Single sign-on and SAML

Enterprise publishers often deploy multiple applications, such as finance, personnel, and email, in addition to Brightspot. One way to reduce the burden of remembering usernames and passwords for each application is to use single sign-on (SSO): editors log in to an SSO server, and that login gives them access to the applications they need. Brightspot uses Security Assertion Markup Language (SAML) to exchange authentication messages with the SSO server.

Activating single sign-on

This section describes how to activate single sign-on for Brightspot.

Procedure. To activate single sign-on:
  1. From the Navigation Menu, expand Admin, and select Sites & Settings.

  2. In the Sites widget, select Global. The Edit Global widget appears.

  3. Under CMS, expand Security.

  4. Under Authenticators, click the add icon (a plus sign in a circle). A form appears.

  5. From the Providers list, select one of the available SAML authenticators. (If no SAML authenticators are in the list, you may need to configure them as described in Configuring Brightspot for SAML or Deploying SAML.)

  6. Click Save.

Associating SSO groups with Brightspot roles

In most scenarios, single sign-on servers associate users with groups. Similarly, most publishers associate Brightspot editors with roles. As a best practice, you should associate the SSO groups with the corresponding Brightspot roles. This practice ensures that when an editor successfully logs in through single sign-on, Brightspot associates the editor with the correct role.

Caution

If a group on the SSO server is not associated with a Brightspot role, all users associated with that group are denied login to Brightspot (even if they pass authentication on the SSO server). Ensure all groups on the SSO server are appropriately associated with Brightspot roles.

Warning

If you do not configure any group-role associations, then any editor passing SSO authentication is granted login to Brightspot with no role, which may be the administrator role. Ensure you configure at least one group-role association.

Procedure. To associate SSO groups with Brightspot roles:
  1. From the Navigation Menu, expand Admin, and select Sites & Settings.

  2. Under Legacy Settings, click Saml. The Edit Saml widget appears.

  3. Under Groups to Roles, do the following:

    1. Click the add icon (a plus sign in a circle). A form appears.

      Figure 123. Associating SSO groups with Brightspot roles


    2. In the Group field, enter a group existing on the SSO server.

    3. In the Role field, select an existing Brightspot role.

    4. Repeat substeps 1–3 to associate additional groups to roles.

  4. Click Save.

Referring to the illustration Associating SSO groups with Brightspot roles, an editor who signs on through SSO and has the group ssoBrightspotEditors receives all the permissions in Brightspot associated with the role Editors.
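
The Caution and Warning above describe two failure modes of the Groups to Roles settings. The following is an added example, not Brightspot code: an offline audit that compares the groups the SSO server sends with the configured associations before you save them. The function names and all sample data are assumptions, except ssoBrightspotEditors and Editors, which come from the illustration.

```python
# Added example: offline audit of a Groups to Roles configuration.
# Function names and sample data are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    severity: str   # "critical", "warning" or "info"
    subject: str    # group name, or "*" for the configuration as a whole
    message: str

def audit_group_role_map(idp_groups, group_to_role):
    """Compare groups sent by the SSO server with the Groups to Roles entries."""
    # Trim whitespace only; names are compared case-sensitively (assumption).
    idp = {g.strip() for g in idp_groups if g.strip()}
    mapping = {g.strip(): r for g, r in group_to_role.items() if g.strip()}
    findings = []

    if not mapping:
        # Warning case from the page: no associations configured at all.
        findings.append(Finding("critical", "*",
            "no group-role associations: any editor passing SSO "
            "authentication is granted login with no role"))
        return findings

    for group in sorted(idp - set(mapping)):
        # Caution case from the page: a group without an associated role.
        findings.append(Finding("warning", group,
            "not associated with a role: its users are denied login"))
    for group in sorted(set(mapping) - idp):
        # The procedure asks for a group that exists on the SSO server.
        findings.append(Finding("info", group,
            f"mapped to role {mapping[group]!r} but not present on the SSO server"))
    return findings

def is_safe(findings):
    """True when nothing at critical or warning level was reported."""
    return all(f.severity == "info" for f in findings)

if __name__ == "__main__":
    # Constructed sample: group list exported from the SSO server and the
    # associations entered under Groups to Roles.
    groups = ["ssoBrightspotEditors", "ssoFinance", "ssoBrightspotAdmins"]
    roles = {"ssoBrightspotEditors": "Editors", "ssoOldContractors": "Editors"}
    for f in audit_group_role_map(groups, roles):
        print(f"{f.severity.upper():8} {f.subject}: {f.message}")
```

Run the audit whenever groups change on the SSO server; an empty result means every group has a role and no entry refers to a missing group.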

Enabling or disabling SSO logins

If your version of Brightspot is part of a single sign-on environment, you can enable or disable an editor's ability to log in to Brightspot over SSO.

Procedure. To enable or disable SSO logins:
  1. From the Navigation Menu, expand Admin, and select Users & Roles.

  2. In the Users widget, select the user whose login you want to enable or disable.

  3. Under SAML, toggle on or off Saml Disable Login.

  4. Click Save.

Reviewing SSO logins

If your version of Brightspot is part of a single sign-on environment, you can review an editor's SSO information received from the authentication server.

Procedure. To review an editor's SSO login:
  1. From the Navigation Menu, expand Admin, and select Users & Roles.

  2. In the Users widget, select the user whose SSO login you want to review.

  3. Under SAML, and using the following table as a reference, review the login.

The following table describes the SSO fields you can review.

| Field | Description |
| --- | --- |
| Saml Username | Editor's email address as assigned on the authentication server. Brightspot uses this address as the editor's username. |
| Saml Instance | SAML configuration used to authenticate the editor. |
| Effective Role | Editor's role as assigned on the authentication server. Brightspot assigns the editor to this role. |
| Saml Disable Login | Indicates if the editor is allowed to log in using SSO. If toggled on, the editor cannot log in to Brightspot. |