- What is SAML/Single Sign-On?
- How does enabling SSO affect how users log in?
- User management when using SSO
- Enable SSO on a ProntoForms Team
- SSO Configuration
- Identity Provider (IdP) Metadata
- Launching SSO directly from an Identity Provider
- Get Service Provider Metadata from ProntoForms
ProntoForms provides Security Assertion Markup Language (SAML) based Single Sign-On (SSO). This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms SSO can be used with a number of identity providers, including Okta, OneLogin, Azure Active Directory, and Active Directory Federation Services (ADFS).
Beyond ease of login, enabling SAML on a team provides extra security features. Organizations can easily manage all user credentials through a single identity provider. It is also possible to set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period of inactivity.
Security Assertion Markup Language (SAML) is an XML standard that enables single sign-on (SSO). SAML performs authorization (what parts of the service a user is allowed to access?) and authentication (is a user allowed access to a service?) between an identity provider (IdP) and a service provider (SP).
- ProntoForms is a service provider.
- Active Directory, Okta, OneLogin, and similar services are identity providers.
With single sign-on, users that are authenticated on a commonly used IdP can log into sites like ProntoForms using their corporate credentials. With centralized identity providers, SAML can be used to manage user IDs, passwords and associated authentications.
ProntoForms supports SAML 2.0.
When enabled on a ProntoForms team, single sign-on can be used to log into the ProntoForms web portal, the iOS mobile app, and the Android mobile app.
When users try to sign into ProntoForms...
- They will be prompted to enter their ProntoForms username, email address, or team domain
- They will be redirected to their IdP
- Users log in to their IdP
- Users will be automatically logged in to ProntoForms
Users already authenticated on the IdP side are logged into ProntoForms without entering any credentials.
There are a things to consider when setting up ProntoForms users if SAML is enabled.
1. The user must exist within both ProntoForms and the IdP
A user account must exist on your team's accounts with both the service provider and the identity provider. ProntoForms user accounts cannot be created on the fly when users log in through your Identity Provider.
ProntoForms usernames and IdP usernames must match.
- The ProntoForms and IdP usernames could both be "johndoe".
- The ProntoForms username could be "firstname.lastname@example.org", and the IdP username could be "johndoe".
In the SSO configuration, a "username suffix" can be defined so that the ProntoForms and IdP usernames can be matched. In the second example above, the username suffix would be "@yourcompany.com".
3. Setting up a user to use Single Sign-On
Set up users as "Must use Corporate SSO" to ensure they can only log in with SSO, and to tailor their experience for this kind of login.
In the web portal:
- As a team admin, mouse over your name in the top right of the screen. Select Team Settings.
- Enter the Security Settings tab on the following page.
- Mouse over the Sign Sign-On header, and select Update.
- Set up the team's Single Sign-On settings as detailed below.
This is the team domain that users can enter on the ProntoForms login page when using single sign-on. For example, <companyname>.
Usernames of ProntoForms users on a SAML-enabled team must match the usernames on the team's IdP.
The "username suffix" can be entered if the ProntoForms usernames have additional characters (so they are unique in the ProntoForms system).
For example, if the ProntoForms username is "email@example.com", but the username when logging into the IdP provider is "johndoe", enter "@yourcompany.com" as the username suffix.
Enter the email address of the person who can help users log in if their corporate credentials are not working.
Remember that our technical support team is unable to help users who "Must use Corporate Single Sign-On" with logging in, as their login credentials are not actually in the ProntoForms system.
If we notice a user is having trouble logging in, in certain cases we will send the user an email with this email address in it, directing them to contact this person rather than our technical support team.
If you wish to launch Corporate Login directly from the Identity Provider (such as in a dashboard with a listing of Corporate Login-enabled apps), you may wish to use the following address when configuring the Identity Provider:
https://live.prontoforms.com/security/login/saml?domain=<SSO team domain>
Identity provider metadata is how SAML authenticates usernames and logins. Choose one option for providing metadata.
If the IdP has provided a metadata file, then you can upload the file here.
If no metadata file is available, manually provide all required metadata after selecting Define metadata here.
- Entity ID: The entity ID is how the issuer is identified. For example: <https://www.companyname.com>
- Remote Login URL: This is where users will be redirected to log in.
- Remote Logout URL: This is where users will be redirected when they log out.
- X.509 certificate: The X.509 certificate validates the metadata. This will be provided by the IdP.
In order to complete the SAML configuration on the IdP side, the IdP will require service provider metadata from ProntoForms.
- Enter Team Settings.
- Enter the Security Settings tab.
- Press the "Download Service Provider Metadata" button.
- Provide this file to the IdP where required.