SAML based SSO authentication
Written by Agnes Burkus
Updated over a week ago

Protect your corporate intellectual property with SAML based SSO authentication

We have two features that enable you to tighten up security in StoriesOnBoard.
The first is Domain Control, which allows you to bring your corporate domains to StoriesOnBoard and set up authentication rules for all existing and future StoriesOnBoard users of your domains. You may require users to use your existing corporate SAML 2.0 based Single Sign On authentication method or simply define and enforce stricter password policies.
The second is extended workspace security settings, with email domain based access control and IP address white lists. We provide access logs and activity logs to help you monitor work on your corporate workspace.

Company controlled authentication

Domain Control helps you manage user authentication for all StoriesOnBoard users having accounts with @yourcompany.com email addresses.

Setting up Domain Control

There are three steps to take in order to gain these administrative privileges over your domain. Go to the Domain Control dashboard, which you can access from the Advanced tab found on your Profile, and initiate the process by claiming your domain name.

Step 1: Claim your domain

By claiming your domain, you initiate a verification process for a specific domain name. Tell us your domain name and the company's name, and select a method for the ownership verification. We support two methods:

  • You either create a text file and upload it directly under your domain, where we can check it,

  • or create a TXT record in your domain's DNS settings, which proves you have administrator rights to that domain.

Step 2: Verify your domain

As mentioned before, we currently support two ways of verification. Click on the Verify button on your Domain Control dashboard and you'll find short step-by-step instructions for your selected ownership verification method. We don't have a time limit for these steps, since you might need to forward the instructions to someone at your IT department to complete the process.

Step 3: Our approval

Our manual review and approval is the last step in the process. We'll notify you once you become the administrator of the domain, and we'll also notify our existing users that the control over their accounts is now in your hands.

Configuring Domain Control

After a successful ownership verification process, you may set up authentication rules for your domain by clicking on the Configure button.

General settings

The settings on this tab allow you to set up a password policy for your users.

By enabling “Enforce password policy” you may set the requirements user passwords need to meet. You can configure the minimum length and the number of different characters and digits.

You may also require users to choose different passwords from their previous ones or require them to update their passwords regularly.

You might want to click “Force all users of this domain to change their passwords on the next login” to make sure all user passwords get updated at the next login.

SSO Settings 

The Single Sign On settings allow you to integrate your corporate authentication methods into StoriesOnBoard. With this feature, users of your domain no longer need to log in to StoriesOnBoard on our site; they use your Corporate Identity Provider's interface instead. This way you can transfer authentication and access related tasks from StoriesOnBoard completely under the control of your company. We support SAML 2.0 protocol based SSO providers.

By ticking the Enable SAML 2.0 Single Sign On checkbox, you turn on the SSO authentication option for your domain. With SSO enabled, a 'Corporate login' button appears on the login screen every time a user tries to log in with an e-mail address that belongs to your controlled domain. If you configure Single Sign On to be optional, users can choose between the corporate login option and signing in the standard way by entering their StoriesOnBoard password. If you set Single Sign On to required, users of your controlled domain will be redirected to your Corporate Identity Provider's sign-in page and redirected back to StoriesOnBoard after a successful login. We recommend that you test your configuration with SSO set to optional and switch to SSO required once your system is configured and works flawlessly.

Attribute mapping enables us to read the first and last name attributes of a user account. Since we address users by their names in StoriesOnBoard, we need to be able to get this information. Please configure the variable names that hold your users' first and last names in your system. Please note that we don't ask for any further information about your users.

When the Single logout option is enabled, StoriesOnBoard sends a notification to your Corporate Identity Provider that a logout request was made in StoriesOnBoard. You might want to use this information to log the user out of other services as well.

The logout redirect URL is an address where we redirect the users who've just signed out of StoriesOnBoard.

The Identity Provider Metadata text box is where you should paste the contents of the SAML configuration XML file. This configuration file is obtained from your Corporate Identity Provider and is referred to as SAML 2.0 configuration XML or configuration metadata. This XML file follows a SAML schema and contains all the information we need to reach your Corporate Identity Provider. Please obtain this XML file from your Corporate Identity Provider and copy its content into this text box.

SP Meta Data

This tab shows you all the settings and information you might need to configure your SSO service provider. You'll find a link at the bottom of this tab which helps you download these settings in a file. Most SSO providers allow you to configure their system with such a configuration file.

Domain admins

Domain admins have the right to view and modify the Domain Control settings. This tab allows you to add further administrators to your domain if necessary.