Set Up Single Sign-On for ProntoForms Teams

 

About

ProntoForms provides Security Assertion Markup Language (SAML) based Single Sign-On (SSO).  This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms SSO can be used with a number of identity providers, including LastPass, OneLogin, and Active Directory.

Beyond ease of login, enabling SAML on a team provides extra security features.  Organizations can easily manage all user credentials through a single identity provider.  It is also possible to set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period.

 

What is SAML/Single Sign-On?

Security Assertion Markup Language (SAML) is an XML-based standard that enables single sign-on (SSO).  SAML carries authentication (is this user allowed to access the service?) and authorization (which parts of the service may the user access?) between an identity provider (IdP) and a service provider (SP).

For example:

  • ProntoForms is a service provider. 
  • LastPass, OneLogin, and similar services are identity providers.

With single sign-on, users who are already authenticated on a commonly used IdP can log into sites like ProntoForms with their corporate credentials. Because the identity provider is centralized, SAML lets organizations manage user IDs, passwords, and the associated authentication in one place.

ProntoForms supports SAML 2.0. 

 

How does enabling SSO affect how users log in?

When enabled on a ProntoForms team, single sign-on can be used to log into the ProntoForms web portal, the iOS mobile app, and the Android mobile app.

When users try to sign into ProntoForms:

  • They are prompted to enter their ProntoForms username, email address, or team domain
  • They are redirected to their IdP
  • They log in to their IdP
  • They are automatically logged in to ProntoForms

Users already authenticated on the IdP side are logged into ProntoForms without entering any credentials.

[Screenshot: logging in to ProntoForms using single sign-on]


 

User Management when using SSO

There are a few things to consider when setting up ProntoForms users if SAML is enabled.

1. The user must exist with both ProntoForms and the IdP

Each user needs an account with both the service provider (your ProntoForms team) and the identity provider.

 

2. Usernames

ProntoForms usernames and IdP usernames must match.  

  • The ProntoForms and IdP usernames could both be "johndoe".
  • The ProntoForms username could be "johndoe@yourcompany.com", and the IdP username could be "johndoe".

In the SAML configuration, a "username suffix" can be defined so that the ProntoForms and IdP usernames can be matched.  In the second example above, the username suffix would be "@yourcompany.com".    

 

3. ProntoForms User Passwords

When using SAML, it is not necessary to set up a password for each user in ProntoForms.   However, teams are allowed to keep passwords for any number of users in ProntoForms as a backup.

Teams MUST have at least one Pronto Admin user with a ProntoForms password as a fail-safe.


 

Enable Single Sign-On for a ProntoForms Team

In the web portal:

  1. As a team admin, mouse over your name in the top right of the screen.  Select Team Settings.

  2. Open the Security Settings tab on the following page.

  3. Check the Enable SAML? box.   If this box is not checked, your SAML configuration will not be used.

  4. Set up the team's SAML Configuration as detailed below.


 

SAML Configuration

Team Domain

This is the team domain that users can enter on the ProntoForms login page when using single sign-on. For example, <companyname>.


 

Username Suffix (optional)

Usernames of ProntoForms users on a SAML-enabled team must match the usernames on the team's IdP.  

Enter a "username suffix" if the ProntoForms usernames carry additional characters (added to keep them unique across the ProntoForms system) that the IdP usernames do not.

For example, if the ProntoForms username is "johndoe@yourcompany.com" but the username used to log into the IdP is "johndoe", enter "@yourcompany.com" as the username suffix.



 

Identity Provider Metadata

Identity provider metadata tells ProntoForms how to recognize your IdP and verify the SAML responses it sends: the IdP's identifier, its login and logout endpoints, and the certificate used to check signatures. Choose one option for providing metadata.

Upload Metadata File

If the IdP has provided a metadata file, then you can upload the file here.



 

Define Metadata Here

If no metadata file is available, select Define metadata here and manually provide all required metadata.

    • Entity ID:   The entity ID is how the issuer is identified.  For example: <https://www.companyname.com>
    • Remote Login URL: This is where users will be redirected to log in.
    • Remote Logout URL:  This is where users will be redirected when they log out.
    • X.509 certificate: The X.509 certificate validates the signatures on the IdP's SAML responses.  This will be provided by the IdP.
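If the IdP hands you a metadata XML file rather than the individual values, the four fields above are all inside it. The script below, an added example that is not ProntoForms code, pulls them out of a constructed sample document (the idp.example.com URLs and the stub certificate are invented) and applies the sanity checks a practitioner would want before typing the values in: the document really is IdP metadata, the signing certificate is valid base64 DER, and the redirect URLs use https.

```python
# Added example (not ProntoForms code): extract the four "Define metadata here"
# fields from an IdP metadata document and sanity-check them before entry.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate,
# and idp.example.com is a hypothetical IdP.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Location="https://idp.example.com/saml/logout"/>
    <md:SingleSignOnService Location="https://idp.example.com/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(idp, tag):
    el = idp.find(f"md:{tag}", NS)
    if el is None:
        raise ValueError(f"metadata has no {tag}")
    url = el.get("Location", "")
    if not url.startswith("https://"):   # the redirect carries the SAML exchange
        raise ValueError(f"{tag} must use https: {url!r}")
    return url


def extract_idp_settings(metadata_xml):
    """Return the values to enter in the Define metadata here form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata (no EntityDescriptor/IDPSSODescriptor)")
    # Use the signing key: it is what validates the IdP's SAML responses.
    certs = [k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", None, NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"]
    if not certs or not certs[0]:
        raise ValueError("no signing X509Certificate in metadata")
    cert_b64 = "".join(certs[0].split())
    der = base64.b64decode(cert_b64, validate=True)
    if der[:1] != b"\x30":   # every DER certificate begins with a SEQUENCE tag
        raise ValueError("X509Certificate is not DER")
    return {"Entity ID": root.get("entityID"),
            "Remote Login URL": _location(idp, "SingleSignOnService"),
            "Remote Logout URL": _location(idp, "SingleLogoutService"),
            "X.509 certificate": cert_b64}
```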


 

Session Length

Portal Session Length

After authenticating to the ProntoForms web portal, users can stay logged in without activity for this amount of time before being forced to re-authenticate. Because web portal access entails access to more privileges and data, the maximum session length is 2 weeks. 

Minimum Length: 15 minutes

Maximum Length: 2 weeks


 

Device Session Length

After authenticating to the iOS or Android app, users can stay logged in without activity for this amount of time before being forced to re-authenticate. 

Minimum Length: 15 minutes

Maximum Length: No expiry



  

Get Service Provider Metadata from ProntoForms

In order to complete the SAML configuration on the IdP side, the IdP will require service provider metadata from ProntoForms.

  1. Enter Team Settings.
  2. Enter the Security Settings tab.
  3. Press the "Download Service Provider Metadata" button.

  4. Provide this file to the IdP where required.
