Member Hubs support single sign-on (SSO) authentication of users using your organization's Identity Provider.
- Azure
- OneLogin
Member Hubs support both service provider initiated (SP-initiated) and identity provider initiated (IdP-initiated) SSO. The methods differ in the sign-in flow experienced by the end-user:
- SP-initiated: The user goes to the Member Hub first. The Member Hub sees that they are not signed in and redirects them to the Identity Provider to sign in. For more information, see Service provider initiated SSO for member hubs.
- IdP-initiated: The user signs in to the Identity Provider portal first (i.e. myapps.microsoft.com for Azure or the OneLogin portal) and clicks an icon to launch the Member Hub. For more information, see Identity provider initiated SSO for member hubs.
Single sign-on simplifies authentication for IT administrators, Community administrators and users, and Member Hub end-users:
- IT administrators can manage end-user access to hubs by configuring users and groups for the organization's identity provider.
- Community administrators and users can add end-users to hubs using system uploads or through a Community integration. They do not need to invite users to join via recruitment surveys.
- End-users can access hubs without setting up a new account, and they may be able to access the hub without signing in. If a user has recently authenticated with your organization's identity provider in their browser, they are automatically authorized when they access a hub they have permissions for. If they have not recently authenticated with your organization's identity provider in their browser, they must authenticate with the identity provider before they can access the member hub.
Setting up and configuring single sign-on typically requires coordination between a Community admin and a system administrator from your organization's IT department. The Community admin needs to enable SSO in member hubs settings and pass the member hub URLs to the system administrator. The system administrator then configures the identity provider and user and group permissions, and returns the required connection information for hubs to communicate with the identity provider.
If necessary, you can configure more than one identity provider, or more than one instance of the same identity provider. This allows you to switch identity providers or update settings without interrupting service for hub end-users.
If single sign-on is configured for a member hub, users will be able to sign in with an existing user name and password, but it is recommended that you disable this feature. Users can continue to use social sign-on from Google, LinkedIn, or Facebook.