Single sign-on and SAML

Enterprise publishers often deploy multiple applications, such as finance, personnel, and email, in addition to Brightspot. One way to reduce the burden of remembering a username and password for each application is single sign-on (SSO): editors authenticate once against an SSO identity provider, and that login gives them access to the applications they need. Brightspot uses Security Assertion Markup Language (SAML) as the protocol for exchanging authentication assertions with the SSO server.


Activating single sign-on

This section describes how to activate single sign-on for Brightspot.

To activate single sign-on:

  1. Click menu > Admin > Sites & Settings.
  2. In the Sites widget, select Global. The Edit Global widget appears.
  3. Under CMS, expand Security.
  4. Under Authenticators, click add_circle_outline. A form appears.
  5. From the Providers list, select one of the available SAML authenticators.
  6. Click Save.

Associating SSO groups with Brightspot roles

In most scenarios, single sign-on servers associate users with groups. Similarly, most publishers associate Brightspot editors with roles. As a best practice, you should associate the SSO groups with the corresponding Brightspot roles. This practice ensures that when an editor successfully logs in through single sign-on, Brightspot associates the editor with the correct role.

Caution
If a group on the SSO server is not associated with a Brightspot role, all users in that group are denied login to Brightspot, even though they passed authentication on the SSO server. Ensure every group on the SSO server that needs Brightspot access is associated with a Brightspot role.
Warning
If you configure no group-role associations at all, any editor who passes SSO authentication is granted login to Brightspot without a role assignment, which can amount to administrator-level access. Configure at least one group-role association before enabling SSO.

To associate SSO groups with Brightspot roles:

  1. Click menu > Admin > Sites & Settings.
  2. Under Legacy Settings, click Saml. The Edit Saml widget appears.
  3. Under Groups to Roles, do the following:

    1. Click add_circle_outline. A form appears.
      (Illustration: Associating SSO groups with Brightspot roles)
    2. In the Group field, enter a group that exists on the SSO server.
    3. In the Role field, select an existing Brightspot role.
    4. Repeat the previous three steps to associate additional groups with roles.
  4. Click Save.

Referring to the previous illustration, an editor who signs on through SSO and belongs to the group ssoBrightspotEditors receives all the Brightspot permissions associated with the role Editors.
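The group-to-role rules above (the Caution, the Warning, and the Group/Role mapping) are easier to reason about as code. The following is an added illustration, not Brightspot's implementation: it parses the Subject and AttributeStatement of a constructed SAML 2.0 assertion, looks up every group value in a mapping like the one configured under Groups to Roles, and refuses the login when a group is unmapped or when no mapping exists at all. The attribute name "groups", the issuer, the group names, the "ambiguous mapping is refused" rule, and all function names are assumptions.

```python
"""Added illustration of SSO group-to-role resolution for a SAML login.

Not Brightspot code. It models the rules stated in the documentation:
unmapped group -> login denied; no mappings configured -> misconfiguration.
"""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (abridged, unsigned). The issuer, NameID, attribute name
# "groups" and the group values are assumptions for this example only.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "<saml:Subject><saml:NameID>editor@example.com</saml:NameID></saml:Subject>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="groups">'
    "<saml:AttributeValue>ssoBrightspotEditors</saml:AttributeValue>"
    "<saml:AttributeValue>ssoAllStaff</saml:AttributeValue>"
    "</saml:Attribute>"
    "</saml:AttributeStatement>"
    "</saml:Assertion>"
)


def extract_identity(assertion_xml, group_attribute="groups"):
    """Return (name_id, groups) from an assertion's Subject and AttributeStatement.

    Call this only on an assertion whose XML signature has already been
    verified against the identity provider's certificate; attributes in an
    unverified assertion must not be trusted. ElementTree is used for brevity;
    parse untrusted XML in production with defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    name_id_el = root.find(f".//{{{NS}}}NameID")
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    groups = []
    for attr in root.iter(f"{{{NS}}}Attribute"):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.findall(f"{{{NS}}}AttributeValue"):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return name_id, groups


def resolve_role(groups, group_to_role):
    """Return (decision, role) for a list of SSO groups and a Groups-to-Roles map.

    Decisions: "misconfigured" (no mappings at all, the Warning case),
    "deny" (a group has no mapping, the Caution case, or no group was sent),
    "allow" with the single resolved role.
    """
    if not group_to_role:
        return "misconfigured", None
    if not groups or any(g not in group_to_role for g in groups):
        return "deny", None
    roles = {group_to_role[g] for g in groups}
    if len(roles) != 1:
        # Assumption: groups that resolve to different roles are refused rather
        # than silently picking one (least privilege; not a documented rule).
        return "deny", None
    return "allow", roles.pop()


def authorize(assertion_xml, group_to_role):
    """Full pipeline: parse the (already verified) assertion, then apply the mapping."""
    username, groups = extract_identity(assertion_xml)
    decision, role = resolve_role(groups, group_to_role)
    return {"username": username, "groups": groups, "decision": decision, "role": role}


if __name__ == "__main__":
    mapping = {"ssoBrightspotEditors": "Editors", "ssoAllStaff": "Editors"}
    print(authorize(SAMPLE_ASSERTION, mapping))          # allow, role Editors
    print(authorize(SAMPLE_ASSERTION, {"ssoBrightspotEditors": "Editors"}))  # deny: ssoAllStaff unmapped
    print(authorize(SAMPLE_ASSERTION, {}))               # misconfigured
```

Running the block shows the three outcomes the documentation describes: with both groups mapped the editor is allowed in as Editors; drop the ssoAllStaff mapping and the same editor is denied; remove all mappings and the code reports a misconfiguration instead of admitting the user with no role.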


Reviewing SSO logins

If your version of Brightspot is part of a single sign-on environment, you can review the SSO details Brightspot records for each editor, such as the SAML username, the SAML configuration used, and the role assigned at login.

To review SSO logins:

  1. Click menu > Admin > Users & Roles.
  2. In the Users widget, select the user whose SSO login you want to review.
  3. Under SAML, review the fields described in the following table.

The following table describes the SSO fields you can review.

Field               Description
Saml Username       Editor's email address as assigned on the authentication server. Brightspot uses this address as the editor's username.
Saml Instance       SAML configuration (authenticator) used to authenticate the editor.
Effective Role      Brightspot role assigned to the editor at login, derived from the group-to-role association for the editor's SSO group.
Saml Disable Login  Indicates whether SSO login is blocked for this editor. When toggled on, the editor cannot log in to Brightspot through SSO.

Enabling or disabling SSO logins

If your version of Brightspot is part of a single sign-on environment, you can enable or disable an editor’s ability to log in to Brightspot over SSO.

To enable or disable SSO logins:

  1. Click menu > Admin > Users & Roles.
  2. In the Users widget, select the user whose login you want to enable or disable.
  3. Under SAML, toggle on or off Saml Disable Login.
  4. Click Save.