Overview
SSO stands for Single Sign-On. A System Master (a Certain team member) can set up "Single Sign-On" (SSO) connections for an account. An Administrator user enables these SSO connections here. The Administrator can edit their field mappings and button fields, as described below.
Available SSO Connections
All existing SSO connections for the current account and its parent account are listed.
To edit an SSO, click the Edit control in the Actions column to open the Edit SSO Config pane described below.
The following information is shown for each SSO listed:
- Enabled – If this check box is selected, the SSO is available for use. You can select or clear the check box right here in the list, without needing to edit the record.
- Note: You must map fields for the SSO before you can enable it: at least First Name and Last Name.
- Note: Only one ADMIN SSO can be active in a system at any one time.
- Note: Only one CHECK-IN APP SSO can be active in a system at any one time.
- Config Name – The name of the SSO, as set by Certain for your system.
- Config Type – The technical type of SSO, e.g., "OAuth2" or "SAML2".
- IDP Name – The Identity Provider ("IDP") used for authentication. For example, "LinkedIn" or "Facebook".
- Entry Points – "ADMIN", "ATTENDEE", or "CHECK-IN APP".
- Activity – The most recent activity, including type (e.g., "Updated"), date and user name.
- Actions – Edit the SSO. See Edit SSO Config, below.
Edit SSO Config
This section is displayed when you click the Edit control in the list to edit an SSO. (It is also displayed when a Certain System Master clicks Add an SSO Config.)
Note: Once an SSO has been set up, it is rare for it to be edited.
Information Fields
- Entry Points – At least one of the three options: "ADMIN", "ATTENDEE", or "CHECK-IN APP". (This is read-only information, except for a System Master user.)
- ADMIN – For Certain users logging in to the Certain app. Once signed in to their corporate system, they do not have to enter another user name and password to access Certain. They must still be set up as Certain users in Account Settings > Administration > Users. Note: Only one "ADMIN" SSO can be active in a system at any one time. Best Practice: If an account has an ADMIN SSO, then ADMIN would normally be that SSO's only Entry Point.
- ATTENDEE – For attendees using registration forms to register. Registration form entry pages can include buttons for automatically pre-filling information from identity providers. For attendees logging in to a Certain Mobile web app, the page can include an option to log in via SSO. For speakers logging in to a Speaker Portal, the page can include an option to log in via SSO. For reviewers logging in to a Reviewer Portal, the page can include an option to log in via SSO.
- CHECK-IN APP – For Certain users who will be using the Certain Check-In app. Check-In users can log into the Check-In app by clicking the gear icon on the page, and selecting the SSO.
- Note: Only one CHECK-IN APP SSO can be active in a system at any one time.
- Config Name – (Required) The name of the SSO. Best practice: this should be unique in the account to ease identification.
- App ID – (Required) The unique technical ID for the SSO connection app created by Certain for this SSO (in the separate SSOManager app).
- Config Type – (Required) The technical type of SSO. Examples: OAuth2, SAML2, etc.
- IDP Name – (Required) The Identity Provider (IDP) used for authentication by this SSO. Examples: LinkedIn, Facebook, etc.
- Button fields (For Attendee entry points) – The five "Button ..." fields are available when Entry Point does not include "ADMIN" or "CHECK-IN APP", and are therefore used only for Attendee Login. You can configure them differently for each account and sub-account. They determine the appearance of the button the registrant sees on the form, or the speaker sees in the speaker portal.
- Button Label – (Required) The text on the form button. For example, "Log in with LinkedIn".
- Button Color – (Required) The background color of the form button. Click the color picker to select a color and then click Set Color, or enter the hex value (e.g., #dddddd).
- Button Text Color – (Required) The color of the text on the Button Label.
- Button Icon – (Optional) Click Browse to upload an icon to be used on the button.
- Button Class – (Optional) Advanced users: Enter a CSS/JS class name to customize the button appearance.
- IDP Fields – Select the Identity Provider fields that you will match to Certain Profile fields in the Field Mapping step below.
- Profile Lookup – Select the Certain profile field to be matched against the IDP field identifying the person.
- Look Up Profile on form re-entry also – If not selected, Certain will use the value of the Profile Lookup field to find a matching profile only the first time someone logs in using SSO. If selected, Certain will look up the profile on every SSO login.
- Edit SSO Config (Field Mapping) – This section is displayed when you click the pencil icon in the list to edit an SSO for an account. Map the fields from the Identity Provider (IDP) to their matching Profile fields in Certain. This is required before you can enable an SSO connection.
- Note: In a sub-account, you need to map these fields independently of the parent account, because the mappings are not "inherited".
- You must map at least Profile First Name and Profile Last Name in Certain to the equivalent IDP fields.
- IDP Fields – The fields you see listed are those you selected in the IDP Fields drop-down list above. For example: First Name (or Given Name); Last Name (or Surname or Family Name); Email Address, etc.
- Certain Fields – Select the Profile Standard Field or Profile Question to be mapped to the selected IDP Field. For example: Profile First Name, Profile Last Name, etc.
- IMPORTANT: Always map different, separate fields to the Profile First Name and Profile Last Name fields in Certain.
- For example, if your IDP fields include Given Name, Family Name and Name, then Name probably concatenates the other two.
- Correct procedure in this example: Map Given Name in IDP to Profile First Name in Certain, and Family Name to Profile Last Name.
- Both fields are used in Certain, so an attendee named Jane Citizen will appear as "Jane Citizen".
- Wrong procedure in this example: If you mapped Name to both Profile First Name and Profile Last Name in Certain, both of those fields would be "Jane Citizen" and the attendee would appear as "Jane Citizen Jane Citizen".
- Updated – If this check box is selected, the Certain field is updated when a registrant logs back in after the value of the IDP field has changed.
- Caution – As best practice, many customers do not select this for Standard Profile Fields to avoid changing an email address.
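The enablement and mapping rules above can be checked offline before a connection is switched on. The following is an added example, not Certain code or a Certain API: the record layout, the `lint_sso_configs` and `mapped` names, the "Profile Email" field name and the sample records are all assumptions made for illustration.

```python
from collections import Counter

REQUIRED = ("Profile First Name", "Profile Last Name")

def lint_sso_configs(configs):
    """Return (errors, warnings) for SSO records in a hypothetical dict shape."""
    errors, warnings, active = [], [], Counter()
    for cfg in configs:
        name, eps = cfg["config_name"], cfg["entry_points"]
        mapping = cfg.get("field_mapping", {})  # Certain field -> {"idp_field", "updated"}
        if cfg.get("enabled"):
            active.update(eps)  # count enabled SSOs per entry point
            missing = [f for f in REQUIRED if f not in mapping]
            if missing:
                errors.append(f"{name}: enabled without mapping {missing}")
        first, last = (mapping.get(f, {}).get("idp_field") for f in REQUIRED)
        if first is not None and first == last:
            errors.append(f"{name}: IDP field '{first}' mapped to both name fields")
        if "ADMIN" in eps and len(eps) > 1:
            warnings.append(f"{name}: ADMIN is not the only entry point")
        for field, entry in mapping.items():
            # Assumption: the e-mail profile field has "email" in its name.
            if entry.get("updated") and "email" in field.lower():
                warnings.append(f"{name}: '{field}' is overwritten from the IDP on re-login")
    for ep in ("ADMIN", "CHECK-IN APP"):
        if active[ep] > 1:
            errors.append(f"{active[ep]} enabled SSOs use {ep}; only one can be active")
    return errors, warnings

def mapped(idp_field, updated=False):
    return {"idp_field": idp_field, "updated": updated}

# Constructed sample records, not real Certain data.
SAMPLE = [
    {"config_name": "corp-saml", "enabled": True, "entry_points": ["ADMIN", "ATTENDEE"],
     "field_mapping": {"Profile First Name": mapped("Given Name"),
                       "Profile Last Name": mapped("Family Name"),
                       "Profile Email": mapped("Email Address", updated=True)}},
    {"config_name": "legacy-admin", "enabled": True, "entry_points": ["ADMIN"],
     "field_mapping": {"Profile First Name": mapped("Name"),
                       "Profile Last Name": mapped("Name")}},
    {"config_name": "linkedin-attendee", "enabled": True, "entry_points": ["ATTENDEE"],
     "field_mapping": {"Profile First Name": mapped("First Name")}},
]

if __name__ == "__main__":
    errs, warns = lint_sso_configs(SAMPLE)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
```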
Notes
- This article documents the configuration and management of Single Sign-On (SSO) connections for an account.
- SSO types include ADMIN, ATTENDEE LOGIN, and CHECK-IN APP.