Enabling SSO authentication for your account allows you to leverage your existing Identity Provider to manage your GoCanvas users.
Please Note
Accounts cannot use both SSO and LDAP simultaneously.
Single Sign On
SSO is especially valuable if you are managing a large number of users and need more control over who has access to their GoCanvas account.
- Navigate to the Account Settings page by expanding the Account drop down in the left navigation. If Departments are enabled, remember to switch to the All department.
- Scroll to Advanced Settings and select the Settings button associated with Single Sign On. If Single Sign On is not included in your plan, you will receive a pop-up requiring you to upgrade your plan.
Configuring SSO
Below the screenshot of the Single Sign On Settings page are explanations for each field.
This is the Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IDP EntityDescriptor.
Specifies whether to sign SAML AuthnRequest messages that are sent from GoCanvas to the Identity Provider. When enabled, the SAML authentication request will be signed. Download the certificate (open the View setup instruction for IDP provider section) and give it to the Identity Provider that will receive the signed request so it can validate the signature.
Adding Users
You can add your SSO users to GoCanvas by navigating to the Users page under the Account drop down in the left navigation. Add users by selecting the Fill Seat button for any empty seat. Contact your Account Representative if you need additional seats.
If you have SSO configured within your account, the form will check the Use SSO Authentication checkbox by default. If you wish to set up any particular user without SSO for authentication, unchecking this box will present you with options for setting the user's password directly within GoCanvas.
Disabling Users
Disabling a user within your authentication server will not disable their GoCanvas account, but it will prevent them from logging in. Note that already authenticated users will remain authenticated on the web, but will be unable to log in or sync via the GoCanvas mobile application. If it's important that their access to GoCanvas be revoked immediately, disable the user on the website by navigating to the Users page under the Account drop down in the left navigation and selecting the Disable icon for that user.
Editing a User's Settings
At any time, you can turn off SSO authentication for a user's GoCanvas account by navigating to the Users page under the Account drop down and selecting the user's name, then Edit SSO Settings.
Forgotten Passwords
When a user is configured to authenticate to an Identity Provider, GoCanvas is unable to use the typical forgotten password process. Instead, when a user visits the Forgot Password form and enters their email address, GoCanvas detects that they are an SSO user and prompts them to seek help from their company IT department or help desk.
How it Works
GoCanvas uses an SP-Initiated SSO method of authenticating your users to your Identity Provider. When a user attempts to authenticate, GoCanvas looks up the Identity Provider settings you configured and determines the user's SSO settings. The request is redirected to the Identity Provider to handle authentication. If the user is not already logged on to the Identity Provider site or if re-authentication is required, the Identity Provider asks for credentials, i.e. username and password.
The Identity Provider's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to GoCanvas. If the authentication assertion for the user succeeds, GoCanvas considers the user to be authenticated and allows him/her access. If the authentication assertion fails, the user is denied access.
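To confirm that the request-signing option described under Configuring SSO is taking effect, you can decode the redirect that starts the SP-initiated flow. The following is an added example, not GoCanvas code: it assumes the request travels in the SAML HTTP-Redirect binding (which this page does not state), and the URLs, request ID and signature value in it are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # refuse requests that inflate beyond this size

def inspect_redirect(url):
    """Decode the SAMLRequest carried in a redirect URL and summarize it."""
    query = parse_qs(urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter in URL")
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    # HTTP-Redirect binding uses raw DEFLATE (no zlib header): wbits=-15.
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(raw, MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated request exceeds size limit")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        # In this binding the signature is sent as query parameters, not in the XML.
        "signed": "Signature" in query and "SigAlg" in query,
        "sig_alg": query.get("SigAlg", [None])[0],
    }

def build_sample(signed):
    """Constructed sample redirect URL; every value is a placeholder."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
           'ID="_constructed123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
           'AssertionConsumerServiceURL="https://sp.example.com/acs">'
           '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
           '</samlp:AuthnRequest>') % (NS["samlp"], NS["saml"])
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signed:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = "Q09OU1RSVUNURUQ="  # placeholder, not a real signature
    return "https://idp.example.com/sso?" + urlencode(params)

if __name__ == "__main__":
    print(inspect_redirect(build_sample(signed=True)))
```

A `signed` value of `True` only shows that the signature parameters are present; the Identity Provider still has to validate the signature against the certificate you gave it.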