Single sign-on (SSO) is a means of allowing your users to authenticate against a single identity provider to access your corp. We support both SAML 2.0 and Google Apps SSO (OAuth 2.0).
How do I enable Single Sign-On?
Single sign-on can be enabled by Owners on the User Authentication page in the Corp Manage menu. In the Authentication section, click either Switch to SAML or Switch to Google Apps.
Enabling SAML Single Sign-On
In your identity provider
If you use Okta or OneLogin, you should be able to search for the “Signal Sciences” application. Otherwise, configure an application with the following settings:
- Recipient/Consumer URL:
- Audience URI (SP Entity ID):
- Consumer URL Validator:
A few things to note if you’re self-configuring:
- We require a signed SAML response, but don’t care about individually-signed assertions. They won’t hurt anything, but they will be ignored. Ensure your overall response is signed.
- You must allow SP (Service Provider) initiated logins to complete the handshake that sets up SAML (see below). Once that’s complete, you will be able to use IdP (Identity Provider) initiated logins.
- We do not publish metadata at present, but may in the future.
Note: If using PingFederate as your SSO provider, you will need to deselect “Require authn requests to be signed when received via the post or redirect bindings” and “Always sign the SAML assertion” settings under the “Signature Policy” settings.
In Signal Sciences
After clicking Switch to SAML, you’ll be required to specify the SAML 2.0 Endpoint and x.509 public certificate from the app configured in your identity provider.
Enabling Google Apps Single Sign-On
Google Apps Single Sign-On uses OAuth 2.0 to authenticate. After clicking Switch to Google Apps, you’ll be redirected to Google to authenticate. The domain of the email you authenticate against will be used as the SSO domain for the corp.
After you’ve authenticated, you’ll be redirected back to Signal Sciences. You will be shown the domain you selected and be required to enter your password to confirm. If you chose the wrong domain, change the domain by clicking Switch domains.
What if the email from my identity provider doesn’t match the email in my Signal Sciences account?
If the email from your identity provider doesn’t match the email in your Signal Sciences account, you will be alerted that your Signal Sciences email will be changed to your identity provider’s email when you enable SSO.
If the email you choose doesn’t match the email in your Signal Sciences account and conflicts with an email already in the system, you will be shown an error message and be required to choose another email.
After enabling Single Sign-On
Once you enable SSO, the passwords/2FA tokens for any existing users will be deleted, and they’ll be sent an email to set up SSO on their accounts. This email will be valid for 3 days.
If the SSO binding link expires, resend it by clicking the Resend SSO email button next to the Pending SSO status in the Users panel on the User Management page.
To enforce SSO, all other users will have their active sessions expired.
What do existing users see when I enable single sign-on?
Existing users will receive an email telling them that they need to set up single sign-on to authenticate against Signal Sciences. Once they successfully configure SSO, they will receive an email confirming the change.
If they attempt to sign in before following the SSO link in their email, they will receive an error message telling them that SSO has been enabled for their corp and to follow the link in their email.
What if an existing user authenticates with an email address in their identity provider that doesn’t match the email in their Signal Sciences account?
If the email they authenticate with in their identity provider doesn’t match the email in their Signal Sciences account, they will be alerted that their Signal Sciences email will be changed to the email address of the identity provider when they finish authenticating their account.
If the email they choose doesn’t match the email in their Signal Sciences account and conflicts with an email already in the system, they will be shown an error message and be required to choose another email.
What if an existing user didn’t receive the SSO email?
If the existing user didn’t receive the email or the SSO link expires, resend it by clicking the Resend SSO email button next to the “Pending” SSO status next to the user’s name in the Users panel on the User Management page.
What do new users see when I enable single sign-on?
When new users accept an invitation, they’ll be prompted to authenticate via the identity provider associated with the corp.
How does sign-in work?
When users visit the Signal Sciences sign-in page, they’ll need to enter in their email.
If the corp has single sign-on enabled, they will be prompted to authenticate with SSO or will be automatically signed-in if they’re already authenticated. If SSO is not enabled, they’ll be prompted to enter their password.
If they authenticate with an email that is different from the email they entered, they will receive an error message.
What happens if I have two-factor auth enabled?
When single sign-on is enabled, all passwords and 2FA tokens are deleted. 2FA is not enforced and we recommend you configure two-factor auth with your identity provider.
How do I disable single sign-on?
Owners can disable single sign-on for all users on the corp. After disabling single sign-on, all other users in your corp will have their active sessions expired. They will receive an email with a link to set a new password, informing them SSO has been disabled. All users will need to set new passwords to log back into the Signal Sciences console.
Log in to the Signal Sciences console.
Select a site if you have more than one site.
From the Corp Manage menu, select User Authentication. The user authentication menu page appears.
To the right of Signal Sciences built-in authentication, click Switch to built-in auth. The set password page appears.
You are required to set a new password for your user before disabling single sign-on to prevent you from being locked out of the Signal Sciences console. In the Password field, enter your new password.
Can I set specific users to bypass single sign-on?
If your corp has Single Sign-On enabled, an Owner user can set a user to bypass SSO, which allows them to log in to the Signal Sciences console via username and password without needing to authenticate through your SSO provider.
Log in to the Signal Sciences console.
From the Corp Manage menu, select Corp Users. The Corp User management page appears.
Click on the user you want to bypass SSO. The view user page appears.
Click Edit corp user. The edit user page appears.
Under Authentication, select Allow this user to bypass Single Sign-On (SSO).
Click Update user.
Do you support automatic provisioning, or deprovisioning?
We don’t support automatic provisioning / deprovisioning at this time. If this is something you’re interested in, reach out to us with your use case.
What is a single sign-off endpoint (SAML Logout Endpoint)?
If your corp’s IT department determines you need to use a custom logout URL to handle logout redirects and cookie updates, it is possible to supply an optional logout endpoint. There are no parameters necessary, the browser will do a GET request and follow any sign-out/redirects supplied by your IT department.