Configure SAML SSO

Single Sign-On (SSO) can be a big time saver for both users and administrators. When one or multiple SAML SSO flows are implemented in a portal, anyone in your network can click the SSO button on the portal's login page to log in quickly, without needing a separate Bynder username and password.

SSO also allows you to create new user accounts automatically (Just-in-Time provisioning, JIT), which takes this manual task away from portal administrators. By setting up profile or group mapping, you can ensure that a user account with the appropriate permission profile is created when a user logs in for the first time using SSO.

Note

This article describes a new section that is available in the latest version of the setup for one or multiple SAML SSO flows. You may not be using this version yet, as we've enabled it for only a limited number of Bynder portals.

To learn more about using other methods of SSO, click Enable Single Sign-On (SSO) for Bynder.

Who can create and update SAML SSO flows?

Users with the following permissions will be able to update the login configuration:

  • Manage login configuration

  • Manage portal settings

Create new SAML SSO flows

  • Navigate to Settings > Advanced Settings > Portal Settings.

  • Click Login Configuration on the left sidebar.

  • Click New login method, then select SAML SSO.

  • Enter a name for the SSO flow so that you can easily identify it, then click Save. The name will only be visible within the Login configuration section. You will be able to update the label of the SSO button that users see on the login page.

  • Status: Allows you to enable or disable this SSO flow. Note: You won’t be able to enable it if you have not fully configured the flow.

  • Name: You can edit the name of the SSO flow. Make sure to click Apply.

  • SAML Settings: These are the minimum settings needed to integrate with the identity provider.

    • View setup instructions: Click to see all of the instructions and details needed to set up Bynder on your identity provider.

      • Click Permalink XML to access this information as an XML file.

    • [optional] Add XML file: Click to upload or paste the XML file from your identity provider. If you add an XML file, the settings below will be prefilled automatically. Otherwise, you will need to enter the details from your identity provider, such as Okta, Azure, etc.

    • Identity provider identifier: Enter the main identifier of your identity provider, also known as entity ID or issuer.

    • Identity provider login URL: Enter the endpoint from your identity provider where Bynder should send the login requests.

    • Identity provider certificate: Click add certificate to add the certificate from your identity provider. Multiple certificates can be added.

      • Enter the certificate name, then either upload the certificate or paste the details in the Certificate box. Click the pencil icon to edit or the trashcan icon to delete.

      • You will see real time validation for the certificate, including Inactive, Active, or Expired. If the certificate is Active, you will also see the expiration date.

  • User provisioning: Allows you to choose how you would like Bynder to handle your SSO users.

    • Just in time user provisioning: Click the toggle to enable or disable just in time user provisioning. Enable it if you would like Bynder to create users in the portal automatically when they log in with SSO for the first time. If disabled, a user must first be created manually in Bynder by an admin before they can log in for the first time using SSO.

      • If enabled, you will need to select the Default user permission profile from the dropdown list. This will be the permission profile that users will automatically be added to upon login, unless you have added user profiles mapping (see below).

      • Note: We do not currently support automated user deprovisioning.

    • Update all attributes upon login: Click the toggle to enable or disable this update. Enable if you'd like to update all user attributes upon every user login and according to the mappings defined below.

      • For example, if the Last name of a user changes in the identity provider, Bynder will automatically update the last name of the user as well.

    • User attributes mapping: Map Email, First name, and Last name attributes in Bynder with the corresponding attributes in your identity provider. An exact match is required.

    • User profiles mapping (Optional): Click Add profile to map user permission profiles in Bynder with profiles in your identity provider. This will automatically add users that belong to specific identity provider profiles to a specific permission profile within Bynder, reducing manual work for the Bynder administrator.

      • Enter the User profile attribute name, which is the name used in your identity provider for the user group attribute. An exact match is required for the mapping to work.

      • Select the Bynder permission profile from the dropdown, then add the identity provider profiles that should be mapped to it.

      • Click Add profile to add additional mappings.

    • User groups mapping (Optional): Click Add groups to map user groups in Bynder with groups in your identity provider. This will automatically add users that belong to specific identity provider groups to user groups within Bynder, reducing manual work for the Bynder administrator.

      • Enter the User group attribute name, which is the name used in your identity provider for the user group attribute. An exact match is required for the mapping to work.

      • Select the Bynder user group from the dropdown, then add the identity provider groups that should be mapped to it.

      • Click Add group to add additional mappings.
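Because the mappings above only work on an exact match, it helps to compare the strings typed into the mapping fields against a decoded test assertion from your identity provider before enabling the flow. The following is an added example, not Bynder code: the assertion, the attribute names and the group names are constructed, and treating group values as exact-match strings is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of a decoded test assertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jo@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jo</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Marketing</saml:AttributeValue>
      <saml:AttributeValue>brand-admins </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical values, as they would be typed into the mapping fields.
CONFIGURED_ATTRIBUTES = ["email", "firstName", "lastName", "groups"]
CONFIGURED_GROUP_ATTRIBUTE = "groups"
CONFIGURED_IDP_GROUPS = ["Marketing", "brand-admins"]


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} exactly as sent, with no normalisation."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def exact_match_report(configured, sent):
    """Classify each configured string as exact, near-miss or missing."""
    report = {}
    for name in configured:
        if name in sent:
            report[name] = "exact"
            continue
        # Same text apart from letter case or surrounding whitespace.
        near = [s for s in sent if s.strip().lower() == name.strip().lower()]
        report[name] = f"near-miss: IdP sends {near[0]!r}" if near else "missing"
    return report


sent = read_attributes(SAMPLE_ASSERTION)
name_report = exact_match_report(CONFIGURED_ATTRIBUTES, sent)
group_report = exact_match_report(CONFIGURED_IDP_GROUPS, sent.get(CONFIGURED_GROUP_ATTRIBUTE, []))
print(name_report, group_report, sep="\n")
```

A near-miss on a profile or group mapping means the user would not receive the mapped profile and, with just in time provisioning enabled, would get the default permission profile instead, so the default is best kept at the lowest privilege you can accept.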

Update identity provider certificate

You will need to update the identity provider certificate(s) before the expiration date in order for your users to continue to log in via SSO. Certificates can be added at any time; Bynder only uses the currently active certificates when logging in.

  • Navigate to Settings > Advanced Settings > Portal Settings.

  • Click Login Configuration on the left sidebar.

  • Click the login method that you need to update the certificate for, then select SAML settings.

  • In the Identity provider certificates section, either click Add certificate or click the pencil icon next to the certificate that is set to expire.

  • Enter the certificate name, then either upload the certificate or paste the details in the Certificate box. Click the pencil icon to edit or the trashcan icon to delete.

  • You will see real time validation for the certificate, including Inactive, Active, or Expired. If the certificate is active, you will also see the expiration date.