Single Sign-On Authentication (SSO) equips you with a more efficient login process with Socialbakers Suite, meaning that a single set of credentials can be used to log in from several different applications. This is especially useful in a corporate setting when you want your employees to be able to access a variety of applications, using their company credentials only.
Why is the integration with SSO Authentication a must for your organization?
- You will be able to use your company’s Identity Provider (IdP) to authorize your users into the Socialbakers Suite (which, according to the SSO terminology, acts as a Service Provider);
- You will be allowed to access Socialbakers Suite without being prompted to enter separate login credentials → No need to memorize a different set of credentials;
- It integrates with your employee list and allows you to manage their access in one place;
- You have full control over the password strength of your employees and/or can enforce two-factor authentication for login;
- SSO allows Socialbakers not to store passwords, which reduces exposure to possible security breaches;
- Simple offboarding: removing a user ID will immediately cut the user’s access to Socialbakers Suite.
Compatibility
Socialbakers uses the XML-based Security Assertion Markup Language (SAML) protocol for SSO into Socialbakers Suite, meaning that the Socialbakers SSO Authenticator will work with all IdPs supporting the SAML 2.0 protocol, including Okta, OneLogin, Google, Microsoft, Shibboleth and many others.
How to integrate Socialbakers SSO with your login provider
Go to Socialbakers Suite Account Settings → Integrations & API
In this menu, you’ll see the list of all our current integrations. In case the integration with SSO is not yet activated, press the Request button - your Account Manager will be automatically notified and will get in touch with you as soon as possible.
Once SSO is enabled for your account, the integration still needs to be set up!
At this point, it’s important that an IdP admin user manages the communication with our support team.
Socialbakers Suite will then be accessible on a custom domain (i.e.: https://<custom>.suite.socialbakers.com). Please communicate the proper subdomain name to our support team when asked, as some special characters, such as !/(,-), can’t be used.
There are two set-up processes, depending on whether you’re a new or existing client:
- If you’re a new Socialbakers client, we can set up the integration from the very beginning, and all Socialbakers users will be SSO-based automatically.
- If you’re a current client and already have an account with existing users, configured reports, dashboards, etc., we can set up a new account where the SSO integration can be tested (testing phase).
Testing Phase: The Testing phase is required so we can verify that everything functions smoothly before transitioning to SSO on your current account.
First, a new account is created for testing purposes. Then, we add a few testing users to validate that the SSO logins are working properly. How long the Testing phase lasts depends on how long the user takes to verify the SSO logins.
To avoid any confusion when accessing the test account: during this phase you will have two different accounts, as already mentioned. One is for the SSO login and the second is your existing Socialbakers Suite account login.
a) For the SSO login, the URL will be: https://<custom>.suite.socialbakers.com/(…)
b) The original Socialbakers login URL is https://suite.socialbakers.com/(...)
To switch between accounts, you first need to log out and adjust the URL. Only then will you be able to log in. If you adjust the URL without disconnecting yourself first, you will still be redirected to the previous account login.
Once we confirm that everything works well, we then set up the SSO integration for your current account and migrate all the existing users to SSO, and the test account will be deleted.
Setting up Socialbakers SSO with different Login Providers
- Okta
Socialbakers is listed in Okta's Trusted App catalogue, so the integration is straightforward:
- Open Okta administration
- Click Add applications under Shortcuts, in the drop-down menu to the right
- Socialbakers has a preconfigured integration. Simply search for "Socialbakers" and click Add.
- Go to the Subdomain field and type the domain discussed with our support team. Click Done to finalize.
- On the Sign On tab, click View Setup Instructions
- A new screen will be displayed where you can review the supported features. Then contact the Socialbakers support team again and attach the Metadata URL link generated by Okta.
- Socialbakers will enable the login for you and convert existing users or invite new users via SAML, according to the agreement.
- OneLogin
Socialbakers is listed in OneLogin’s Trusted App Catalogue, so the integration is straightforward:
- Open OneLogin administration
- Click Add Applications in the top menu
- Socialbakers has a preconfigured integration, so search for "Socialbakers" and click on it
- Enter your desired Display name - how the app will appear in your administration - and click Save
- Now move to the Configuration tab, type in the domain discussed with our support team, and click Save
- Now, move to the SSO tab and ensure the SAML Signature Algorithm is set to SHA-256. Save and click More Actions -> SAML Metadata. An XML file will be downloaded to your PC.
- Contact our support team and attach the downloaded XML
- Socialbakers will enable the login for you and convert existing users or invite new users via SAML, according to the agreement.
- Other Login Providers
There are many other login providers that should be compatible with Socialbakers SSO integration. The only requirement is that they use the SAML 2.0 protocol. The configuration options and attribute names vary from provider to provider, but basically, the setup should be:
If such fields are present in the SAML response, we properly configure and update the user each time they log in. If missing, the user is visible only by his/her email address, which must be the nameID (unique) identifier of the user.
After you finish the configuration on your side, we need three details to proceed with the configuration from our end:
- The subdomain you prefer to run your Socialbakers Suite on.
- Service URL (sometimes called SSO Entrypoint)
- Public X.509 Certificate of the SSO integration to verify the incoming request is legitimate.
Our support team will guide you on the requirements from your end to complete the integration set up.
Users
Each user has to be defined by an Identifier (nameId), which must be the company email (email set on the IdP). It is crucial that all users have the right Identifier filled in Socialbakers Suite so they are recognized when attempting to log in via their SSO provider. Otherwise, access is denied.
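During the testing phase, an IdP admin can check a captured test response against two settings this page asks for: the SHA-256 signature algorithm from the OneLogin steps and an email address as the nameID. This is an added example, not Socialbakers code; the response is constructed and trimmed, and the check inspects the declared algorithms only, it does not verify the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only


def sample_response(name_id, sig_alg=RSA_SHA256, digest_alg=SHA256_DIGEST):
    """Build a constructed, trimmed SAML response (signature values left out)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def preflight(response_xml):
    """Return a list of configuration problems; an empty list means none found."""
    root = ET.fromstring(response_xml)
    problems = []
    if not root.findall(".//ds:SignatureMethod", NS):
        problems.append("no XML signature present")
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in root.findall(f".//ds:{tag}", NS):
            # rsa-sha256, ecdsa-sha256 and xmlenc#sha256 all end in "sha256"
            if not el.get("Algorithm", "").endswith("sha256"):
                problems.append(f"{tag} is not SHA-256: {el.get('Algorithm')}")
    name_ids = root.findall(".//saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1:
        problems.append(f"expected exactly one NameID, found {len(name_ids)}")
    elif not EMAIL.match((name_ids[0].text or "").strip()):
        problems.append("NameID is not an email address")
    return problems


if __name__ == "__main__":
    print(preflight(sample_response("jdoe", RSA_SHA1, SHA1_DIGEST)))
```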
If a user is permitted access on the SSO IdP side but doesn’t have access set up in the Socialbakers Suite account, the verification/authentication will fail and an error page will be displayed.
- Adding a User
To add a new user, you simply need to invite him/her through Socialbakers Suite. Go to Users → Press Add User.
- Deprovisioning a User
Deprovisioning a user on the IdP side is immediate and will prevent the user from logging in to their Socialbakers Suite account. However, the user will still be listed as a user in the Socialbakers Suite account until manually removed by a Suite admin.
- Login
The user can log in via https://<company>.account.socialbakers.com and will then be redirected to the external SSO provider login page for authentication (e.g. https://<companyname>.onelogin.com/login). If the user is set up properly in both the SSO provider and the Socialbakers Suite account, he/she will be redirected to the Socialbakers Suite account and will be able to log in successfully.
- Logout
Any user can log out by pressing the Log out button.

Note that the user will not be logged out from their SSO, but from Socialbakers Suite only.