In this article, we will review how you can set up SSO Authentication (SAML 2.0) into your Consensus Account and associated settings for your Users.
If SSO is enabled within your Account, you can find your SSO settings under the Integrations in the lower left-hand corner
Within the Integration page you can find the SSO tab above. This is where you can set up your SSO Authentication and determine how you want your Users to Authenticate. Below we will walk through the different elements of setting up your SSO and the controls you can add to your Users:
Setting Up SSO
Consensus Account SSO Information
Your Account 'Entity ID', 'Metadata URL' and 'Log On URL' are created for your specific Account and can be easily copied to your clipboard by selecting the orange Copy button. This info can be used to create the needed Metadata information from your SSO tool which will be used for us to authenticate your Users. *Note: when copying Consensus Log On URL you will need to change the path in URL from /initiate to /signin. Correct URL format: https://app.goconsensus.com/sso/auth/signin/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
Adding your SSO Metadata
Once you have generated the Metadata from within your SSO tool, you can add this either by uploading your Metadata file or via IDP Metadata URL.
- If you are using a file, Click on Upload Metadata and select 'From Computer'
- If you are using a URL, select From Url and then add the URL within the field below
-
- If you update your Metadata URL, make sure to click to the Refresh button to ensure we have the correct URL saved for your Account within our database.
- If you update your Metadata URL, make sure to click to the Refresh button to ensure we have the correct URL saved for your Account within our database.
-
SSO Settings
By default, after setting up SSO for your Account your Users will still be able to login to Consensus directly by navigating to the Consensus Sign In page and using their Consensus Credentials. If you want to force Users to login via your SSO portal you can do this by turning ON the 'Disable Direct Login' setting.
Once set to ON, you will have the ability to set a login message that will show when Users try to login directly through the Consensus Sign In page.
- NOTE* This message will also show within the Welcome email for New Users you add to your Consensus Account once Direct Login is disabled
Strict SSO Type
Within your SSO settings, you can also determine levels of Strict SSO Type. This can be set by either All Users or By Email Domain.
- Strict SSO - All Users
- When turning ON Disable Direct Login, Strict SSO for All Users is set by default. This means that All Users within your Account will need to login via your SSO portal and will see the SSO message if they try to login directly.
- Strict SSO - By Email Domains
- This setting allows you to determine which Email Domains are required to login via SSO. Any User with a different Email Domain will be able to login directly.
-
-
- This is fairly common for Accounts that are using the Partners (resellers) and have Reseller Groups with users that are not a part of their own Organization. In this Use Case, Reseller Users with a different Email Domain can still login directly while Internal Users will need to login via SSO.
- You can add as many Email Domains as needed to restrict Users based on their Email Domain. If your Organization has different Email Domains that are used by your Consensus Account Users, you can input the different Email Domains needed
- NOTE* You can use an asterisk symbol (*) to automatically support multi-level email domains. This is done by adding a Email Domain using an asterisk before (or after) the dot symbol.
-
- If you have 3rd level domains emails in your organization – use *.email.com
- If you have 4th level domains – use *.*.email.com
- Etc.
-
- NOTE* You can use an asterisk symbol (*) to automatically support multi-level email domains. This is done by adding a Email Domain using an asterisk before (or after) the dot symbol.
-
That's it! Once you have your SSO settings set the way you want, make sure to click 'Save' at the bottom of the page.
The User Experience
Depending on your SSO Setup, Users will be able to login to their Consensus Account through your SSO Tool or through the SSO Login feature within the Consensus Login Page:
By clicking 'Login via SSO' Users will be taken to an SSO authentication page where the will add their Consensus User Email. The User will then be taken to your SSO Tool where they can authenticate through into the Consensus platform.
This makes it incredibly simple and safe to access their Consensus Account while give you the control over how your Users can access Consensus.