The single sign on (SSO) and user provisioning features let you manage your users in a third-party identity provider (IdP) such as Microsoft Azure, Okta or Google, and let your users log in through your IdP.
To enable single sign on, you must be an admin user.
Go to Account settings > Security > Single sign on.
Configure the settings for your chosen IdP. Instructions for some well-known identity providers are below.
Microsoft Azure (SSO & User provisioning)
Sign in to your Azure portal and go to Azure Active Directory.
Go to Enterprise applications and click "Create your own application".
Under the name option, enter a name for embed signage that will appear for your users.
Select "Integrate any other application you don't find in the gallery (Non-gallery)" as the application type and click "Create".
You do not need to add the app icon. If you want one, you can upload a logo in the properties section; you can download an icon here.
User provisioning
To enable user provisioning in embed signage, you must be an admin user.
Go to embed signage > Account settings > Security > User provisioning
Create a token, then copy it and your base URL somewhere safe, as you'll need to enter them in the next steps.
You can select a role to apply to users that are provisioned. If you do not select a role, a new role will be created, and you will need to update the role to add permissions to provisioned users.
Back in Microsoft Azure, go to the Provisioning section in the app you set up for embed signage and click "Get started".
Choose the automatic provisioning mode.
Enter your base URL (Tenant URL) and Secret token and click test connection.
SSO
Go to the Single sign on section and click SAML based sign on.
Edit the basic configuration and, in Identifier, enter your Entity ID. You can find this in embed signage > Account settings > Security > Single sign on.
In the Reply URL, enter your embed signage sign in URL. You can find this in embed signage > Account settings > Security > Single sign on.
In the Sign on URL, enter your embed signage sign in URL. You can find this in embed signage > Account settings > Security > Single sign on.
In the Logout URL, enter your embed signage logout URL. You can find this in embed signage > Account settings > Security > Single sign on.
Click save and then download the Federation Metadata XML from section 3.
Head over to embed signage > Account settings > Security > Single sign on.
Enable single sign on and upload the Federation Metadata XML file you downloaded earlier.
Click save changes. Your account is now ready to use single sign on. Log out and test it.
Okta (SSO & User provisioning)
Log in to your Okta account and go to applications.
Click "Create app integration", select "SAML 2.0" and click "Next".
Under the name option, enter a name for embed signage that will appear for your users.
You do not need to add the app icon. If you want one, you can download an icon here.
Click "Next".
In the Sign on URL, enter your embed signage sign in URL. You can find this in embed signage > Account settings > Security > Single sign on.
In the audience URI, enter your Entity ID. You can find this in embed signage > Account settings > Security > Single sign on.
Select EmailAddress as the Name ID format.
Select Email as the Application username and click "Next".
When finished, click "View setup instructions".
Scroll to where it says optional and copy the entire contents of the text box "Provide the following IDP metadata to your SP provider".
Head over to embed signage > Account settings > Security > Single sign on.
Enable single sign on and paste the contents of the text box in Okta you copied earlier.
Click save changes. Your account is now ready to use single sign on. Log out and test it.
User provisioning
To enable user provisioning in embed signage, you must be an admin user.
Go to embed signage > Account settings > Security > User provisioning.
Create a token, then copy it and your base URL somewhere safe, as you'll need to enter them in the next steps.
You can select a role to apply to users that are provisioned. If you do not select a role, a new role will be created, and you will need to update the role to add permissions to provisioned users.
Back in Okta, go to the General tab in the app you set up for embed signage, edit app settings and tick the box "Enable SCIM provisioning".
Save changes and then go to the newly created "Provisioning" tab.
Edit the SCIM connection and enter your base URL.
Enter "userName" as the Unique identifier field for users.
Under supported provisioning actions, select "Push New Users", "Push profile updates" and "Push Groups".
Select HTTP Header as the Authentication Mode and enter the token you created earlier into the Authorization Bearer token field and click "Save".
Google (SSO)
Log in to the Google Admin console and go to Web and mobile apps.
Click add app and choose "Add custom SAML app".
Enter embed signage as the app name, or any other name you prefer.
You do not need to add the app icon; however, you can download an icon here. Click continue.
Download the IdP metadata file by clicking the "Download metadata" button and save it for later. Click continue.
Enter your Login URL as the ACS URL. You can find this in embed signage > Account settings > Security > Single sign on.
Enter your Entity ID. You can find this in embed signage > Account settings > Security > Single sign on.
Under name id format, ensure EMAIL is selected.
Under name id, ensure Primary email is selected. Click continue.
You don't need to add attribute mapping so click finish.
Head over to embed signage > Account settings > Security > Single sign on.
Enable single sign on and upload the metadata file you downloaded earlier.
Click save changes. Your account is now ready to use single sign on. Log out and test it.