The aim of this guide is to:
1) Get admin users setup with single sign-on
2) Understand how SAML SSO will differ from normal authentication on an account
SAML SSO allows users to register and log in to a Content Workflow account using their IDP (e.g. Microsoft Azure, Google Suite)
When SAML SSO is enabled for an account, new users will be able to join the account simply by belonging to the organisation's IDP.
This means users using SSO will no longer need to be manually invited to the account, unlike with regular passworded authentication.
Content Workflow offers support for SP-initiated flow only with HTTP POST binding. You should configure HTTP POST bindings in the IDP metadata.
Content Workflow requires that the following attribute claims be sent when a user logs in:
Setup SSO within Content Workflow
Go to Account Settings
2. Click on the SSO tab
If you are unable to see the SSO tab, the feature may not be available on your plan or may have been disabled for your account. Please contact customer support, in this case, who will be happy to help look into this for you.
3. Click Setup SSO
4. Copy the information in the following fields that appear, and input those into the IDP:
Field A) Service Provider ACS URL
Field B) Service Provider Identifier
Setup SSO within Microsoft Azure
To do this:
1) Add Content Workflow to your Azure AD organisation
To add Content Workflow as a non-gallery app from within Microsoft Azure, please click here to view the setup instructions…
This will create the application for you and allow you to set up the information on the next screen.
2) Configure your SSO
To configure Single Sign-On to work with Content Workflow (non-gallery app) click here and follow the steps outlined in this guide.
3) Map Microsoft Azure to Content Workflow
Below is a list of Microsoft Azure Terms and their Content Workflow equivalent, to help you map the information into your application:
Microsoft Azure Term, Content Workflow Term, Identifier (Entity ID), Service provider identifier, Reply URL, Not Required, Sign-on URL, Service provider ACS URL, Relay State, Not Required, Logout URL, Not Required
To view the steps to edit the basic SAML configurations click here…
When setting up the claims outlined in step 2 of the Microsoft guide, you can click here to view screenshots of how they should look…
Content Workflow uses 'email address' as the unique identifier. If a user's email address changes in their IDP, Content Workflow will create a new user when they next log in to the platform.
For step 3 of the Microsoft guide, the certificate should be copied and pasted into the Content Workflow SSO page in the "Public Certificate" box:
For step 4 of the Microsoft guide, the fields that should be copied into Content Workflow are Identity provider issuer:
Microsoft Azure field name, Content Workflow field name, Login URL, SAML 2.0 Endpoint (HTTP), Azure AD Identifier, Identity provider issuer
The final two fields to be set are;
The login button
The default user role
Customise the login button text
This is the text that users will see on the login screen when logging into Content Workflow via SAML SSO.
For example, you could change the login button text to Login with SAML SSO e.g…
Default user role
This is the default role that is applied to new registrants when they register on Content Workflow via SAML SSO. Users can still be updated from inside the Content Workflow account via the People & Groups pages.
Once all the fields are set, click Validate SAML settings.
This will attempt to log your user in with the settings provided, by first redirecting you to your Microsoft Azure portal. If a successful login is detected, the user will be able to turn on SSO for the account, this will then;
Require all users to log in with SAML SSO from this point forward
Send an email to all existing users in the account, notifying them that SAML SSO has been enabled
Allow users to register via their IDP to the account.
Disabling SAML SSO
If an account has SAML SSO enabled, it can be disabled by visiting the Account Settings page and navigating to the SAML SSO tab.
From here a 'Turn off SAML SSO' button will be visible.
When SAML SSO is disabled for an account this will;
Require all users who do not have a password to set a password
Automatically send an email to all existing users, notifying them that SAML SSO has been disabled for the account
Log users out and require that they log in with their username and password