Login to Content Workflow using SSO - SAML Single Sign-on

Sign in to your Content Workflow account using your IdP, such as Microsoft Azure or G Suite, with SAML Single Sign-On (SSO).

Written by Bruno Wilson
Updated over a week ago

The aim of this guide is to: 

1) Get admin users set up with single sign-on

2) Understand how SAML SSO will differ from normal authentication on an account

SAML SSO allows users to register and log in to a Content Workflow account using their IDP (e.g. Microsoft Azure, Google Suite).

When SAML SSO is enabled for an account, new users will be able to join the account simply by belonging to the organisation's IDP. 

This means users using SSO will no longer need to be manually invited to the account, unlike with regular password-based authentication.

Content Workflow offers support for SP-initiated flow only with HTTP POST binding. You should configure HTTP POST bindings in the IDP metadata.

Content Workflow requires that the following attribute claims be sent when a user logs in:

Setup SSO within Content Workflow

1. Go to Account Settings

2. Click on the SSO tab  

If you are unable to see the SSO tab, the feature may not be available on your plan or may have been disabled for your account. In this case, please contact customer support, who will be happy to look into this for you.

3. Click Setup SSO

4. Copy the information in the following fields that appear, and input those into the IDP:

Field A) Service Provider ACS URL
Field B) Service Provider Identifier

Setup SSO within Microsoft Azure

To do this:

1) Add Content Workflow to your Azure AD organisation

This will create the application for you and allow you to set up the information on the next screen.

2) Configure your SSO 

To configure Single Sign-On to work with Content Workflow (non-gallery app) click here and follow the steps outlined in this guide.

3) Map Microsoft Azure to Content Workflow

Below is a list of Microsoft Azure Terms and their Content Workflow equivalent, to help you map the information into your application: 

| Microsoft Azure Term | Content Workflow Term |
| --- | --- |
| Identifier (Entity ID) | Service provider identifier |
| Reply URL | Not Required |
| Sign-on URL | Service provider ACS URL |
| Relay State | Not Required |
| Logout URL | Not Required |

When setting up the claims outlined in step 2 of the Microsoft guide, you can click here to view screenshots of how they should look… 

Content Workflow uses 'email address' as the unique identifier. If a user's email address changes in their IDP, Content Workflow will create a new user when they next log in to the platform. 

For step 3 of the Microsoft guide, the certificate should be copied and pasted into the Content Workflow SSO page in the "Public Certificate" box.

For step 4 of the Microsoft guide, the fields that should be copied into Content Workflow are:

| Microsoft Azure field name | Content Workflow field name |
| --- | --- |
| Login URL | SAML 2.0 Endpoint (HTTP) |
| Azure AD Identifier | Identity provider issuer |

The final two fields to be set are:

  • The login button

  • The default user role

Customise the login button text

This is the text that users will see on the login screen when logging into Content Workflow via SAML SSO. 

For example, you could change the login button text to "Login with SAML SSO".

Default user role

This is the default role that is applied to new registrants when they register on Content Workflow via SAML SSO. Users can still be updated from inside the Content Workflow account via the People & Groups pages. 

Once all the fields are set, click Validate SAML settings.

This will attempt to log your user in with the settings provided, by first redirecting you to your Microsoft Azure portal. If a successful login is detected, the user will be able to turn on SSO for the account. This will then:

  1. Require all users to log in with SAML SSO from this point forward

  2. Send an email to all existing users in the account, notifying them that SAML SSO has been enabled

  3. Allow users to register via their IDP to the account. 

Disabling SAML SSO

If an account has SAML SSO enabled, it can be disabled by visiting the Account Settings page and navigating to the SAML SSO tab. 

From here a 'Turn off SAML SSO' button will be visible. 

When SAML SSO is disabled for an account, this will:

  1. Require all users who do not have a password to set a password

  2. Automatically send an email to all existing users, notifying them that SAML SSO has been disabled for the account 

  3. Log users out and require that they log in with their username and password
