You can set up single sign on with SAML inside one or more of your Directories to enable your users to log in through your company's universal method. After setting up SSO, your users will no longer be required to set up a password in Sift itself, and may sign in without an explicit invite.
Sift supports any identity provider which supports the SAML 2.0 protocol, including
- Azure Active Directory
- and many more!
Configuring SSO on Sift
Step 1: Go to one of your created Directories
Step 2: Click the "Authentication" tab
Step 3: Flip the switch in the "Single Sign on With SAML" box to "On"
Step 4: Configure Sift as a service provider (SP) on your identity provider's website
Use the information in the first section to configure Sift as a service provider.
- The Postback URL (also sometimes known as ACS URL) is where a user will be directed after a successful sign in, and will allow you to perform IdP initiated authentication if desired.
- The Entity ID is used as a unique identifier for your SAML integration with Sift
- You must use Email Address as the name identifier for users during sign in.
- We also require the user's First Name and Last Name to be sent to us during sign in.
Step 5: Export XML metadata from your IdP's website and provide it to Sift
Your identity provider will allow you to export an XML file/string during or after setup which contains the information that Sift needs for the integration. After downloading or copying this metadata, paste it into the input box in the admin dashboard.
Step 6: Configure Attribute Mappings
Depending on your identity provider and company's configuration, your attributes may be named differently. Use the Attribute Mapping section to tell Sift what these attributes are named inside of your SAML assertion. In most cases, you can also change how these are named on your IdP's website, but we want to remain flexible.
In order to allow users to be automatically provisioned, you must provide mappings for:
- First Name - The user's first name
- Last Name - The user's last name
Additionally you may provide a mapping for:
- Primary Key - If provided, users in your directory will be matched against their defined primary key mapping rather than their email address during single sign on.
Step 7: Give it a try!
You may now attempt to log into Sift by initializing authentication inside of your identity provider, or through Sift's website by entering the email address of any user in the related directory.