Overview
This article provides a comprehensive guide on setting up Single Sign-On (SSO) using Security Assertion Markup Language (SAML), detailing the process of authentication with an Identity Provider (IDP) and the subsequent access to the PostBeyond service. It addresses common questions, outlines the types of SAML SSO configurations available, and offers integration guides for various applications, with support contact information for further assistance.
Information
Understanding Single Sign-on (SSO) Through SAML
Learn how to set up SAML SSO and troubleshoot potential issues. If you would like to have users sign in through the systems you already employ, you can do that by setting up SSO through SAML.
In this article, we will go over the following:
- Pros & Cons
- Commonly Asked Questions About PostBeyond Integration
- What is SAML SSO?
- How does it work?
- What are the different types of SAML SSO?
Pros:
- User does not have to remember multiple passwords as this leverages their existing work logins
- Can be connected with Active Directory (AD), so the administrator does not have to worry about revoking access when a user is terminated
Cons:
- Can take longer to set up if the IT team is not prepared ahead of time
- PostBeyond only accepts one IDP. If you have multiple IDPs, you will need to speak with your engineering team about merging them
Commonly Asked Questions
Do we support multiple IDPs?
No, we currently only support one IDP. If you have multiple IDPs within your organization, you will need to work with your IT team to make the change before sending the IDP to PostBeyond.
Is the format case-sensitive in your app? Is the format below explicitly what you need?
If by the format you mean username, then no, both CASE@pb.com and case@pb.com would belong to the same user.
Is there any SCIM integration for de-provisioning users?
No.
Are we able to disable native/cloud login and require SAML authentication?
Yes, we can disable email login and have only SAML SSO login.
Is there a sandbox/non-production environment of the application available to SSO?
Yes, we can set this up.
What federation protocols does the application support?
SAML 2.0
What is SAML SSO?
SAML SSO is the process of authenticating a user for a service provider via a third party decided upon by the customer.
Users will authenticate themselves via an identity provider service (IDP) chosen by the customer, who then confirms to the service provider that the person attempting to log in is indeed who they claim to be.
How does it work?
Users follow a series of steps to authenticate and gain access to their PostBeyond instance using Single Sign-On (SSO) with an Identity Provider (IDP).
- Users visit their PostBeyond instance login page.
- There, they click to be taken to the IDP (Identity Provider). We send information to the IDP notifying them where the user is sent from. This ensures that once a user has fulfilled the authentication requirements, they are redirected back to the service provider (PostBeyond).
- Users are authenticated by the IDP using the methods they have set up for authentication.
- Once their identity is confirmed, they are rerouted back to PostBeyond along with the appropriate SAML token confirming their identity validation request from the IDP, as well as any other necessary information about the user (name, email address). If the user is signing in for the first time using SSO, we check to see if the user exists (based on the email address sent). If not, we create a new user in the database and add them to the instance.
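As an added illustration (not PostBeyond's code), here is the service-provider side of the last step in Python: the checks a SAML consumer applies to the returned assertion before trusting it (single configured IDP, matching request, audience, validity window), followed by the case-insensitive email lookup and first-login user creation described above. The entity IDs, the constructed sample response and the `consume_response` function are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"   # assumed SP (PostBeyond) entity ID
IDP_ENTITY_ID = "https://idp.example.invalid/saml"          # the single configured IDP (assumed)

# Constructed sample response: unsigned, for structure only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
 <saml:Assertion><saml:Issuer>https://idp.example.invalid/saml</saml:Issuer>
  <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email"><saml:AttributeValue>CASE@pb.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="name"><saml:AttributeValue>Case Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def consume_response(xml_text, pending_request_ids, users, now=None):
    """Check the assertion's routing claims, then look up or create the user.
    XML-DSig verification is out of scope here; an SP must verify the IDP's
    signature before trusting any of the values checked below."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # Only one IDP is accepted, so the issuer must be the configured one.
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unknown IDP")
    # The response must answer a request this SP actually sent (rejects unsolicited replays).
    req_id = root.get("InResponseTo")
    if req_id not in pending_request_ids:
        raise ValueError("response does not match a pending request")
    pending_request_ids.discard(req_id)
    # The assertion must be addressed to this SP and still be within its validity window.
    cond = assertion.find("saml:Conditions", NS)
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    email = attrs["email"].strip().lower()   # usernames are matched case-insensitively
    if email not in users:                    # first SSO sign-in: create the user
        users[email] = {"name": attrs.get("name"), "created_via": "sso"}
    return users[email]
```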
What are the different types of SAML SSO?
There are several types of Security Assertion Markup Language (SAML) Single Sign-On (SSO) configurations that cater to different administrative needs. Understanding these types can help in selecting the most appropriate SSO solution for an organization.
Manual Group Management
Manual Group Management requires administrators to manually assign users to groups after their initial sign-on.
Groups Set-Up One Time Before Customer Launch
This approach involves bulk uploading a list of users with their respective groups before the customer launch. Any subsequent regrouping or addition of new users must be managed manually.
SAML Auto-Sync
SAML Auto-Sync is designed to automatically synchronize groups according to the customer's directory. However, this feature is not yet completed by PostBeyond.
Master SSO
Master SSO is a solution for enterprise customers who operate multiple instances and require a unified SSO experience across their platforms.
SLO (Single Log-Out)
Single Log-Out (SLO) is a feature that, when activated, forces users to log out from all applications that are authenticated through the same SSO session.
After reviewing "Understanding Single Sign-on (SSO) Through SAML" and deciding to implement this login method, the next step is to set up SAML SSO for your organization.
Integration Guides
Below are the guides for integrating various applications with our platform:
- OKTA PostBeyond Application Integration
- Custom OKTA Application (SAML SSO with OKTA IdP)
- Setting up SAML SSO (all IdPs but OKTA)
FAQ
Can PostBeyond support multiple Identity Providers (IDPs) for SSO?
No, PostBeyond currently only supports one IDP. Organizations with multiple IDPs need to consolidate to a single IDP before integrating with PostBeyond.
Is the username format case sensitive when logging in through SSO in PostBeyond?
No, the username format is not case sensitive; both uppercase and lowercase emails are recognized as the same user.
Does PostBeyond offer SCIM integration for de-provisioning users?
No, PostBeyond does not currently offer SCIM integration for de-provisioning users.
Is it possible to disable native/cloud login and enforce SAML authentication exclusively in PostBeyond?
Yes, PostBeyond can disable email login and require only SAML SSO authentication.
Does PostBeyond provide a sandbox or non-production environment for testing SSO?
Yes, PostBeyond can set up a sandbox or non-production environment for SSO testing purposes.