SSO Connections (for an account)
A System Master (a Certain team member) can set up "Single Sign-On" (SSO) connections for an account.
An Administrator user enables these SSO connections here, and can edit their field mappings and button fields, as described below.
There are three types of SSO in Certain:
- ADMIN – For people signing in to the Certain app itself; as Event Builders, for example. (Details below.)
- ATTENDEE LOGIN – For attendees using registration forms or the Mobile web app, speakers using a Speaker Portal, or reviewers using a Reviewer Portal. (Details below.)
- CHECK-IN APP – For people using the Certain Check-In app to check attendees in at an event. (Details below.)
(See SSO Configuration and Use for an overview of SSOs in Certain.)
Available SSO Connections (List)
All existing SSOs for the current account and its parent account are listed.
To edit an SSO, click the edit icon in the Actions column to open the Edit SSO Config pane described below.
The following information is shown for each SSO listed:
- Enabled – If this check box is selected, the SSO is available for use.
  You can select or clear the check box right here in the list, without needing to edit the record.
  Note: You must map fields for the SSO before you can enable it: at least First Name and Last Name. See below.
  Note: Only one ADMIN SSO can be active in a system at any one time.
  Note: Only one CHECK-IN APP SSO can be active in a system at any one time.
- Config Name – The name of the SSO, as set by Certain for your system.
- Config Type – The technical type of SSO, e.g., "OAuth2" or "SAML2".
- IDP Name – The Identity Provider ("IDP") used for authentication. For example, "LinkedIn" or "Facebook".
- Entry Points – "ADMIN", "ATTENDEE LOGIN", or "CHECK-IN APP". See details below.
- Activity – The most recent activity, including type (e.g. "Updated"), date and user name.
- Actions – Edit the SSO. See 'Edit SSO Config', below.
Edit SSO Config
This section is displayed when you click the edit icon in the list to edit an SSO.
(It is also displayed when a Certain System Master clicks Add an SSO Config.)
Note: Once an SSO has been set up, it is rare for it to be edited.
Information Fields
- Entry Points – At least one of the three options: "ADMIN", "ATTENDEE LOGIN", or "CHECK-IN APP".
  (This is "read-only" information, except for a System Master user.)
  - ADMIN – For Certain users logging in to the Certain app.
    Once signed in to their corporate system (for example, by logging in to their network), they do not have to enter another user name and password to access Certain.
    (However, they do still have to be set up as Certain users in Account Settings > Administration > Users).
    Note: Only one "ADMIN" SSO can be active in a system at any one time.
    Best Practice: If an account has an ADMIN SSO, then ADMIN would normally be that SSO's only Entry Point. (An example exception, probably rare, would be when an account is using forms for staff to register for events via their intranet.)
  - ATTENDEE LOGIN –
    - For attendees using registration forms to register.
      Registration form entry pages can include buttons for automatically pre-filling information from LinkedIn, Facebook, Microsoft, or Google+, for example.
      (See additional fields below.)
    - For attendees logging in to a Certain Mobile web app. The Login page in the app can include an option to log in via SSO instead of username and password.
    - For speakers logging in to a Speaker Portal. The Login page in the speaker portal can include an option to log in via SSO instead of username and password.
    - For reviewers logging in to a Reviewer Portal. The Login page in the reviewer portal can include an option to log in via SSO instead of username and password.
  - CHECK-IN APP – For Certain users who will be using the Certain Check-In app.
    Check-In users can log into the Check-In app by clicking the gear icon on the login page, and selecting the SSO, to log in using those credentials.
    Note: Only one 'CHECK-IN APP' SSO can be active in a system at any one time.
- Config Name – (Required) The name of the SSO. Best practice: this should be unique in the account, to ease identification.
- App ID – (Required) The unique technical ID for the SSO connection app created by Certain for this SSO (in the separate SSOManager app).
- Config Type – (Required) The technical type of SSO. Examples: OAuth2, SAML2, etc.
- IDP Name – (Required) The Identity Provider (IDP) used for authentication by this SSO. Examples: LinkedIn, Facebook, etc.
Button
These five "Button ..." fields are available when Entry Point does not include "ADMIN" or "CHECK-IN APP", and the SSO is therefore used only for Attendee Login.
You can configure them differently for each account and sub-account. They determine the appearance of the button the registrant sees on the form, or the speaker sees on the speaker portal.
- Button Label – (Required) The text on the form button. For example, "Log in with LinkedIn".
- Button Color – (Required) The background color of the form button. Click the color picker icon to select a color and then click Set Color, or enter the hex value (e.g., #dddddd for gray).
- Button Text Color – (Required) The color of the text of the Button Label. Click the color picker icon to select a color and then click Set Color, or enter the hex value (e.g., #000000 for black).
- Button Icon – (Optional) Click Browse to upload an icon to be used on the button (in addition to the text of the Button Label).
- Button Class – (Optional) Advanced users: Enter a class name that you can use in CSS and JavaScript, to further customize the button's appearance and localize the text.
Lookup
- IDP Fields – Select the Identity Provider fields that you will match to Certain Profile fields in the Field Mapping step below.
  (Note: Only text fields are available for mapping.)
  The fields available vary from one Identity Provider to the next.
  For example:
  • First Name (or Given Name);
  • Last Name (or Surname, or Family Name);
  • Email Address, etc.
- Profile Lookup – Select the Certain profile field to be matched against the IDP field identifying the person.
  • For example: Email, or Nameid.
  • If that field uniquely identifies a profile, then the lookup can succeed with a unique match.
  • Caution: If this is the email address and the Certain account includes more than one profile with the same email, the lookup will match the most recently updated record.
    Note that you can set the Registrant Details section of registration forms (https://community.certain.com/kbase/form/profile.htm) to enforce unique email addresses.
  • Recommended: Map the field you select to a Certain field under Edit SSO Config below.
- Look Up Profile on form re-entry also –
  Caution: Like the other settings here, this applies to every login using this SSO connection in all events in this account.
  • If not selected, then Certain will use the value of the Profile Lookup field to find a matching profile record the first time someone logs in using SSO.
    If a match is found, Certain will then "remember" that match, so even if a person who logged in via SSO later changes the value of that profile field on the Certain side, their next login will still succeed.
  • If selected, Certain will look up the profile on every SSO login, instead of using the value from a successful initial login.
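The lookup behavior described above, as an added Python model for auditing a profile export before enabling an SSO (not Certain's code). The `Profile` record, the `subject` key used to "remember" a match, and trimmed case-insensitive comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Profile:
    profile_id: str
    email: str
    updated: datetime

def norm(value):
    # Assumption: lookup values are compared trimmed and case-insensitively.
    return value.strip().lower()

def duplicate_lookup_values(profiles):
    """Lookup values held by more than one profile, newest profile first."""
    groups = {}
    for p in profiles:
        groups.setdefault(norm(p.email), []).append(p)
    return {v: sorted(ps, key=lambda p: p.updated, reverse=True)
            for v, ps in groups.items() if len(ps) > 1}

def resolve(profiles, remembered, subject, idp_email, relookup):
    """Return the profile_id an SSO login lands on, or None if nothing matches."""
    if not relookup and subject in remembered:
        return remembered[subject]              # earlier match is reused
    matches = [p for p in profiles if norm(p.email) == norm(idp_email)]
    if not matches:
        return None
    winner = max(matches, key=lambda p: p.updated)  # most recently updated wins
    remembered[subject] = winner.profile_id     # hypothetical "remember" store
    return winner.profile_id

def demo():
    # Constructed sample data, not real records.
    profiles = [
        Profile("P1", "jane@example.com", datetime(2024, 1, 10)),
        Profile("P2", "Jane@Example.com", datetime(2024, 3, 2)),
        Profile("P3", "sam@example.com", datetime(2024, 2, 1)),
    ]
    dupes = duplicate_lookup_values(profiles)
    remembered = {}
    first = resolve(profiles, remembered, "idp-sub-1", "jane@example.com", False)
    profiles[1].email = "jane.c@example.com"    # value edited on the Certain side
    sticky = resolve(profiles, remembered, "idp-sub-1", "jane@example.com", False)
    fresh = resolve(profiles, remembered, "idp-sub-1", "jane@example.com", True)
    return dupes, first, sticky, fresh

if __name__ == "__main__":
    print(demo()[1:])
```

With the duplicate email present, the first login lands on the newer profile; after that profile's email is edited, the remembered match still returns it, while a fresh lookup lands on the other profile holding the same address.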
Edit SSO Config (Field Mapping)
This section is displayed when you click the edit icon in the list to edit an SSO for an account.
Map the fields from the Identity Provider (IDP) to their matching Profile fields in Certain.
This is required before you can enable an SSO connection.
Note: In a sub-account, you need to map these fields independently of the parent account, because the mappings are not "inherited".
You must map at least Profile First Name and Profile Last Name in Certain to the equivalent IDP fields.
(Important: Don't map them both to the same IDP field: see note below.)
- IDP Fields – Select an IDP field to map to a Certain field.
  The fields you see listed are those you selected in the IDP Fields drop-down list above.
  For example:
  • First Name (or Given Name);
  • Last Name (or Surname, or Family Name);
  • Email Address, etc.
- Certain Fields – Select the Profile Standard Field or Profile Question to be mapped to the selected IDP Field.
  For example:
  • Profile First Name,
  • Profile Last Name, etc.
  IMPORTANT: Always map different, separate fields to the Profile First Name and Profile Last Name fields in Certain.
  - For example, if your IDP fields include Given Name, Family Name and Name, then Name probably concatenates the other two.
  - So, if Given Name = "Jane" and Family Name = "Citizen", then Name would automatically be "Jane Citizen".
  - Correct procedure in this example:
    Map Given Name in IDP to Profile First Name in Certain, and Family Name to Profile Last Name.
    Both fields are used in Certain, so her name will appear as "Jane Citizen".
  - Wrong procedure in this example:
    If you mapped Name to both Profile First Name and Profile Last Name in Certain, both of those fields for that attendee would be "Jane Citizen".
    She would therefore appear to be "Jane Citizen Jane Citizen" wherever you saw her name in Certain.
- Updatable – If this check box is selected, then the Certain field is updated when a registrant logs back in after the value of the IDP field has changed (on LinkedIn or Facebook, for example) since the registrant last logged in.
  Caution: As best practice, many customers do not select this for Standard Profile Fields. This is to avoid potential problems such as inadvertently changing an email address.
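A pre-enable check for the mapping rules above, added here as an example and not part of Certain. The input layout (one list of mapping rows per account), the finding labels, and the set of fields treated as Standard Profile Fields are assumptions.

```python
REQUIRED = ("Profile First Name", "Profile Last Name")
# Assumption: fields this check treats as Standard Profile Fields.
STANDARD_FIELDS = {"Profile First Name", "Profile Last Name", "Email"}

def check_mappings(accounts):
    """accounts: {account name: [(idp_field, certain_field, updatable), ...]}.

    Every account is checked on its own rows, because sub-account
    mappings are not inherited from the parent account.
    """
    findings = []
    for account, rows in accounts.items():
        by_certain = {certain: idp for idp, certain, _ in rows}
        # Both name fields must be mapped before the SSO can be enabled.
        for field in REQUIRED:
            if field not in by_certain:
                findings.append((account, "missing", field))
        # The two name fields must not share one IDP source field.
        first, last = (by_certain.get(f) for f in REQUIRED)
        if first is not None and first == last:
            findings.append((account, "same-idp-field", first))
        # Updatable on a standard field lets an IdP-side change overwrite it.
        for idp, certain, updatable in rows:
            if updatable and certain in STANDARD_FIELDS:
                findings.append((account, "updatable-standard-field", certain))
    return findings

# Constructed sample configuration, not taken from a real account.
SAMPLE = {
    "Parent": [("Given Name", "Profile First Name", False),
               ("Family Name", "Profile Last Name", False),
               ("Email Address", "Email", True)],
    "Sub-account A": [("Name", "Profile First Name", False),
                      ("Name", "Profile Last Name", False)],
    "Sub-account B": [],  # parent is mapped, but nothing is inherited
}

if __name__ == "__main__":
    for finding in check_mappings(SAMPLE):
        print(finding)
```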