Brand Integrity supports Secure Assertion Markup Language (SAML), which allows you to provide single sign-on (SSO) for the Brand Integrity Platform using enterprise identity providers such as Active Directory and LDAP.
Implementing single sign-on via SAML means that the log in process and user authentication are handled entirely outside Brand Integrity. Your users will not directly visit https://secure.brandintegrity.com. Instead users log in to your corporate system (authenticated by Active Directory or LDAP for example) and click a link to access the Brand Integrity Platform and are automatically logged in. No need to enter separate login credentials for Brand Integrity, although using a username and password login page in addition to SSO is available in certain circumstances.
You can build a SAML server in-house (using OpenAM, for example) or choose a SAML service such as Okta, OneLogin, or PingIdentity. You'll need to set these up yourself outside of Brand Integrity.
How SAML for Brand Integrity works
SAML for Brand Integrity works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP). The service provider (SP), in this case of course Brand Integrity, establishes a trust relationship with IdP and allows that external IdP to authenticate users and then seamlessly log them in to Brand Integrity. In other words, a user logs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to login separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.
Returning visitors are automatically authenticated if their SAML assertions are cached. Assertions are packets of security information that are used to make access-control decisions.
Note: To access your Brand Integrity account from the phone or other mobile device outside your network that doesn't have access to your IdP, your users will also need a Brand Integrity username and password. Single sign-on will not work in these cases.
Configuring Brand Integrity for new users
In most use cases, clients pre-configure user profiles in Brand Integrity by regularly (daily or weekly) sending full list of user names and related attributes to Brand Integrity's secure FTP servers. A unique ID that is consistent with the unique ID used by the SAML assertion is required as part of this CSV data feed.
See the article on Creating the User Import CSV File for more information.
Configuring your SAML implementation
You have a number of options when considering a SAML service, including building a SAML server in-house (for example, OpenAM) or choosing a SAML service such as Okta, OneLogin, and PingIdentity.
To set up SAML with Brand Integrity, you'll need the following:
- A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP
- The Remote Login URL for your SAML server (sometimes called SAML Single Sign-on URL)
- The SHA1 fingerprint of the SAML certificate from your SAML server. X.509 certificates are supported and should be in PEM or DER format. There is no upper limit on the size of the SHA1 fingerprint.
Note: Brand Integrity only supports IDP-initiated SAML workflow. This means that if users were to manually enter in the website address, they would be treated as regular site users, and there will be no redirection to the Identity Provider.
See the SAML Configuration Details article for more information.