Integrating single sign-on
This section describes how to integrate Brightspot with single sign-on servers.
As a best practice, ensure users have email addresses as their usernames. You can then configure different authenticators for different email domains. For example, logins from users with an email address in the brightspot.com domain are routed to the Google Cloud Service authenticator, and logins from users with an email address in any domain outside of brightspot.com are routed to an Okta authenticator.
To integrate single sign-on:
- Click > Admin > Sites & Settings > Sites > Global
- Ensure you are on the Main tab.
- Under Authenticators, do the following:
- Click and select one of the available SAML authenticators.
- Using the tables in the following sections as a reference, update the fields as needed.
- Click Save.
Default Tool Authenticator
Brightspot's default tool authenticator provides the standard username/password challenge. Using the following table as a reference, complete the fields as needed.
| Field | Description |
| Valid Domains | Enter login email domains that are routed to this authenticator. For example, if you enter brightspot.com, login requests from emails in the brightspot.com domain (such as [email protected]) are routed to this authenticator. |
Google Tool Authenticator
The Google Tool Authenticator uses Google Identity as the identify provider. For more information about this service, see Authentication methods at Google.
Using the following table as a reference, complete the fields as needed.
Using the following table as a reference, complete the fields as needed.
| Field | Description |
| Valid Domains | Enter login email domains that are routed to this authenticator. For example, if you enter brightspot.com, login requests from emails in the brightspot.com domain (such as [email protected]) are routed to this authenticator.Users attempting to log in using an email domain that is not specified in this or any other SAML authenticator are routed to the default authenticator (a standard username/password challenge). |
| Client ID | Enter your Google authenticator ID in the form YOUR_CLIENT_ID.apps.googleusercontent.com. |
| Allowed Hosted Domains | Enter email domains that are allowed to pass this authenticator. For example, if you enter brightspot.com in this field, then login attempts using emails in brightspot.com are allowed. Login attempts from other email domains fail. |
Preset SAML Tool Authenticator
This authenticator uses an identity provider configured on your Brightspot server. Using the following table as a reference, complete the fields as needed.
| Field | Description |
| Valid Domains | Enter login email domains that are routed to this authenticator. For example, if you enter brightspot.com, login requests from emails in the brightspot.com domain (such as [email protected]) are routed to this authenticator.Users attempting to log in using an email domain that is not specified in this or any other SAML authenticator are routed to the default authenticator (a standard username/password challenge). |
| Providers | Select one of the available identity providers. Click View Service Provider Metadata to display the metadata that you must add to the selected identity provider's configuration.  Displaying SAML service provider metadata
|
Self Service SAML Tool Authenticator
Use this authenticator to integrate a customized SSO server. For detailed information about this configuration, see Configuring a self-service SAML authenticator.
Previous Topic
Associating SSO groups with Brightspot roles
Next Topic
Configuring a self-service SAML authenticator