen like the one below. The advocate can hit any of the social sign-in buttons in order to access the AdvocateHub, as long as they have previously associated that social account with their advocate profile. They will be instantly brought to a list of the AdvocateHubs they have access to. The advocate can also enter the email address associated with their AdvocateHub account and hit Continue, which will take them to another screen before they can see their list of AdvocateHubs.
2. If the advocate has no social authentications tied to their account and has entered their email address, they should see the option below. Here they will have to send a sign-in link to their email address. They should instantly receive an email with a link that they will need to follow.
3. Once they follow the link they receive, they will be brought back into the Maven app and will see a list of the AdvocateHubs they have access to.
4. Finally, they click on the AdvocateHub they want to enter and voilà!