Overview
This article provides a detailed guide on setting up SAML Single Sign-On (SSO) for users of PostBeyond, including obtaining a metadata file, providing necessary information to PostBeyond, and addressing potential issues with Microsoft Azure IDP. It also outlines the internal process completion by PostBeyond, testing procedures, and the creation of an SSO default group, with a completion timeline of up to three weeks.
Information
Learn the steps for setting up SAML SSO. After reviewing Understanding Single Sign-on (SSO) Through SAML and making the decision to move forward with implementing this login, it is time to set-up SAML SSO.
If you are using OKTA as the IdP, please see Setting up SAML SSO (OKTA IdP).
Steps to Set Up SAML
Step 1: Initiate SAML SSO Set-Up
Notify PostBeyond that you would like to proceed with the SAML SSO set-up to enable the feature.
Step 2: Obtain Metadata File from PostBeyond
Once the feature is activated, PostBeyond will provide a metadata file containing essential information for the IT team to verify the Service Provider (PostBeyond), including:
- Login URL
- EntityId
- Assertion Consumer Service endpoint
Step 3: Provide PostBeyond with Required Information
Please send the following items to PostBeyond:
- Metadata file
- Certificate (sometimes included in the metadata file)
- Attributes (user's First Name, Last Name, Email)
Attention to those using Microsoft Azure: A configuration in MS Azure IDP may prevent users on Internet Explorer from logging in via SSO. If your users might be impacted, consider the following solutions:
Option 1: PostBeyond can remove the RequestedAuthnContext from the SAML request, which relaxes the security protocol on PostBeyond's side while maintaining security from the IdP (Microsoft).
Option 2: PostBeyond can enforce a login with the IdP (Microsoft) every time users access PostBeyond, which maintains security but may affect the user experience.
We recommend consulting your IT team to determine the best course of action. Option 1 is suggested for a better user experience while remaining secure, but Option 2 may be necessary. Contact your CSM for further assistance and to decide how to proceed.
Step 4: PostBeyond Completes the Internal Process
PostBeyond will finalize the SAML SSO set-up and inform the customer of the expected completion date. This process can take up to 3 weeks as it needs to be scheduled into our development sprint.
Upon completion, the login page will offer an option for users to log in via SSO:
Step 5: Testing & Troubleshooting
Immediately after the set-up is complete, test the SSO login functionality. If you encounter any issues, refer to the testing and troubleshooting guide.
Step 6: Set Up SSO Default Group
After completing the set-up, create an SSO group for PostBeyond user accounts created through SSO login. For more information, visit Default Group for SSO Generated PostBeyond Accounts.
Helpful Resources
- Difference between PostBeyond OKTA application & Custom OKTA application
- OKTA PostBeyond Application Integration
- Overview & Understanding SSO Logins
FAQ
What is the first step in setting up SAML SSO with PostBeyond?
The first step is to notify PostBeyond that you would like to proceed with the SAML SSO set-up to enable the feature.
What should I do if I encounter issues with SSO login functionality?
If you encounter any issues, you should refer to the testing and troubleshooting guide provided by PostBeyond.
How long does it take for PostBeyond to complete the internal SAML SSO set-up process?
The internal SAML SSO set-up process can take up to 3 weeks as it needs to be scheduled into PostBeyond's development sprint.
What are the options if Microsoft Azure IDP is preventing users from logging in via SSO on Internet Explorer?
Option 1 is to have PostBeyond remove the RequestedAuthnContext from the SAML request, and Option 2 is to enforce a login with the IdP every time users access PostBeyond. Consult your IT team to determine the best course of action.
Who should I contact if I need further assistance during the SAML SSO set-up process with PostBeyond?
If you need further assistance, you can contact PostBeyond support at support@postbeyond.com.