This document outlines the setup & functionality of the SAML Single Sign-On for user authentication and management. It describes the integration process, features, and steps for setup.
Key Product Benefits
Simplified Authentication
Allowing clients to sign in through their company Identity Provider.
Supporting both Service Provider (SP) initiated, and Identity Provider (IdP) initiated flows.
User Provisioning & Management
Automated user provisioning, updating and de-provisioning using SCIM.
Just-In-Time Provisioning for users that do not want to set up SCIM.
Supporting attribute mapping for custom user roles and teams.
Users provisioned through SAML will no longer need to go through the traditional user request approval process, which significantly reduces administrative overhead.
Enhanced Security
Secure handling of Name ID, attributes, and authentication contexts.
Associated Domain Authentication to ensure users belong to the correct organisation.
Feature Description & Setup
This update primarily targets large organisations.
The examples below use Okta as the Identity Provider; however, the SAML integration works with any Identity Provider that supports SAML 2.0.
Each IdP may have a slightly different interface for configuration, but the core setup process remains the same:
a. Create an application within the IdP.
b. Configure the ACS URL and SP Entity ID provided by the Service Provider (CisionOne/Streem).
c. Map attributes like email, first_name, last_name, and custom roles.
SAML Setup (Okta Side - Required)
1. Create a new App Integration in Okta
Enter your Identity Provider admin dashboard and create a new app integration. Make sure to select SAML 2.0 if prompted with a sign-in method.
2. Copy & Paste ACS & SP Entity ID from CisionOne
Enter the SAML Integration page by going to Organisation → Integrations → SAML.
Copy the ACS URL & SP Entity ID.
Paste the ACS URL and the SP Entity ID in the appropriate fields. Use email address as the Name ID format and use email as the Application Username.
3. Setup Attributes
Set up attribute statements via the Attribute Statements section of your Identity Provider. We currently require:
email
first_name
last_name
primary_team (optional)
monitoring_user_role (optional)
social_user_role (optional)
outreach_user_role (optional)
Inside Okta, scroll down from the SAML Integration to reach the Attribute Statements section. Add the attributes listed above.
Make sure the required and desired optional attributes are set up in the Profile Editor of Okta.
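As an added example (not CisionOne or Okta code), the following checks that an assertion carries the Name ID format and the required and optional attributes described above. The assertion fragment is constructed and unsigned; it assumes signature verification has already been done elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED = ("email", "first_name", "last_name")
OPTIONAL = ("primary_team", "monitoring_user_role", "social_user_role", "outreach_user_role")

# Constructed sample assertion fragment (unsigned), shaped like an Okta response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="primary_team"><saml:AttributeValue>Comms</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="monitoring_user_role"><saml:AttributeValue>editor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return (name_id, name_id_format, {attribute name: value})."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    if name_id is None:
        return None, None, attrs
    return name_id.text, name_id.get("Format"), attrs

def check_assertion(assertion_xml):
    """List problems with the attribute set; an empty list means it is usable.
    Run this only after the assertion's signature has been verified."""
    name_id, fmt, attrs = parse_attributes(assertion_xml)
    problems = []
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID format is {fmt!r}, expected emailAddress")
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    # The email attribute and the NameID must agree, otherwise the account
    # matched at sign-in could differ from the one provisioned.
    if attrs.get("email") and name_id and attrs["email"].lower() != name_id.lower():
        problems.append("email attribute does not match NameID")
    return problems
```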
SAML Setup (CisionOne - Required)
1. Copy & Paste SSO URL, Issuer & Certificate from Okta
After creating the application, copy the SSO URL, Identity Provider Issuer (Identity ID) and X.509 Certificate from your Identity Provider and paste them into the Integration page in CisionOne to establish the connection.
2. Setup Associated Domains
If you have users across multiple domains or organisations, please set up domain authentication and add the generated key to your DNS records. Make sure to click “Verify Domains” to properly establish the connection.
If users are part of multiple organisations or accounts, ensure proper domain verification across both accounts. This avoids routing conflicts and ensures users are authenticated correctly. If this is not set up, the user will not be able to see their alternate organisations in the organisation dropdown in the top left-hand corner and will need to sign in to their other accounts separately without SAML SSO.
3. Setup Custom Attribute Value Mapping
For the team and user role attributes to work, the admin must map the custom attribute values inside CisionOne.
Scroll down in the CisionOne SAML integration and open the “Custom Attributes (Optional)” accordion.
Note: if the organisation does not have the optional attributes set up, users will be assigned the default teams and roles configured inside the CRM. If there is no default team, they will be assigned to no team.
SCIM Setup (Okta & Cision)
SCIM is independent of SAML; Okta uses this specification to provision, deprovision and update users.
If SCIM is not set up, provisioning will still be available via Just-In-Time provisioning, but updates and user de-provisioning will not be available.
SCIM Form
Go to the SCIM form by going into the App Integration → Provisioning → SCIM Connection.
Fill in the form as shown below and ensure the SCIM connector base URL path is /scim/v2:
CisionOne URL: https://identity.cision.one/scim/v2
Streem URL: https://identity.streem.one.au/scim/v2
Please use “email” as the “Unique Identifier Field for Users”
Select the “Push New Users” and “Push Profile Updates” checkboxes
Use HTTP Header as the authentication mode
When reaching the HTTP Header → Authorisation section, refer back to the integration page inside CisionOne.
Scroll to the bottom of the page to generate & copy a token. Paste this token into the Authorisation field inside the IDP.
After entering all the details inside of the Okta SCIM form, click on “Test Connector Configuration”. After testing the connection, you should see the following screen:
Enable the push actions to allow the IDP to automatically create, update and deactivate users inside Cision.
Now, when you add, remove or make changes to a user inside the IDP, they’ll be synced with the user profile inside Cision.
The Authorisation token to be used is the one generated on the SAML integration modal.
Attributes for SCIM
When assigning attributes for SCIM, please add the “External Namespace” field per the screenshot below.
Note: The external namespace for teams needs to be urn:ietf:params:scim:schemas:extension:teams:2.0:User and the external name primary_team.
For roles, the external namespace needs to be urn:ietf:params:scim:schemas:extension:roles:2.0:User and the external name needs to be one of the following, depending on the desired user role type:
monitoring_user_role
social_user_role
outreach_user_role
Then, when you add a user to the application, remove it or make changes to the user, they’ll be synced with the API and Identity service.
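As an added example (not CisionOne or Okta code), the following shows the shape of a SCIM user carrying the teams and roles extension namespaces above, and how a receiving side could pull out the fields that drive provisioning, role assignment and deactivation. Both payloads are constructed; the fallback to CRM defaults when an extension is absent follows the note in the SAML section.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
TEAMS_EXT = "urn:ietf:params:scim:schemas:extension:teams:2.0:User"
ROLES_EXT = "urn:ietf:params:scim:schemas:extension:roles:2.0:User"
ROLE_NAMES = ("monitoring_user_role", "social_user_role", "outreach_user_role")

# Constructed sample of a user pushed by the IdP to /scim/v2/Users.
SAMPLE_CREATE = json.dumps({
    "schemas": [CORE_USER, TEAMS_EXT, ROLES_EXT],
    "userName": "jane@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    TEAMS_EXT: {"primary_team": "Comms"},
    ROLES_EXT: {"monitoring_user_role": "editor", "social_user_role": "viewer"},
})
# Constructed sample of a deactivation (de-provisioning) update without extensions.
SAMPLE_DEACTIVATE = json.dumps({
    "schemas": [CORE_USER],
    "userName": "jane@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": False,
})

def extract_provisioning(user_json):
    """Return the fields the integration acts on (team None / no roles = CRM defaults)."""
    user = json.loads(user_json)
    schemas = set(user.get("schemas", []))
    if CORE_USER not in schemas:
        raise ValueError("core User schema missing from 'schemas'")
    email = user.get("userName", "")
    if "@" not in email:
        raise ValueError("userName must be the user's email address")
    name = user.get("name", {})
    result = {"email": email.lower(), "first_name": name.get("givenName"),
              "last_name": name.get("familyName"),
              "active": bool(user.get("active", True)),
              "primary_team": None, "roles": {}}
    # Extension payloads only count when their namespace is declared in "schemas".
    if TEAMS_EXT in schemas:
        result["primary_team"] = user.get(TEAMS_EXT, {}).get("primary_team")
    if ROLES_EXT in schemas:
        roles = user.get(ROLES_EXT, {})
        unknown = sorted(set(roles) - set(ROLE_NAMES))
        if unknown:
            raise ValueError(f"unknown role attributes: {unknown}")
        result["roles"] = {k: v for k, v in roles.items() if v}
    return result
```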
Sign-In Flow
The integration allows for both SP-initiated and IdP-initiated authentication flows.
From the IDP
After setup, you should be able to see the created application inside the user dashboards of your Identity Provider. When clicking on the tile, the browser will redirect to CisionOne and sign the user in. The tile will also provision the user if they do not yet exist in Cision.
From CisionOne
To sign in from CisionOne, select the “Sign in with SAML” button. The user must type in their corporate email and select “Single Sign-On”. After signing in, the user may be briefly redirected to their Identity Provider and will then be redirected back to Cision.
If the user's email does not exist or there is an issue with their sign-in, the following error message will display.