The aim of this guide is to:
1) Get admin users set up with single sign-on
2) Understand how SAML SSO differs from normal authentication on an account
- Setup SSO within GatherContent
- Setup SSO within Microsoft Azure
- Customise the login button text
- Default user role
- Disabling SAML SSO
SAML SSO allows users to register and log in to a GatherContent account using their IdP (e.g. Microsoft Azure, Google Suite).
When SAML SSO is enabled for an account, new users can join the account simply by belonging to the organisation's IdP.
This means users signing in with SSO no longer need to be manually invited to the account, unlike with regular password authentication.
Setup SSO within GatherContent
1. Go to Account Settings
2. Click on the SSO tab. If you cannot see the SSO tab, the feature may not be available on your plan or may have been disabled for your account; please contact customer support.
3. Click Setup SSO
4. Copy the information from the following fields that appear and enter it into the IdP:
- Service Provider ACS URL
- Service Provider Identifier
Setup SSO within Microsoft Azure
To do this:
1) Add GatherContent to your Azure AD organisation
To add GatherContent as a non-gallery app from within Microsoft Azure, please click here to view the setup instructions…
This will create the application for you and allow you to set up the information on the next screen.
2) Configure your SSO
To configure Single Sign-On to work with GatherContent (non-gallery app), click here and follow the steps outlined in this guide.
3) Map Microsoft Azure to GatherContent
Below is a list of Microsoft Azure terms and their GatherContent equivalents, to help you map the information into your application:
Microsoft Azure Term       GatherContent Term
Identifier (Entity ID)     Service provider identifier
Reply URL                  Not required
Sign-on URL                Service provider ACS URL
Relay State                Not required
Logout URL                 Not required
To view the steps for editing the basic SAML configuration, click here…
When setting up the claims outlined in step 2 of the Microsoft guide, click here to view screenshots of how they should look…
GatherContent uses the email address as the unique identifier. If a user's email address changes in their IdP, GatherContent will create a new user, rather than match the existing one, the next time they log in to the platform.
For step 3 of the Microsoft guide, the certificate should be copied and pasted into the GatherContent SSO page in the "Public Certificate" box:
For step 4 of the Microsoft guide, the fields that should be copied into GatherContent are:
Microsoft Azure field name   GatherContent field name
Login URL                    SAML 2.0 Endpoint (HTTP)
Azure AD Identifier          Identity provider issuer
The final two fields to be set are:
Login button text
This is the text that users will see on the login screen when logging into GatherContent via SAML SSO.
For example, this could be changed to: "Login with Microsoft Azure"
Default user role
This is the default role applied to new registrants when they register on GatherContent via SAML SSO. A user's role can still be changed from inside the GatherContent account via the People & Groups pages.
Once all the fields are set, click Validate SAML settings.
This attempts to log your user in with the settings provided, first redirecting you to your Microsoft Azure portal. If a successful login is detected, the user can turn on SSO for the account, which will:
- Require all users to log in with SAML SSO from this point forward
- Send an email to all existing users in the account, notifying them that SAML SSO has been enabled
- Allow users to register to the account via their IdP
Disabling SAML SSO
If an account has SAML SSO enabled, it can be disabled by visiting the Account Settings page and navigating to the SAML SSO tab.
From here a 'Turn off SAML SSO' button will be visible.
When SAML SSO is disabled for an account, this will:
- Require all users who do not have a password to set one
- Automatically send an email to all existing users, notifying them that SAML SSO has been disabled for the account
- Log users out and require them to log in with their username and password