- What is SAML/Single Sign-On?
- How does enabling SSO affect how users log in?
- User management when using SSO
- Enable SAML on a ProntoForms Team
- Get Service Provider Metadata from ProntoForms
ProntoForms provides Security Assertion Markup Language (SAML) based Single Sign-On (SSO). This allows users to use their corporate credentials to log in -- they do not need to maintain separate ProntoForms login information. ProntoForms SSO can be used with a number of identity providers, including LastPass, OneLogin, and Active Directory.
Beyond ease of login, enabling SAML on a team provides extra security features. Organizations can easily manage all user credentials through a single identity provider. It is also possible to set a maximum session length for ProntoForms, so users are required to re-authenticate after a set period of inactivity.
Security Assertion Markup Language (SAML) is an XML standard that enables single sign-on (SSO). SAML performs authorization (what parts of the service a user is allowed to access?) and authentication (is a user allowed access to a service?) between an identity provider (IdP) and a service provider (SP).
- ProntoForms is a service provider.
- Lastpass, OneLogin, and similar services are identity providers.
With single sign-on, users that are authenticated on a commonly used IdP can log into sites like ProntoForms using their corporate credentials. With centralized identity providers, SAML can be used to manage user IDs, passwords and associated authentications.
ProntoForms supports SAML 2.0.
When enabled on a ProntoForms team, single sign-on can be used to log into the ProntoForms web portal, the iOS mobile app, and the Android mobile app.
When users try to sign into ProntoForms...
- They will be prompted to enter their ProntoForms username, email address, or team domain
- They will be redirected to their IdP
- Users log in to their IdP
- Users will be automatically logged in to ProntoForms
Users already authenticated on the IdP side are logged into ProntoForms without entering any credentials.
There are a things to consider when setting up ProntoForms users if SAML is enabled.
1. The user must exist with both ProntoForms and the IdP
A user account must exist on your team's accounts with both the service provider and the identity provider.
ProntoForms usernames and IdP usernames must match.
- The ProntoForms and IdP usernames could both be "johndoe".
- The ProntoForms username could be "firstname.lastname@example.org", and the IdP username could be "johndoe".
In the SAML configuration, a "username suffix" can be defined so that the ProntoForms and IdP usernames can be matched. In the second example above, the username suffix would be "@yourcompany.com".
3. ProntoForms User Passwords
When using SAML, it is not necessary to set up a password for each user in ProntoForms. However, teams are allowed to keep passwords for any number of users in ProntoForms as a backup.
Teams MUST have at leave one Pronto Admin user with a ProntoForms password as a fail-safe.
In the web portal:
- As a team admin, mouse over your name in the top right of the screen. Select Team Settings.
- Enter the Security Settings tab on the following page.
- Check the Enable SAML? box. If this box is not checked, your SAML configuration will not be used.
- Set up the team's SAML Configuration as detailed below.
This is the team domain that users can enter on the ProntoForms login page when using single sign-on. For example, <companyname>.
Username Suffix (optional)
Usernames of ProntoForms users on a SAML-enabled team must match the usernames on the team's IdP.
The "username suffix" can be entered if the ProntoForms usernames have additional characters (so they are unique in the ProntoForms system).
For example, if the ProntoForms username is "email@example.com", but the username when logging into the IdP provider is "johndoe", enter "@yourcompany.com" as the username suffix.
Identity provider metadata is how SAML authenticates usernames and logins. Choose one option for providing metadata.
If the IdP has provided a metadata file, then you can upload the file here.
If no metadata file is available, manually provide all required metadata after selecting Define metadata here.
- Entity ID: The entity ID is how the issuer is identified. For example: <https://www.companyname.com>
- Remote Login URL: This is where users will be redirected to log in.
- Remote Logout URL: This is where users will be redirected when they log out.
- X.509 certificate: The X.509 certificate validates the metadata. This will be provided by the IdP.
After authenticating to the ProntoForms web portal, users can stay logged in without activity for this amount of time before being forced to re-authenticate. Because web portal access entails access to more privileges and data, the maximum session length is 2 weeks.
Minimum Length: 15 minutes
Maximum Length: 2 weeks
After authenticating to the iOS or Android app, users can stay logged in without activity for this amount of time before being forced to re-authenticate.
Minimum Length: 15 minutes
Maximum Length: No expiry
In order to complete the SAML configuration on the IdP side, the IdP will require service provider metadata from ProntoForms.
- Enter Team Settings.
- Enter the Security Settings tab.
- Press the "Download Service Provide Metadata" button.
- Provide this file to the IdP where required.