Permission required: Client administrator
SD Elements provides options for single sign-on based on common standards used by our clients. Note that you need the special client administrator account to see these settings.
Single Sign-On options for SD Elements
SD Elements provides three options for Single Sign-On (SSO):
- None: Do not use SSO. In this case, you must use SD Elements' user management features to add and remove users.
- SAML: Security Assertion Markup Language v2. This is a federated authentication standard that allows you to use a single login across organizational boundaries. For example, you can log into salesforce.com and then access SD Elements seamlessly. Typically you need a product or service that supports SAML authentication in order to use SAML. If you are interested in SAML authentication and do not have a current provider, look at the section on OneLogin below.
- LDAP: Lightweight Directory Access Protocol. This is a common authentication protocol for internal applications. Typically customers use LDAP authentication with Microsoft's Active Directory. LDAP users still need to authenticate into SD Elements, but they can re-use their existing Active Directory or other credentials rather than creating new ones. Note that both LDAPS and LDAP with TLS are supported for SSO purposes.
- OneLogin: SD Elements' partner, OneLogin, allows customers to use their SAML service to authenticate to SD Elements for free. OneLogin provides several options, such as using your existing Active Directory instance, as well as support for multi-factor authentication. You can find more details of how to use OneLogin here: http://www.onelogin.com/partners/app-partners/sd-elements
SSO allows users to access SD Elements without separate credentials. When SSO users first access SD Elements, they are automatically added to the system and given the default global role. If the default global role is a restricted permission role, such as User, then users may not be able to access many features.
In order to ensure users have a good experience the first time they log in, you should consider one of the following options:
- Change the default global role to give users more permissions when they log in, such as the ability to create applications and projects.
- Use the Add users in bulk feature to add users by name ahead of time, granting them access to specific projects so they can be productive as soon as they access SD Elements.
- Have project leads coordinate with users offline. When users authenticate for the first time they should notify their project leads, who will then grant them access to a specific project.
Select SAML as the SSO Type in order to enable SAML. SAML configuration is an advanced topic. Please consult the SAML configuration page for details on what each field means. Contact your account representative if you have any additional questions.
LDAP / Active Directory
Select LDAP as the SSO Type in order to enable LDAP. LDAP configuration is fairly straightforward. However, troubleshooting it if it doesn't work on the first try is an advanced topic that benefits from scheduling a time with one of our engineers in SD Elements support to help you through it. The setup page itself contains comments about each input and is fairly self-explanatory.
In summary, for Active Directory / LDAP integration, here is what you will need from your Active Directory admin:
- Service URI, usually in the form of ldap://<host>
- Active Directory access account for SD Elements, which consists of an Active Directory username (referred to as BIND DN in SD Elements configuration) and password (BIND Password in SD Elements configuration)
- Base DN (the DN within which to search for the user)
Please consult the LDAP configuration page for details on what each field means. Contact your account representative if you have any additional questions.
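One way to check the Service URI, BIND DN and Base DN from a machine that can reach the directory before entering them, as an added example that is not part of the SD Elements documentation. It assumes OpenLDAP's ldapsearch is installed and that users are looked up by Active Directory's sAMAccountName attribute; the host, account, DN and login are constructed sample values.

```shell
#!/bin/sh
# Added example: pre-flight check of the LDAP settings with OpenLDAP's ldapsearch.
# Assumption: users are found by the Active Directory attribute sAMAccountName.

# ldap_preflight URI BIND_DN BASE_DN LOGIN
#   Binds as the service account and searches for one user under the Base DN.
#   Set DRY_RUN=1 to print the ldapsearch command instead of running it.
ldap_preflight() {
    uri=$1 bind_dn=$2 base_dn=$3 login=$4

    case $uri in
        ldaps://?*) tls="" ;;     # LDAPS: TLS is in place before any LDAP traffic
        ldap://?*)  tls="-ZZ" ;;  # plain port: require StartTLS to succeed before the bind
        *) echo "unsupported service URI: $uri" >&2; return 2 ;;
    esac

    # Refuse logins that would change the meaning of the search filter.
    case $login in
        ""|*"("*|*")"*|*"*"*|*"\\"*)
            echo "refusing empty login or login with filter metacharacters" >&2
            return 2 ;;
    esac

    # -x simple bind, -W prompt for the BIND Password (keeps it out of shell history),
    # -s sub searches the whole subtree under the Base DN, "dn" returns only the entry DN.
    set -- ldapsearch -x -LLL -H "$uri" $tls -D "$bind_dn" -W \
        -b "$base_dn" -s sub "(sAMAccountName=$login)" dn

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# Constructed sample values; the subshell keeps DRY_RUN from leaking into real runs.
( DRY_RUN=1
  ldap_preflight "ldap://dc01.example.test" "svc-sde@example.test" \
      "DC=example,DC=test" "jdoe" )
```

A bind error points at the BIND DN or BIND Password, a TLS error at the Service URI or certificate trust, and an empty result at the Base DN.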