Configure SAML SSO

Implementing Single Sign-On (SSO) using SAML can save a lot of time for both users and administrators. With SSO, anyone in your network can simply click the SSO button on the portal's login page to log in quickly without needing a separate username and password for Bynder.

SSO also allows for automatic creation of new user accounts through Just-in-Time provisioning (JIT). This eliminates the need for manual account creation by portal administrators. By setting up a profile or group mapping, a user account with the appropriate permission profile is automatically created when a user logs in for the first time using SSO.

Caution

This article describes a self-service SSO configuration to set up one or multiple SSO flows. Contact your Customer Success Manager to confirm your portal has been enabled for Self Service SSO.

Who can create and update SAML SSO flows?

Create a New SAML SSO flow

Note

Status: Allows you to enable or disable this SSO flow. You can only enable it if you have fully set up the flow.

  1. Navigate to Settings > Advanced Settings > Portal Settings.

  2. Click Login Configuration on the left sidebar.

  3. Click New login method, then select SAML SSO.

  4. Enter a name for the SSO flow to allow you to identify it quickly, and then click Save.

    The name will only be visible within the Login configuration section. You can update the SSO button's label on the login page that users see.

  5. SAML Settings: These are the minimum settings needed to integrate with the identity provider.

  6. View setup instructions: Click to see all the instructions and details needed to set up Bynder on your identity provider.

    • Click Permalink XML to access this information as an XML file.

  7. [optional] Add XML file: Click to upload or paste the XML file from your identity provider. If you add an XML file, the settings below will be prefilled automatically; otherwise, you must enter the details from your identity provider, such as Okta, Azure, etc.

  8. Identity provider identifier: Enter the primary identifier of your identity provider, also known as entity ID or issuer.

  9. Identity provider login URL: Enter the endpoint from your identity provider where Bynder should send the login requests.

  10. Identity provider certificate: Click Add Certificate to add the certificate from your identity provider. You can add multiple certificates.

    • Enter the certificate name, then either upload the certificate or paste the details in the Certificate box. Click the pencil icon to edit or the trash icon to delete.

      Note

      You will see real-time validation for the certificate, including Inactive, Active, or Expired. If the certificate is Active, you will also see the expiration date.

      PEM/x509 is the only supported format for the certificate.

Users Provisioning

Allows you to choose how you would like Bynder to handle your SSO users.

  • Just-in-time user provisioning: Click the toggle to enable or disable just-in-time user provisioning. Enable it if you want Bynder to automatically create users in the portal when they log in with SSO for the first time. If disabled, an admin will need to manually create a user in Bynder before they can log in for the first time using SSO.

    • If enabled, you must select the default user permission profile from the dropdown list. Unless you have added user profile mapping, users will automatically be added to this permission profile upon login.

    • If disabled, an admin must manually create a user in Bynder before logging in for the first time using SSO.

Note

  • We do not currently support automated user de-provisioning.
  • The user will not be created if you've reached the licensed user seat limit outlined in your agreement. They will see an error message when attempting to log in, and an error will be recorded in Logs.
    • Update users upon login: Click the toggle to enable or disable this feature and choose which attributes you would like to update upon every user login.

      • Update user attributes: Enable if you'd like to update user attributes according to the mappings defined below.

      • Update user profiles: Enable if you'd like to update user profiles according to the mappings defined below.

      • Update user groups: Enable if you'd like to update user groups according to the mappings defined below.

      Note

      Do not enable Update users upon login when you do not have relevant mappings in your Identity provider. When this feature is enabled, and if a user does not match any of the Permission Profiles set or no profile mappings are set up, the user will be assigned the default permission profile.

       

User Attributes Mapping

You can map the attributes Username, Email, First name, Last name, etc., in Bynder to the corresponding attributes in your identity provider.

Note

  • Bynder now supports the functionality of mapping the email and username separately. This will allow for accurate mappings if your users have usernames that are different from their emails.
  • By default, Bynder will use SAML NameID to map the username and email when updating or creating users.
  • To map these attributes from your Identity Provider, uncheck the checkbox and input the relevant user attribute IDs.

(Optional) User Profiles Mapping

You can map permission profiles in Bynder with the profiles in your identity provider. This will automatically add users with specific identity provider profiles to a permission profile within Bynder, reducing manual work for the Bynder administrator.

Note

If you've reached the limit for licensed users to access the permission profile, the user's profile remains the same.

  1. Click Add Profile.

  2. You can enter the name of the User profile attribute, the name used in your identity provider for the user group attribute.

    Note

    An exact match is required for the mapping to work.

  3. Select the Bynder permission profile from the dropdown, then add the identity provider profiles that should be mapped to it.

    Note

    If the user profile name on the IdP side does not match any of the Profile mappings set, the user will be assigned the default permission profile.

  4. Click +Add Profile to add additional Profiles to the mappings.


(Optional) User Group Mapping

  1. Click Add Groups to map user groups in Bynder with groups in your identity provider.

    Note

    This will automatically add users that belong to specific identity provider groups to user groups within Bynder, reducing manual work for the Bynder administrator.

  2. Enter the User group attribute name, the name used in your identity provider for the user group attribute. An exact match is required for the mapping to work.

  3. Select the Bynder user group from the dropdown, then add the identity provider groups that should be mapped to it.

  4. Click Add Group to add additional mappings.
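
A mapping that misses by one character does not fail visibly: per the notes above, the user is assigned the default permission profile instead. The dry run below is an added example, not Bynder code; it models the profile and group mapping rules described on this page against a sample of the attributes your identity provider sends, so mismatches show up before Update users upon login is enabled. Assumptions: all attribute, profile and group names are hypothetical, values are compared case-sensitively, and every matching profile is listed because this page does not say how several matches are resolved.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement, as an IdP might send it; all names are hypothetical.
SAMPLE_ATTRIBUTES = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="bynderProfile">
    <saml:AttributeValue>Marketing-Editors</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>emea-brand</saml:AttributeValue>
    <saml:AttributeValue>EMEA-Press</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_values(statement_xml, attribute_name):
    """Values of one attribute; the attribute name itself must match exactly."""
    root = ET.fromstring(statement_xml)
    return [v.text or "" for a in root.findall("saml:Attribute", NS)
            if a.get("Name") == attribute_name
            for v in a.findall("saml:AttributeValue", NS)]


def dry_run(statement_xml, profile_attr, profile_map, default_profile,
            group_attr, group_map):
    """Predict profile and groups; each map is {Bynder name: [IdP values]}."""
    sent_profiles = attribute_values(statement_xml, profile_attr)
    matched = [name for name, idp_values in profile_map.items()
               if set(idp_values) & set(sent_profiles)]
    sent_groups = attribute_values(statement_xml, group_attr)
    groups = [name for name, idp_values in group_map.items()
              if set(idp_values) & set(sent_groups)]
    mapped_values = {v for idp_values in group_map.values() for v in idp_values}
    return {
        # No exact match means the default permission profile is assigned.
        "profiles": matched or [default_profile],
        "fell_back_to_default": not matched,
        "groups": groups,
        # IdP group values that no mapping would pick up.
        "unmapped_group_values": [v for v in sent_groups if v not in mapped_values],
    }
```

Because every miss lands on the default permission profile, that profile is the one to keep at the lowest level of access.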


Update identity provider certificate

For your users to continue logging in via SSO, you must update the identity provider certificate(s) before the expiration date. These can be added anytime; Bynder only uses the currently active certificates when logging in.

  1. Navigate to Settings > Advanced Settings > Portal Settings.

  2. Click Login Configuration on the left sidebar.

  3. Click the login method for which you need to update the certificate, then select SAML settings.

  4. In the Identity Provider Certificates section, click Add Certificate or click the pencil icon next to the certificate that is about to expire.

  5. Enter the certificate name, then either upload the certificate or paste the details in the Certificate box. Click the pencil icon to edit or the trash icon to delete.

  6. You will see real-time validation for the certificate, including Inactive, Active, or Expired. If the certificate is active, you will also see the expiration date.

FAQ

Can I set up more than one SSO provider in my Bynder account?

You can set up more than one of the following SSO methods to allow your users more than one SSO option for logging into their portals. You can learn more about enabling SSO with Bynder here.

I followed the above directions to set up SSO in my account, and my users received an error when logging in.

Check out this article to view the error logs and troubleshooting tips to resolve the issue.
