Configure OpenID SSO

Single Sign-On (SSO) can be a big time saver for both users and administrators. By implementing one or multiple OpenID SSO flows in a portal, anyone in your network can click the SSO button on the login page to log in quickly without needing a separate Bynder username and password.

SSO also allows you to automatically create new user accounts (Just in Time provisioning - JIT), which removes this manual task from portal administrators. Setting up a profile or group mapping ensures that a user account with the appropriate permission profile is created when a user logs in for the first time using SSO.

Learn more about enabling SSO for Bynder and configuring other methods of SSO here.

Caution

This article describes a self-service SSO configuration to set up one or multiple SSO flows. Contact your Customer Success Manager to confirm your portal has been enabled for Self Service SSO.

Who can create and update OpenID flows

Create new OpenID SSO flows

Note

Status: Allows you to enable or disable this SSO flow. You won't be able to enable it if you have not fully configured the flow.

  1. Navigate to Settings > Advanced Settings > Portal Settings.

  2. Click Login Configuration on the left sidebar.

  3. Click New login method, then select OpenID SSO.

  4. Enter a Name for the SSO flow to allow you to easily identify it, and then click Save.

    Note

    The name will only be visible within the Login configuration section. You will be able to update the label of the SSO button on the login page that appears to users.

  5. OpenID Settings: These are the settings needed to integrate with the identity provider. You can find them in the application configuration of your identity provider. For additional information contact your IdP customer support.

    • Client ID: Enter the Client ID from your SSO provider.

    • Client secret: Enter the secret from your SSO provider.

    • Scope: Enter the scopes (identifiers for resources) that you want the SSO provider to have access to.

    • Authorization URL: Enter the URL where users need to be sent in order to start the authentication process.

    • Token URL: Enter the URL to exchange the authorization code for the access token.

    • JWKS URL: Enter the URL that contains the JSON Web Key Set to verify the identity token.

    • Use user info endpoint: Enable if the user's claims (information) will be fetched from the user endpoint. Enter the user info endpoint URL here.

      • If disabled, the claims will be read from the token only.
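Most identity providers publish these URLs in an OpenID Connect discovery document. The following pre-flight check is an added example, not Bynder's code: it maps the standard discovery keys to the form fields above and flags values to resolve before saving. The document contents, the idp.example host and the space-separated scope string are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, as an IdP publishes it at
# <issuer>/.well-known/openid-configuration. idp.example is a placeholder.
DISCOVERY = json.loads("""{
  "issuer": "https://idp.example",
  "authorization_endpoint": "https://idp.example/oauth2/authorize",
  "token_endpoint": "https://idp.example/oauth2/token",
  "jwks_uri": "https://keys.idp.example/jwks.json",
  "userinfo_endpoint": "http://idp.example/oauth2/userinfo",
  "scopes_supported": ["openid", "profile", "email", "groups"]
}""")

# Form field on this page -> standard discovery metadata key.
FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
    "User info endpoint URL": "userinfo_endpoint",
}

def plan_form(discovery, scope):
    """Return (values to enter in the form, findings to resolve first)."""
    values, findings = {"Scope": scope}, []
    issuer_host = urlsplit(discovery["issuer"]).hostname
    for label, key in FIELDS.items():
        url = discovery.get(key)
        if url is None:
            findings.append(f"{label}: IdP does not publish {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{label}: {url} is not HTTPS")
        elif parts.hostname != issuer_host:
            findings.append(f"{label}: host {parts.hostname} differs from "
                            "the issuer, confirm it belongs to the IdP")
        values[label] = url
    requested = scope.split()
    if "openid" not in requested:
        findings.append("Scope: OpenID Connect requests must include 'openid'")
    supported = discovery.get("scopes_supported", requested)
    findings += [f"Scope: '{s}' is not advertised by the IdP"
                 for s in requested if s not in supported]
    return values, findings

if __name__ == "__main__":
    print(*plan_form(DISCOVERY, "openid email roles"), sep="\n")
```

A JWKS or token host that differs from the issuer is common with large providers, so that finding is a prompt to confirm ownership rather than an error.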

Users Provisioning

  • Just-in-time user provisioning: Click the toggle to enable or disable just-in-time user provisioning. Enable if you would like Bynder to create users in the portal automatically when they log in with SSO for the first time. If disabled, a user will first need to manually be created in Bynder by an admin before they can log in for the first time using SSO.

    Note

    We do not currently support automated user deprovisioning.

    If you’ve reached the licensed user seat limit outlined in your agreement, the user will not be created. They will see an error message when attempting to log in and an error will be logged in Logs.

    • If enabled, you will need to select the Default user permission profile from the dropdown list. Users will automatically be added to this permission profile upon login unless you have added user profile mapping (see below).

    • If disabled, a user will need to manually be created in Bynder by an admin before they can log in for the first time using SSO.

  • Update users upon login: Click the toggle to enable or disable this feature and choose which attributes you would like to update upon every user login.

    • Update user attributes: Enable if you’d like to update user attributes according to the mappings defined below.

    • Update user profiles: Enable if you’d like to update user profiles according to the mappings defined below.

    • Update user groups: Enable if you’d like to update user groups according to the mappings defined below.

    Note

    Do not enable Update users upon login when you do not have relevant mappings in your Identity provider. When this feature is enabled, and if a user does not match any of the profile mappings or no profile mappings are set up, then the user will be assigned the default permission profile.

User attributes mapping

You can map Username, Email, First name, Last name, etc. attributes in Bynder with the corresponding attributes in your identity provider.

  1. Click Add attributes.

  2. Type or paste the attribute ID from your identity provider to map them to the ones in Bynder.

Note

An exact match is required.

Note

Bynder now supports the functionality to map the email and username separately. This will allow for accurate mappings if your users have usernames different from their emails.


User profiles mapping (Optional)

You can map permission profiles in Bynder with the profiles in your identity provider. This will automatically add users that belong to specific identity provider profiles to a specific permission profile within Bynder, reducing manual work for the Bynder administrator.

Note

If you’ve reached the limit of licensed users for the permission profile, the user’s profile will not be updated.

  1. Click Add profile.

  2. Enter the User profile attribute name, the name used in your identity provider for the user profile attribute. An exact match is required.

  3. Click Select profile and choose the Bynder permission profile.

  4. Add the identity provider user profile names or IDs that should be mapped to it.

  5. Click Add profile to add additional mappings.
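The attribute and profile mapping rules above (exact match required, default permission profile when nothing matches) can be checked against a sample token before the flow is enabled. This dry run is an added example that models those stated rules and is not Bynder's code; the claims, mapping values and profile names are hypothetical, and treating "exact" as case-sensitive with the first matching profile winning is an assumption.

```python
# Constructed sample: the claims of a decoded ID token payload.
CLAIMS = {
    "sub": "u-1001", "email": "ana@corp.example", "given_name": "Ana",
    "Family_Name": "Ruiz", "roles": ["Marketing-Editors"],
}
# Hypothetical mappings as they would be typed into the portal.
ATTRIBUTES = {"Email": "email", "First name": "given_name",
              "Last name": "family_name"}
PROFILE_ATTRIBUTE = "roles"
PROFILES = {"Editor": {"marketing-editors"}, "Admin": {"dam-admins"}}
DEFAULT_PROFILE = "Viewer"

def near_miss(wanted, candidates):
    """Return a candidate equal to `wanted` except for case or whitespace."""
    norm = wanted.strip().casefold()
    return next((c for c in candidates
                 if c != wanted and c.strip().casefold() == norm), None)

def dry_run(claims):
    """Model the page's rules: exact matches only, else the default profile."""
    report = {"attributes": {}, "warnings": []}
    for field, claim in ATTRIBUTES.items():
        if claim in claims:  # exact, case-sensitive claim name
            report["attributes"][field] = claims[claim]
            continue
        hint = near_miss(claim, claims)
        report["warnings"].append(
            f"{field}: claim '{claim}' not in token"
            + (f" (token has '{hint}')" if hint else ""))
    raw = claims.get(PROFILE_ATTRIBUTE, [])
    values = [raw] if isinstance(raw, str) else list(raw)
    matched = [p for p, names in PROFILES.items() if names & set(values)]
    report["profile"] = matched[0] if matched else DEFAULT_PROFILE
    if not matched:
        known = sorted(n for names in PROFILES.values() for n in names)
        for value in values:
            hint = near_miss(value, known)
            if hint:
                report["warnings"].append(
                    f"'{value}' differs from mapped '{hint}' by case/space")
        report["warnings"].append(
            f"no profile mapping matched, user gets '{DEFAULT_PROFILE}'")
    return report

if __name__ == "__main__":
    for key, value in dry_run(CLAIMS).items():
        print(key, value)
```

Because a mistyped mapping lands the user on the default permission profile instead of failing the login, a low-privilege default limits the effect of such a mismatch.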


User group mapping (Optional)

You can map user groups in Bynder with the groups in your identity provider. This will automatically add users that belong to specific identity provider groups to specific user groups within Bynder, reducing manual work for the Bynder administrator.

  1. Click Add groups.

  2. Enter the User group attribute name, which is the name used in your identity provider for the user group attribute. An exact match is required.

  3. Click Select profile and choose the Bynder user group.

  4. Add the identity provider user group names or IDs that should be mapped to it.

  5. Click Add group to add additional mappings.


FAQ

Can I set up more than one SSO provider in my Bynder account?

Yes, you can set up more than one of the following SSO methods to allow your users more than one SSO option for logging into their portals. Learn more about enabling SSO with Bynder here.

I followed the above directions to set up SSO in my account, and my users are receiving an error when logging in.

Check out this article to view the error logs to resolve the issue.
