Single Sign On (SSO)
  • 23 Feb 2022

Introduction

Preset offers a Single Sign On (SSO) experience that empowers organizations to add value to the new user experience while supporting role-based access. SSO enables companies to leverage their existing identity management system and allows employees to sign in to Preset using their company domain.

Security Assertion Markup Language (SAML) is the most popular SSO protocol that facilitates communication between Preset and your users.

Instructions for integrating SAML with Preset, along with how to get started using SSO with Preset, are detailed below.


Integrate SAML

Preset supports full integration with Security Assertion Markup Language (SAML). In order to facilitate this integration:

  1. Create a SAML application in your IDP and include the following attributes:
    email
    firstName
    lastName
    sessionDurationSecs

sessionDurationSecs

This parameter is optional and controls the session timeout. The default value is 24 hours.
The maximum value is 604800 (the number of seconds in 7 days).

If your IDP requires a Single Sign On URL and an Audience Restriction urn (SP Entity ID) to create an application, use the placeholder values below:

  • Single Sign On URL: https://auth.app.preset.io/login/callback?connection=auth0_connection_name
  • Audience Restriction urn (SP Entity ID): urn:auth0:preset-io-prod:auth0_connection_name
  2. Send the following information to us by opening a support ticket via the Preset Support Portal:
    • Sign-in URL
    • X509 Signing Certificate
    • Sign-out URL (optional)
    • Your company domain (for the SSO enforcement).

Admin Approval

The SSO integration needs to be approved by an admin of your Preset team. If you are not a Team Admin, share the support ticket with one so they can approve the implementation.

SSO enforcement

The SSO integration will be enforced for all accounts from your domain. This means that all users from your domain who use Preset need to be properly configured and assigned to the Preset application in your IDP.

  3. Preset will return registration information (permanent values for the Single Sign On URL and the Audience Restriction). Update your SAML settings with this additional information.

  4. After the final settings are in place, test the connection.

Preset does just-in-time user creation (JIT Provisioning), meaning that the first time a user connects via SSO, Preset will create a new user account. However, this user will not be linked to an existing Preset team. Instead, a new Team will be created. To provision new accounts into your existing Team, we recommend setting up a SCIM integration.

If users have already been created in a team before setting up the SSO integration, Preset will merge existing users with the SSO login. For a successful merge, the firstName and lastName need to be mapped to the associated SSO connection attributes.
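
A pre-flight check for the settings above, as an added example that is not Preset's own code: it lints a test assertion captured from your IDP for the attributes in step 1, the sessionDurationSecs limit, and the Audience Restriction value. The sample assertion is constructed, the name `lint_assertion` is hypothetical, rejecting zero or non-numeric durations is an assumption, and the signature is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")  # attributes listed in step 1
MAX_SESSION_SECS = 604800                      # 7 days, the maximum stated on the page
AUDIENCE = "urn:auth0:preset-io-prod:auth0_connection_name"  # placeholder from the page

# Constructed sample: lastName is missing and the session duration is too long.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:preset-io-prod:auth0_connection_name</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sessionDurationSecs"><saml:AttributeValue>900000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def lint_assertion(xml_text, expected_audience):
    """Return a list of configuration problems found in a SAML assertion."""
    # Configuration lint only: no signature check, so never use it for trust decisions.
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: got {audiences}")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute: {name}")
    raw = attrs.get("sessionDurationSecs")  # optional attribute
    if raw is not None and not (raw.isdecimal() and 0 < int(raw) <= MAX_SESSION_SECS):
        problems.append(f"sessionDurationSecs out of range: {raw!r}")
    return problems


if __name__ == "__main__":
    for problem in lint_assertion(SAMPLE, AUDIENCE):
        print(problem)
```

Once Preset returns the permanent Audience Restriction value, pass that value as `expected_audience` instead of the placeholder.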


Logging On via SSO

  1. Start by browsing to the Preset login page.

  2. Enter your email address and click on Next.

  3. You will be redirected to your IDP to perform the authentication. Once the authentication is successfully finished, your IDP will send you back to Preset.

The Log in to Preset with SSO screen appears — just enter your e-mail address and select Log In to proceed.

First time connecting with SSO

The first time that a User is invited to connect to Preset using SSO, the User may have to accept the invitation (by clicking the invitation link) twice.


Team Sign On Access

A user can be part of multiple teams. In order to control access to specific teams, you can allow workspace access to specific domains.

To do this, you just need to add a domain address. Here's how:

In the Preset Manager, navigate to a workspace and then select the gear icon.

The Team Settings screen appears. Navigate to the Members & invites tab.

...and, in the Invite panel, select Edit Allowed Domains.

The Edit Allowed Domains window appears.

In the Email Domain field, enter your domain address and then select Add.

The domain name will appear in the list below — if needed, select Remove to remove a domain.

To finalize the process, select Save.

Note:

If there is a team member that has an e-mail address that doesn’t belong to the assigned domain, then they will be automatically removed from the team.

If an invitation is sent to a domain that is not allowed, then a warning message will appear enabling the user to edit the list of allowable domains.

Please note that only a Team Administrator can add allowable domains.
