SSO Connections (for an account)

SSO Connections (for an account)

A System Master (a Certain team member) can set up "Single Sign-On" (SSO) connections for an account. An Administrator user enables these SSO connections here. The Administrator user can edit field mappings. The Administrator user can edit button fields. These actions are described below.

There are three types of SSO in Certain:

• ADMIN — For people signing in to the Certain app itself.

Event Builders are an example.

Details are below.

• ATTENDEE — For attendees using registration forms or the Mobile web app.

Speakers using a Speaker Portal are an example.

Reviewers using a Reviewer Portal are an example.

Details are below.

• CHECK-IN APP — For people using the Certain Check-In app to check attendees in at an event.

Details are below.

See SSO Configuration and Use for an overview of SSOs in Certain.

Available SSO Connections (List)

All existing SSOs for the current account and its parent account are listed.

To edit an SSO, click the in the Actions column. This opens the Edit SSO Config pane described below.

The following information is shown for each SSO listed:

• Enabled — If this check box is selected, the SSO is available for use.

You can select or clear the check box right here in the list.

You can do this without needing to edit the record.

• Note: You must map fields for the SSO before you can enable it: at least First Name and Last Name.

See Field Mapping below.

• Note: Only one ADMIN SSO can be active in a system at any one time.
• Note: Only one CHECK-IN APP SSO can be active in a system at any one time.
• Config Name — The name of the SSO, as set by Certain for your system.
• Config Type — The technical type of SSO.

Examples include “OAuth2” or “SAML2”.

• IDP Name — The Identity Provider (“IDP”) used for authentication.

Examples include “LinkedIn” or “Facebook”.

• Entry Points — “ADMIN”, “ATTENDEE”, or “CHECK-IN APP”.

Details are below.

• Activity — The most recent activity, including type (for example, “Updated”), date, and user name.
• Actions —
• Edit — Edit the SSO.

See Edit SSO Config below.

Edit SSO Config

This section is displayed when you click in the list to edit an SSO. This section is also displayed when a Certain System Master clicks Add an SSO Config.

> Note: Once an SSO has been set up, it is rare for it to be edited.

Information Fields

• Entry Points — At least one of the three options: “ADMIN”, “ATTENDEE”, or “CHECK-IN APP”.

This is “read-only” information, except for a System Master user.

• ADMIN — For Certain users logging in to the Certain app.

Once signed in to their corporate system (for example, by logging in to their network), they do not have to enter another user name and password to access Certain.

Certain users still have to be set up in Account Settings > Administration > Users.

> Note: Only one “ADMIN” SSO can be active in a system at any one time.

> Best Practice: If an account has an ADMIN SSO, then ADMIN would normally be that SSO’s only Entry Point.

> An example exception is when an account is using forms for staff to for events via their intranet.

• ATTENDEE —
• For attendees using registration forms to .

Registration form entry pages can include buttons for automatically pre-filling information from LinkedIn, Facebook, Microsoft, or Google+.

See additional fields below.

• For attendees logging in to a Certain Mobile web app.

The [](https://community.certain.com/kbase/unifiedeventviews/.htm#sso) page in the app can include an option to log in via SSO instead of username and password.

• For speakers logging in to a Speaker Portal.

The [](https://community.certain.com/kbase/unifiedeventviews/login_spkr_portal.htm) page in the speaker portal can include an option to log in via SSO instead of username and password.

• For reviewers logging in to a Reviewer Portal.

The [](https://community.certain.com/kbase/unifiedeventviews/login_rvwr_portal.htm) page in the reviewer portal can include an option to log in via SSO instead of username and password.

• CHECK-IN APP — For Certain users who will be using the Certain Check-In app.

Check-In users can log into the Check-In app by clicking the gear icon on the page.

Check-In users select the SSO to log in using those credentials.

> Note: Only one “CHECK-IN APP” SSO can be active in a system at any one time.

• Config Name — (Required) The name of the SSO.

> Best practice: this should be unique in the account.

This eases identification.

• App ID — (Required) The unique technical ID for the SSO connection app created by Certain for this SSO.

This app is created in the separate SSOManager app.

• Config Type — (Required) The technical type of SSO.

Examples include O Auth2 and SAML2.

• IDP Name — (Required) The Identity Provider (IDP) used for authentication by this SSO.

Examples include LinkedIn and Facebook.

Button

These five “Button ...” fields are available when Entry Point does not include “ADMIN” or “CHECK-IN APP”. These fields are therefore used only for Attendee.

You can configure these fields differently for each account and sub-account. These fields determine the appearance of the button the registrant sees on the form. These fields also determine the appearance of the button the speaker sees on the speaker portal.

• Button Label — (Required) The text on the form button.

Example: “Log in with LinkedIn”.

• Button Color — (Required) The background color of the form button.

Click the color picker icon to select a color.

Click Set Color.

Alternatively, enter the hex value (for example, #dddddd for gray).

• Button Text Color — (Required) The color of the text of the Button Label.

Click the color picker icon to select a color.

Click Set Color.

Alternatively, enter the hex value (for example, #000000 for black).

• Button Icon — (Optional) Click Browse to upload an icon to be used on the button.

This icon is used in addition to the text of the Button Label.

• Button Class — (Optional) Advanced users: Enter a class name that you can use in CSS and JavaScript.

This further customizes the button’s appearance.

This localizes the text.

Lookup

• IDP Fields — Select the Identity Provider fields that you will match to Certain Profile fields in the Field Mapping step below.

> Note: Only text fields are available for mapping.

The fields available vary from one Identity Provider to the next.

• Examples include:
• First Name (or Given Name)
• Last Name (or Surname, or Family Name)
• Email Address
• Profile Lookup — Select the Certain profile field to be matched against the IDP field identifying the person.

Examples include Email or Nameid.

• If that field uniquely identifies a profile, then the lookup can succeed with a unique match.
• > Caution: If this is the email address and the Certain account includes more than one profile with the same email, the lookup will match the most recently updated record.

Note that you can set the Registrant Details section of registration forms to enforce unique email addresses.

• > Recommended: Map the field you select to a Certain field under Edit SSO Config below.
• Look Up Profile on form re-entry also —

> Caution: Like the other settings here, this applies to every login using this SSO connection in all events in this account.

• If not selected, then Certain will use the value of the Profile Lookup field to find a matching profile record the first time someone logs in using SSO.

If a match is found, Certain will then “remember” that match.

This means even if a person who logged in via SSO later changes the value of that profile field on the Certain side, their next login will still succeed.

• If selected, Certain will look up the profile on every SSO login.

Certain will use the value from a successful initial login.

Edit SSO Config (Field Mapping)

This section is displayed when you click in the list to edit an SSO for an account.

Map the fields from the Identity Provider (IDP) to their matching Profile fields in Certain.

This is required before you can enable an SSO connection.

> Note: In a sub-account, you need to map these fields independently of the parent account. > Mappings are not “inherited”.

You must map at least Profile First Name and Profile Last Name in Certain to the equivalent IDP fields. > Important: Don’t map them both to the same IDP field. > See note below.

• IDP Fields — Select an IDP field to map to a Certain field.

The fields you see listed are those you selected in the IDP Fields drop-down list above.

For example:

• First Name (or Given Name)
• Last Name (or Surname or Family Name)
• Email Address, etc.
• Certain Fields — Select the Profile Standard Field or Profile Question to be mapped to the selected IDP Field.

For example:

• Profile First Name
• Profile Last Name
• etc.

> IMPORTANT: Always map different, separate fields to the Profile First Name and Profile Last Name fields in Certain.

• For example, if your IDP fields include Given Name, Family Name and Name, then Name probably concatenates the other two.
• So, if Given Name = “Jane” and Family Name = “Citizen”, then Name would automatically be “Jane Citizen”.
• Correct procedure in this example:

Map Given Name in IDP to Profile First Name in Certain.

Map Family Name to Profile Last Name in Certain.

Both fields are used in Certain.

Her name will appear as “Jane Citizen”.

• Wrong procedure in this example:

If you mapped Name to both Profile First Name and Profile Last Name in Certain, both of those fields for that attendee would be “Jane Citizen”.

She would therefore appear to be “Jane Citizen Jane Citizen” wherever you saw her name in Certain.

• Updatable — If this check box is selected, then the Certain field is updated when a registrant logs back in after the value of the IDP field has changed (on LinkedIn or Facebook, for example) since the registrant last logged in.

> Caution: As best practice, many customers do not select this for Standard Profile Fields.

This is to avoid potential problems such as inadvertently changing an email address.