- What is Corporate Login/Single Sign-On?
- How does enabling SSO affect how users log in?
- User management when using SSO
- Enable SSO on a ProntoForms Team
- SSO Configuration
- Identity Provider (IdP) Metadata
- Launching SSO directly from an Identity Provider
- Get Service Provider Metadata from ProntoForms
ProntoForms provides Security Assertion Markup Language (SAML) based Corporate Login/Single Sign-On (SSO). This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms Corporate Login can be used with a number of identity providers, including Okta, OneLogin, Azure Active Directory, and Active Directory Federation Services (ADFS).
Beyond ease of login, enabling Single Sign-On on a team provides extra security features. Organizations can easily manage all user credentials through a single identity provider. It is also possible to set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period of inactivity.
Security Assertion Markup Language (SAML) is an XML standard that enables single sign-on (SSO). SAML performs authorization (what parts of the service a user is allowed to access?) and authentication (is a user allowed access to a service?) between an identity provider (IdP) and a service provider (SP).
- ProntoForms is a service provider.
- Active Directory, Okta, OneLogin, and similar services are identity providers.
With single sign-on, users that are authenticated on a commonly used IdP can log into sites like ProntoForms using their corporate credentials. With centralized identity providers, SSO can be used to manage user IDs, passwords and associated authentications.
ProntoForms supports SAML 2.0.
When enabled on a ProntoForms team, single sign-on can be used to log into the ProntoForms web portal, the iOS mobile app, and the Android mobile app.
When users try to sign into ProntoForms...
- They will be prompted to enter their ProntoForms username, email address, or team domain
- They will be redirected to their IdP
- Users log in to their IdP
- Users will be automatically logged in to ProntoForms
Users already authenticated on the IdP side are logged into ProntoForms without entering any credentials.
In the web portal:
- As a team admin, mouse over your name in the top right of the screen. Select Team Settings.
- Enter the Security Settings tab on the following page.
- Mouse over the Single Sign-On header, and select Update.
- Set up the team's Single Sign-On settings as detailed below.
This is the team domain that users can enter on the ProntoForms login page when using single sign-on. For example, <companyname>.
Usernames of ProntoForms users on an SSO-enabled team must match the usernames on the team's IdP.
The "username suffix" can be entered if the ProntoForms usernames have additional characters (so they are unique in the ProntoForms system).
For example, if the ProntoForms username is "johndoe@yourcompany.com", but the username when logging into the IdP is "johndoe", enter "@yourcompany.com" as the username suffix.
Enter the email address of the person who can help users log in if their corporate credentials are not working.
Remember that our technical support team is unable to help users who "Must use Corporate Single Sign-On" with logging in, as their login credentials are not actually in the ProntoForms system.
If our system detects that a user is having trouble logging in (trying to reset their password, multiple failed login attempts), we will send the user an email reminding them to use their corporate credentials, and directing them to contact this Problem Contact person if they need assistance with those credentials.
When your users who use Corporate Login contact ProntoForms Support for help with their credentials, our Support team will redirect users to this email address as well.
If you wish to launch Corporate Login directly from the Identity Provider (such as in a dashboard with a listing of Corporate Login-enabled apps), you may wish to use the following address when configuring the Identity Provider:
https://live.prontoforms.com/security/login/saml?domain=<SSO team domain>
Identity provider metadata is how SAML authenticates usernames and logins. Choose one option for providing metadata.
If the IdP has provided a metadata file, then you can upload the file here.
If no metadata file is available, manually provide all required metadata after selecting Define metadata here.
- Entity ID: The entity ID is how the issuer is identified. For example: <https://www.companyname.com>
- Remote Login URL: This is where users will be redirected to log in.
- Remote Logout URL: This is where users will be redirected when they log out.
- X.509 certificate: The X.509 certificate validates the metadata. This will be provided by the IdP.
In order to complete the SAML configuration on the IdP side, the IdP will require service provider metadata from ProntoForms.
- Enter Team Settings.
- Enter the Security Settings tab.
- Press the "Download Service Provider Metadata" button.
- Provide this file to the IdP where required.