Note: SAML integration is not available at all service levels. If you do not see Single Sign On Settings under your Account Settings, and you are interested in the integration, please contact firstname.lastname@example.org to discuss having it added to your account.
Single Sign On through SAML allows you to integrate Image Relay with an external identity provider such as Active Directory (via Active Directory Federation Services) or OneLogin.
SAML is a secure, industry-standard protocol through which users from an external Identity Provider (IdP) can sign on to a Service Provider (SP) with a single set of credentials. In the case of the Image Relay integration, you would provide the IdP and Image Relay would be the SP.
Common Identity Providers that we work with are Azure, OneLogin, Shibboleth, OneLogin, ADFS, Okta.
Within your internal intranet or on your website you may provide a link to Image Relay. When users access this link, the IdP sends an SAML message to Image Relay telling it that the currently logged in user is authenticated. Image Relay, then looks up the user and if the user is found, allows access to the library. Optionally, Image Relay SAML also supports Just-In-Time user provisioning, so if the user is not found in the IR system, a user will be created with the proper email address and assigned to a default Permission group of your choice.
SAML settings are configured in Image Relay by the Master Admin only.
Click on Account Settings
Navigate to Single Sign On Settings on the left navigation bar.
Enter the SAML Settings information to get SSO up and running.
The information Image Relay needs from you or your IT department is the Login URL for your Identity Provider. This is the page that users will be redirected to on your side to be authenticated. We also need the x.509 Certificate from your IdP. This is to allow us to decrypt encrypted SAML requests and responses from you, so all communication is safe and secure.
We optionally support the IdP initialed logout process as well. In this case, you provide a URL that we respond to in the event that you send us a Logout Request.
Also, optionally, if you wish the user to be redirected to a specific page on your server when they logout of Image Relay via the Logout button, you can supply it in the Redirect URL field.
Optionally, Image Relay provides Just-In-time (JIT) User Provisioning through SAML. Users who attempt to sign on to Image Relay though Single Sign On who are properly authorized and authenticated on the IdP, but who do not have an account on Image Relay already, will automatically have an account created for them. They will be assigned to a default SSO permission group of your choice.
The system can be configured to allow certain users to only login via Single Sign On, while Administrators or other users outside your organization can be configured to log in through our standard login portal.
This is configured through Image Relay's Permission Groups. If a user is assigned a permission group that is marked as Single Sign On only, they will not be able to login though our login page, and they will not be able to manage their Image Relay username or password. Authentication for them is always handled through the IdP.
To setup the Permission group that will become Just-In-Time provisioned, and so Single Sign On only, select the one Permission group you want to update, and check the box This Group can only sign-in via Single Sign On under Single Sign On Settings. Only one role can be the JIT role.