1) Get admin users setup with single sign-on

2) Understand how SAML SSO will differ from normal authentication on an account

SAML SSO allows users to register and log in to a Content Workflow account using their IDP (e.g. Microsoft Azure, Google Suite)

When SAML SSO is enabled for an account, new users will be able to join the account simply by belonging to the organisation's IDP. 

This means users using SSO will no longer need to be manually invited to the account, unlike with regular passworded authentication. 

Content Workflow offers support for SP-initiated flow only with HTTP POST binding. You should configure HTTP POST bindings in the IDP metadata.

Content Workflow requires that the following attribute claims be sent when a user logs in:

2. Click on the SSO tab  
​

If you are unable to see the SSO tab, the feature may not be available on your plan or may have been disabled for your account. Please contact customer support, in this case, who will be happy to help look into this for you.

3. Click Setup SSO

4. Copy the information in the following fields that appear, and input those into the IDP:

Field A) Service Provider ACS URL
​Field B) Service Provider Identifier

To do this:

1) Add Content Workflow to your Azure AD organisation

To add Content Workflow as a non-gallery app from within Microsoft Azure, please click here to view the setup instructions…

This will create the application for you and allow you to set up the information on the next screen.
​
​2) Configure your SSO 

To configure Single Sign-On to work with Content Workflow (non-gallery app) click here and follow the steps outlined in this guide.
​

3) Map Microsoft Azure to Content Workflow
​
Below is a list of Microsoft Azure Terms and their Content Workflow equivalent, to help you map the information into your application: 

Microsoft Azure Term, Content Workflow Term, Identifier (Entity ID), Service provider identifier, Reply URL, Not Required, Sign-on URL, Service provider ACS URL, Relay State, Not Required, Logout URL, Not Required

To view the steps to edit the basic SAML configurations click here… 

When setting up the claims outlined in step 2 of the Microsoft guide, you can click here to view screenshots of how they should look… 

Content Workflow uses 'email address' as the unique identifier. If a user's email address changes in their IDP, Content Workflow will create a new user when they next log in to the platform. 

For step 3 of the Microsoft guide, the certificate should be copied and pasted into the Content Workflow SSO page in the "Public Certificate" box: 

For step 4 of the Microsoft guide, the fields that should be copied into Content Workflow are Identity provider issuer:

Microsoft Azure field name, Content Workflow field name, Login URL, SAML 2.0 Endpoint (HTTP), Azure AD Identifier, Identity provider issuer 

The final two fields to be set are;

This is the text that users will see on the login screen when logging into Content Workflow via SAML SSO. 

For example, you could change the login button text to Login with SAML SSO e.g… 

This is the default role that is applied to new registrants when they register on Content Workflow via SAML SSO. Users can still be updated from inside the Content Workflow account via the People & Groups pages. 

Once all the fields are set, click Validate SAML settings. 

This will attempt to log your user in with the settings provided, by first redirecting you to your Microsoft Azure portal. If a successful login is detected, the user will be able to turn on SSO for the account, this will then;

If an account has SAML SSO enabled, it can be disabled by visiting the Account Settings page and navigating to the SAML SSO tab. 

From here a 'Turn off SAML SSO' button will be visible. 

When SAML SSO is disabled for an account this will;