SSO: Log in directly from user's IDP

Written by Ha Ngan Nguyen

This article explains how to set up logging in to Creative Force (CF) directly from your users' Identity Provider (IdP). There are two options: fill in the RelayState field in your IdP so that an IdP-initiated login lands in CF, or create a bookmark app in the IdP that opens the CF SP-initiated login URL. Bookmark apps are documented here for Okta, Microsoft Azure, OneLogin, and Duo.

Method 1: Use the default federated-apps dashboard in the IdP (this method uses IdP-initiated SSO)

Many IdPs (Okta, OneLogin, Duo Security, and others) provide a built-in dashboard that lists all federated apps. Users log in to the IdP and choose CF from that dashboard; the IdP then sends a SAML response to CF without CF having requested one.

Make sure the RelayState is configured in your IdP, since it tells CF where to land the user after the assertion is accepted. See "RelayState" in SSO - How to setup SSO in CF.

Some IdPs (for example PingFederate and AD FS) do not natively provide a dashboard from which users can see and open all federated applications. There are a few ways to give users a friendly entry point anyway:

  • Your IT team can create a custom web portal that lists all federated applications, with each link pointing to the IdP-initiated SSO URL of the respective application. This can be a simple static page; the important part is that each link carries the correct RelayState for CF.

1. AD FS

  • Prerequisites: make sure both of the following AD FS properties are set to True (check them in an elevated PowerShell session on the AD FS server):

    • (Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled

    • (Get-AdfsProperties).EnableIdpInitiatedSignonPage

  • Generate the RelayState URL: click here to go to the AD FS help document (Microsoft's guidance on supporting IdP-initiated RelayState).

  • Fill in the following fields in AD FS:

    • IDP URL String: the URL you generated

    • Relying Party Identifier: the identifier of the CF relying party trust

    • Relay State / Target App: copy the relayState value from the Gamma SSO settings

2. PingFederate

  • Follow the /idp/startSSO.ping section of the PingFederate help document (the IdP-initiated SSO endpoint).

  • Note: Creative Force only supports SAML 2.0, so you must pass the target as the TargetResource parameter (the Target parameter is used for SAML 1.x and WS-Federation).
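The AD FS and PingFederate help documents have you assemble these URLs by hand. The following PowerShell is an added example (not Creative Force's, Microsoft's or Ping Identity's code) that checks the two AD FS prerequisites above, builds both IdP-initiated URLs with the right number of encoding layers, and decodes an AD FS URL back so you can confirm which RPID and target the farm will actually see. The host names, relying-party identifier, PartnerSpId and RelayState values are placeholders; substitute your own AD FS/PingFederate values and the relayState from the Gamma SSO settings.

```powershell
# Added example: helpers for IdP-initiated sign-on URLs (AD FS and PingFederate).
# Not Creative Force, Microsoft or Ping Identity code. Host names, identifiers
# and RelayState values below are placeholders (assumptions), not real ones.

function Test-AdfsIdpInitiatedPrereq {
    # Run on an AD FS server (ADFS module, elevated). Both properties must be
    # $true before RelayState on idpinitiatedsignon.aspx is honoured.
    $p = Get-AdfsProperties
    [pscustomobject]@{
        EnableIdpInitiatedSignonPage           = $p.EnableIdpInitiatedSignonPage
        RelayStateForIdpInitiatedSignOnEnabled = $p.RelayStateForIdpInitiatedSignOnEnabled
        Ready = [bool]($p.EnableIdpInitiatedSignonPage -and $p.RelayStateForIdpInitiatedSignOnEnabled)
    }
}

function Enable-AdfsIdpInitiatedPrereq {
    # Turns both properties on. Run against the primary AD FS server.
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true -RelayStateForIdpInitiatedSignOnEnabled $true
}

function New-AdfsIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)][string]$AdfsHost,        # e.g. fs.example.com (placeholder)
        [Parameter(Mandatory)][string]$RelyingPartyId,  # identifier of the CF relying party trust
        [Parameter(Mandatory)][string]$RelayState       # relayState copied from Gamma SSO settings
    )
    # AD FS expects RelayState=RPID=<rp id>&RelayState=<target>. The two inner
    # values are URL-encoded once, then the whole inner string is encoded again,
    # so ':' and '/' end up as %253A and %252F in the final URL.
    $rp      = [uri]::EscapeDataString($RelyingPartyId)
    $target  = [uri]::EscapeDataString($RelayState)
    $inner   = "RPID=$rp&RelayState=$target"
    $encoded = [uri]::EscapeDataString($inner)
    "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=$encoded"
}

function New-PingFederateIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)][string]$PingHost,       # e.g. sso.example.com:9031 (placeholder)
        [Parameter(Mandatory)][string]$PartnerSpId,    # SP entity ID of the CF connection
        [Parameter(Mandatory)][string]$TargetResource  # SAML 2.0 target; not the SAML 1.x 'Target'
    )
    # /idp/startSSO.ping takes a single layer of encoding. TargetResource is the
    # SAML 2.0 parameter; 'Target' belongs to SAML 1.x / WS-Federation.
    $sp     = [uri]::EscapeDataString($PartnerSpId)
    $target = [uri]::EscapeDataString($TargetResource)
    "https://$PingHost/idp/startSSO.ping?PartnerSpId=$sp&TargetResource=$target"
}

function Confirm-AdfsRelayState {
    param([Parameter(Mandatory)][string]$Url)
    # Peels the two encoding layers off a generated AD FS URL and returns the
    # RPID and target AD FS will actually see. A wrong encoding depth shows up
    # here as '%3A' left inside the values or as a missing RPID.
    $outer = [uri]::UnescapeDataString(($Url -split 'RelayState=', 2)[1])
    $parts = @{}
    foreach ($kv in ($outer -split '&')) {
        $k, $v = $kv -split '=', 2
        $parts[$k] = [uri]::UnescapeDataString($v)
    }
    [pscustomobject]@{ RPID = $parts['RPID']; Target = $parts['RelayState'] }
}

# Usage with placeholder values:
$adfsUrl = New-AdfsIdpInitiatedUrl -AdfsHost 'fs.example.com' `
    -RelyingPartyId 'https://sp.example.com/saml/metadata' `
    -RelayState 'https://app.example.com/login'
$adfsUrl
Confirm-AdfsRelayState -Url $adfsUrl   # RPID and Target should equal the two inputs exactly

New-PingFederateIdpInitiatedUrl -PingHost 'sso.example.com:9031' `
    -PartnerSpId 'https://sp.example.com/saml/metadata' `
    -TargetResource 'https://app.example.com/login'
```

Paste the AD FS URL that New-AdfsIdpInitiatedUrl prints into the "IDP URL String" field, and run Confirm-AdfsRelayState on any URL you built by hand before handing it to users: the most common mistake is encoding the inner values only once, which AD FS then cannot split into RPID and target.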

Method 2: Create a Bookmark Application (This method uses SP-initiated SSO)

You can also create a bookmark application in your Identity Provider. The bookmark simply opens the CF SP-initiated login URL, so CF starts the SAML exchange itself and only accepts a response to a request it actually sent; an IdP-initiated flow has no such binding, since the assertion arrives unsolicited. That is why SP-initiated SSO is the recommended security practice, and why we strongly recommend this method for logging in directly from the IdP.

To configure the bookmark app integration see the below section.

Step 1: Set up Single Sign-On within Creative Force by following the instructions in this article.

This step is mandatory and must be complete before moving on to the steps below.

Step 2: Bookmark the Amazon Cognito-hosted login URL in your enterprise dashboard so users can log in directly from their IdP.

Make sure SSO is running, then copy the link and download the "App logo" from the "creating bookmark app" section of the Gamma SSO settings.

Step 3: Create a bookmark app

Okta

  1. In the Admin Console, go to Applications and click "Browse App Catalog".

  2. In the Search field, enter "Bookmark App" and click the Bookmark App integration.

  3. Click Add to create a Bookmark App instance.

  4. In the General Settings for the Bookmark App, enter the name of the external application and the URL from the "creating bookmark app" section under SSO settings in Creative Force. Click Done to create the Bookmark App.

  5. Add the logo downloaded from Gamma to the app.

  6. After creating the app, open the "Assignments" tab to assign users:

    1. Click Assign, then Assign to People or Assign to Groups.

    2. Select the users or groups.

Note:

  • Assigned people must be activated in Okta before they can use SSO login.

  • To create new users, go to Directory -> People.

Microsoft Azure

  1. Log in to the Azure Portal.

Navigate to "Azure Active Directory" in Azure Services, or create an "Azure Active Directory" resource if you don't have one.

  2. Create a new app and integrate it with Creative Force

  • Navigate to "Enterprise applications".

  • In the "All applications" tab, select "New Application".

  • Click "Create your own application", enter a unique name for the app, and choose the option for an application that is not found in the gallery. Click "Create" and wait for the app to be created.

  • After the new application is created, open "Single sign-on" in the application screen and fill in the URL from the "creating bookmark app" section under SSO settings in Creative Force. A bookmark only needs this sign-on URL; no SAML settings are entered here.

  • Add a logo: open "Properties" in the application screen, select the logo you downloaded from Gamma, then click "Save".

  3. Assign users to the new app

  • In the application screen, open "Users and groups" and click "Add user/group".

  • Click "Users", select the accounts that you want to assign to the app, and click "Select".

  • After selecting accounts, click "Assign".

OneLogin

  1. In the Admin Console, go to Applications.

  2. In Search, enter "Generic Connector (UC2)" and open the app.

  3. In the Configuration settings for the bookmark app, enter the name of the external application and the logo for the app, then click Save to create the app.

  4. In the Configuration settings, fill in the URL from the "creating bookmark app" section under SSO settings in Creative Force.

  5. After creating the app, open the "Assignments" tab and assign users to the integration app:

    1. To add one user, go to the Users menu, choose the user, open User Info, go to the "Applications" tab and click the plus sign to add the application.

    2. To add users by role, on the "Access" tab select the users' role and click Save.

    3. Note:

      1. To create one user, go to Users > Users, click "New user" and enter the user's information.

      2. To import users, open the "More Actions" dropdown and select "Import Users".

Duo

  1. Log in to the Duo Admin Panel, click Single Sign-On in the left navigation bar, click Duo Central, then click Add tile and choose Add bookmark tile.

  2. Enter the bookmark information, including the URL from the "creating bookmark app" section in Creative Force, and click Save.

  3. Enable Duo Central (set its status to enabled) so the tile is visible to users.

Step 4: Log in directly from user IdP

  1. Log in to Okta, Microsoft Azure, OneLogin or Duo.

  2. Click the app you just created. It opens the CF SP-initiated login URL, and CF redirects you to your IdP to complete the sign-in.