Configuring and Activating SSO - Single Sign-on

The BrandShelter portal supports SSO, so you can federate your identity provider (e.g. Microsoft Azure AD or Okta) with BrandShelter's single sign-on.

To set up your IdP, refer to the documentation 240802_EN_SSO user guide.pdf and to the attributes below, which you will need to configure the IdP.

• For Microsoft Azure AD:

For the BrandShelter production environment

secure.brandshelter.com

• For Okta (SAML):

For the BrandShelter production environment

secure.brandshelter.com

  • Single Sign On URL: https://bs-live-auth.auth.eu-central-1.amazoncognito.com/saml2/idpresponse
  • Audience restriction: urn:amazon:cognito:sp:eu-central-1_FmcrLjcuB
  • Default Relay State: leave blank
  • In Security/API/Trusted Origins, add https://bs-live-auth.auth.eu-central-1.amazoncognito.com as a permitted “redirect”

• For Okta (OpenID Connect):

For the BrandShelter production environment

secure.brandshelter.com

  • Single Sign On URL: https://bs-live-auth.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse
  • In Security/API/Trusted Origins, add https://bs-live-auth.auth.eu-central-1.amazoncognito.com as a permitted “redirect”

You must provide us with a metadata URL or document (XML file), as well as the mail domains your users sign in with.

You must also specify the protocol used for the SSO federation, i.e. SAML or OIDC.

IMPORTANT: You can choose between two configurations for access to the BrandShelter portal after SSO activation.

1) Configuration 1 (default) - BrandShelter login + SSO login

Both login methods coexist, direct login and SSO:

  • you can log in using the BrandShelter direct login (username + password)
  • or using the SSO login, which requires entering only your email address (or SSO username) in the "Username" field and clicking "Login" without entering a password; you are then redirected to the SSO form.

This configuration allows users who do not have an email address linked to SSO, and who therefore need a direct login to the portal, to be added to your account and to log in.

2) Configuration 2 (enabled on request) - SSO only

We disable the BrandShelter direct login (username + password), so that only the SSO method is possible.

This makes SSO login mandatory for all users of the account, without exception.

Note 1: Each user whose username matches one of the mail domains (hosts) you provided will be required to authenticate through Single Sign-On (SSO) (configuration 2). Any user of this account whose username does not match one of these domains will use their normal local credentials and will not use SSO (default configuration 1). For example, the hostname example.com matches usernames like name@example.com.

Note 2: Please note that BrandShelter does not support IdP-initiated sign-in. This means that features such as the “embed link” provided by Okta, or launchers on other authentication platforms such as Azure's "My Applications" portal, cannot be used for sign-in. All sign-ins must be initiated from the BrandShelter portal to ensure proper authentication and access.

Please therefore ensure that users always start the login attempt on our portal.

User experience after SSO activation:

A user visits the BrandShelter portal. If they are already authenticated with their corporate identity provider, they are immediately signed in to BrandShelter and the process stops here.

If they are not yet authenticated, the user enters their login name into the BrandShelter sign-in form.
The user is redirected to their company's sign-in form, which could be, for example, the Microsoft sign-in form. After entering their credentials, the user is redirected back to the BrandShelter portal and is signed in there.

Additional information link:

Amazon Cognito FAQs