Enable Single sign-on for Bynder
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property you can log in with a single ID to gain access to a connected system or systems without being prompted for different usernames or passwords.
Supported types of configuration
Bynder supports the 6 most common types of SSO configuration for Bynder logins: cookies, kerberos, certificates, one-time password, integrated windows authentication, security assertion markup language.
Supported standards and services
Bynder supports the most common standards and services for SSO integration using Security Assertion Markup Language (SAML), for example, Active Directory Federation Services (ADFS), OKTA, Azure, Google SSO, and Oracle.
LDAP and ADFS
If you use LDAP, you need to enable your ADFS infrastructure to authenticate users whose identities are stored in LDAP. For more information, see:Configure AD FS to authenticate users stored in LDAP directories
If you want to use Microsoft Azure, see the link for the required integration steps: Tutorial: Azure Active Directory integration with Bynder.
AD and ADFS
We encourage integrating with Active Directory using ADFS POST, Redirect SSO (with the SAML 2.0 standard).
Set up ADFS for SSO
In our standard set up, we’ve created a post redirect to Microsoft ADFS. For this, we use SAML 2.0 with SAML 1.1 assertions. Validation of messages is done with a separate certificate (in pem/x509 format - exchanged together with the ADFS metadata of the identity provider) and we support ONLY message-signed assertions. We work with XML messages that send and decrypt binary data (base64-encoded deflated).
- Configure ADFS for SSO with Bynder. If you use groups in ADFS, you need additional configuration to pass the permissions to Bynder. See how to do it for Windows Server: Implement a trust between Enterprise ADFS 3.0 on Windows Server 2012R2 .
- Decide if the users:
- should see the login page and click the Use your Company X credentials login button,
- should use auto-login. In this case, users will not see the login page but will automatically be directed to the landing page.
- prepare a federationMetadata.xml metadata file. The federation metadata file can be exported as an XML file or can be sent as a URL.To find the XML metadata from the AD, type the following URL in a browser on the AD server:
- This is a generic URL that you can always use to get your metadata information. You only need to replace the yourdomain variable with the real domain name for which you want to get data.
- You can refer to the attachment for an example of the file. You might need an app, such as TextWrangler to open the file.
- create an AD test account that Bynder can use.