If your organization uses Single Sign On, learn how to add Uberflip to the list of applications your SSO provider can control access to.
Before you Begin
- To set up SSO with Uberflip, you need to be the Primary User on your Uberflip account.
- You will also need to have your SSO IdP already set up and in place to use Uberflip with it.
- In most cases, your organization's IT department will have to set up SSO for you.
Using Single Sign-On for Uberflip
Most of us use a bunch of different software tools for work — and with many of those tools living in the cloud, this means a separate set of login credentials for each one. Since having to remember a lot of different usernames and passwords is hard, a lot of companies are turning to Single Sign-On (SSO) services to solve this problem.
If you already use SSO in your company, you can set up SSO with Uberflip as well. This allows you to add Uberflip to the list of apps that your SSO provider can grant access to, making it easier for your users to log in. Plus, if your organization is very large, using SSO also means you don't have to manually create dozens (or hundreds!) of users in Uberflip, as the SSO provider can take care of this for you.
When you enable SSO for Uberflip, here's what the experience will look like for your users:
- When they go to the Uberflip login page, they will see the Username prompt, as normal:
- When they click on Next, they will also see the normal Password prompt. However, this will also include an additional button to log in with your SSO provider instead:
- Clicking on this button will take your users straight to your regular SSO login page. If you have enabled user provisioning through your SSO, a brand new user who logs in via SSO will automatically have an Uberflip account created for them.
What You'll Need
To use SSO with Uberflip, you'll need an SSO service, known as an Identity Provider (or IdP) that is already set up. This article won't teach you how to set up an SSO in general — just how to add Uberflip to your existing SSO service. If you don't currently use SSO, you won't be able to proceed until you have configured your IdP.
You can use any IdP you like, but here are some of the popular ones we work with:
You'll also need certain details about your IdP in order to complete the configuration on Uberflip's end. This information will be provided by your IdP service. In general, we recommend that you let your IT department handle this part of the setup.
Set up an IdP in Uberflip
You can set up and enable a new IdP at any time, or make changes to an existing setup.
- Log in to Uberflip.
- In the top right corner, click on your name, then click on Account Settings.
- In the sidebar menu on the left, click on Security to expand that section, then click on Identify Provider Settings.
- Now, click on the Create a New IdP button on the right. At this point, we recommend handing over to your IT person to complete the rest of the steps.
- The Create a New Identity Provider form will appear, and you should be on the first of two tabs, labelled Basic IdP Settings.
- To set up SSO, you will need to fill out this form with details provided by your IdP. See Reference: Basic IdP Settings below for help.
- When you're ready to enable SSO and allow your users to log in to Uberflip via your IdP, toggle the switch next to Enabled to the on (green) position, then click on the Save button.
- This will add the IdP to your list of Identity Providers, and will immediately turn on the SSO option on your Uberflip login page.
- If you want to disable SSO via this particular IdP at any time, simply return to Security > Identity Provider Settings, click on the IdP you want to disable to view its settings, then toggle the Enabled switch back to the off (grey) position.
Reference: Basic IdP Settings
The fields on the Basic IdP Settings form correspond to standard IdP details as defined in the SAML standard specification, so the necessary details are easy to obtain from virtually any IdP.
There are three ways you can fill out this form:
- XML: Most IdPs provide an XML metadata file which contains all the required information. To use this option, download the XML file from your IdP, then click on the XML button to upload the file to Uberflip.
- URL: Some IdPs allow applications (like Uberflip) to simply download the XML metadata file directly from the IdP using a special URL, bypassing the need for you to upload it manually. If this option is available to you, get the URL from your IdP, then simply click on the URL button and paste (or type) in the URL.
- Manual: If your IdP does not provide an XML metadata file, you can also type in the required information by hand. You should use this option only if you can't use the XML/URL options.
The fields on the form are as follows:
- Name: An (arbitrary) name to identify this IdP in the list displayed under Security > Identify Provider Settings.
- Description: A description shown next to the name (as above).
- Login URL: The URL that is used to log in with your IdP.
- Identity Provider Entity: The IdP's unique entity ID.
- Identify Provider Certificate: The security certificate provided by your IdP.
- Pull Identity From: Defines which field in the IdP will be used to identify the user. The choices are:
- The assertion's subject's name identifier: Use the SAML NameID defined in the SAML assertion to identify the user.
- An assertion attribute value: Use a custom attribute field to identify the user. Specify the attribute field to be used in the text box provided.
- Map Identity To: The field in the Uberflip user profile that the selected identity value from the IdP will be mapped (written) to.
Enable User Provisioning
If you want, you can optionally enable user provisioning, which will create new users in Uberflip the first time they log in using your IdP. This can be useful if your organization has a lot of Uberflip users, and user creation is a routine, ongoing task.
Before you enable this setting, keep in mind that you must do some prep work in your IdP for it to work properly! Uberflip uses the concept of User Groups to control application permissions, so all new users must be assigned to a Group to be able to use Uberflip. Users created with no Group membership will be assigned to the All Users group by default, which has no permissions — and no access to any part of the Uberflip application.
As a result, if you want to use SSO user provisioning for Uberflip, you must ensure that you have created an attribute for Groups in your IdP, and have assigned Groups to the appropriate users. See below for more information.
- To enable user provisioning using your IdP, go to Account Settings > Security > Identity Provider Settings and click on your IdP in the list on the right to edit it.
- On the right, click on the User Provisioning tab.
- Toggle the switch next to Create new Users via SSO to the on (green) position.
- When you turn on the user provisioning setting, the Attribute Name fields below it will become editable. These fields define how Uberflip will use information from your IdP to fill out the user profiles of new users created by IdP. For help, see Reference: User Provisioning Settings below.
Reference: User Provisioning Settings
If you enable the Create new Users via SSO setting, the settings page will allow you to edit the values under the Attribute Name column. These values indicate which attribute in your IdP will be used to populate the corresponding user profile field in Uberflip. For example, it will fill in the user's First Name using the User.FirstName field from your IdP.
By default, the IdP attributes are prepopulated with standard attribute field names which are common to most IdPs. If you actually use a different attribute name in your IdP for any given attribute, you can edit the value in the appropriate Attribute Name field. For example, if Email Address actually corresponds to User.EmailId (rather than the prepopulated User.EmailAddress field) in your IdP, fill that in instead.
The Uberflip Field Groups defines which Group(s) the user is assigned to, and therefore what Uberflip permissions they have. To ensure functionality for users created via your IdP, it is critical that you define the appropriate Group(s) for each user in your IdP.
By default, Uberflip will look for the User.Groups attribute in your IdP to set a user's Group membership upon creation. This attribute name is arbitrary, and likely does not exist in your IdP. You must therefore create it, and populate it for each User with the appropriate Group ID from Uberflip in your IdP. (Alternatively, you can also create or use a different attribute, and simply type in the appropriate value into the Attribute Name field for Groups).
The Group ID is a unique numeric code that identifies a particular Group in your Uberflip account. To find a Group ID, go to Account Setting > Organization > Groups and click on the Group, then look at the URL. The Group ID for that group is the string of digits at the end of the URL, like this (in bold):
To assign a user to one or more Groups when they are created via IdP, you must:
- Create a User.Groups (or similar) attribute in your IdP
- Obtain the Group IDs for all groups in your Uberflip account
- Assign the appropriate Group IDs to each user (to assign a user to multiple Groups, list each Group ID separated by a comma)
For example, say you want to assign the user John Smith to the Sales Reps and Authors Groups when they first log in to Uberflip. If the Group IDs are 1234567 (Sales Reps) and 7654321 (Authors), their IdP profile wouild look like this:
- User.EmailAddress: email@example.com
- User.FirstName: John
- User.Groups: 1234567,7654321
This would result in the following user profile:
Update on Login Setting
For each field except Email Address, you can enable or disable the Update on login? setting. If this setting is enabled for a field, the corresponding information will be updated on the Uberflip user profile if it has changed in the IdP since the last time the user logged in. For example, if a user's User.Groups attribute value has been changed in the IdP, their Group membership in Uberflip will be updated accordingly the next time they log in.