Enabling SAML Single Sign-On

SAML Single Sign-On (SSO) is a mechanism that uses SAML to let users log on to multiple web applications after logging in to the identity provider. Because the user only has to log in once, SAML SSO provides a faster, more seamless user experience. Okta, OneLogin, and Auth0 are the main SAML SSO providers.

SAML SSO is easy to use and, from a user's perspective, more secure, because users only need to remember one set of credentials. It also provides fast and seamless access to a site, because the applications they access do not each prompt for a username and password. Instead, the user logs into the identity provider and then accesses the relevant web application by clicking on its icon or navigating to the site via its URL.

SAML SSO Flow

Once this option is enabled on your site, users can log into the site without manually creating an account or entering a username and password. The site login page shows an option to log in or sign up with their credentials from the SAML SSO provider. You can change this login button text or hide the button from the site login page.

Create new staff: In the SAML SSO settings, if the "Create new staff" toggle is enabled, as soon as a user clicks the SAML login/sign-up option, Bettermode creates a staff account for the user on the site if the user does not already exist there. These staff accounts can get an Admin or Moderator role later (How to assign roles). If this toggle is disabled, Bettermode will show an error and won't create an account for the user. This way, you will make sure that only your staff will be able to register with the site using the SAML option.

Login button text: Let's say that you are using Okta (SAML provider) for your admin/staff sign-in only. In that case, you might not want all the site users to see the staff login option on the site login page. To hide this option, leave the "Login button text" empty in the site's SAML SSO settings. Your staff can then log in to their Okta account and log in to the site from there, along with all other apps that they have access to via Okta.

How to set up SAML SSO in my Bettermode site

  • Log in to the site using your admin account.

  • Navigate to Administration > Settings > Authentication > enable SAML toggle.

  • From the SAML settings page, fill out the required credentials.

  • Turn on the "Enable SAML" toggle from the bottom of the page and click on the "Update" button to save the changes.

SAML SSO Settings

  • Identity provider single sign-on URL

  • Identity provider issuer/entity ID

  • X.509 certificate
    The above credentials should be copied from your SSO provider. For example, if your SSO provider is Okta, you need to log in to your admin account on Okta and copy this information from there. Each SSO provider has instructions on where to find these credentials.

  • Create new staff: If the authenticated SAML user is not a site member, create a new staff member for them automatically.

  • Login button text: Show the SAML authentication button in the log-in and sign-up page with this text. Leave it empty if you don't want the button to be publicly available.

  • Service provider (SP) details:

    • Single sign-on URL: Use this value for "Single sign-on URL", "Recipient URL", and "Destination URL" in your SAML provider.

    • Audience restriction: Enter this value in your SAML provider if it requires audience restriction.
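
A mismatch between these service provider values and what the identity provider actually sends is a common reason a SAML login is rejected. The following Python check is an added example, not Bettermode's code: it compares the Destination, Issuer, Recipient and Audience in a decoded test response against the values from the settings page. The function name, URLs and entity IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (placeholder URLs); the Audience is deliberately wrong.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://community.example.com/sso/saml">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/entity</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://community.example.com/sso/saml"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://community.example.com/wrong</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_sp_values(response_xml, sp_sso_url, sp_audience, idp_issuer):
    """Return the names of fields that do not match the configured values.

    Configuration check only (hypothetical helper): it does not verify the XML
    signature, so it must never decide whether a login is authentic.
    """
    if "<!DOCTYPE" in response_xml:
        # SAML messages never need a DTD; refuse it rather than expand entities.
        raise ValueError("DTD not allowed in SAML response")
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != sp_sso_url:
        problems.append("Destination")
    issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if issuer is None or issuer.strip() != idp_issuer:
        problems.append("Issuer")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r != sp_sso_url for r in recipients):
        problems.append("Recipient")
    audiences = [(e.text or "").strip()
                 for e in root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_audience not in audiences:
        problems.append("Audience")
    return problems
```

Run it against a base64-decoded response captured from your own test login; an empty list means the four values line up with the settings page.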
