Logging in to Splash with SSO
Single Sign-On (SSO) allows your team to securely log in to Splash using credentials provided by your SSO provider. This article walks through setting up SSO, logging in, and updating your account details in Splash.
Getting access
Setting up SSO is offered with Splash Professional Services and you must have a paid Splash plan.
Next, make sure Splash supports your SSO type. Splash supports OAuth and Security Assertion Markup Language (SAML) SSO configurations. Just-in-time (JIT) provisioning is also supported, but SCIM provisioning is not supported.
Lastly, submit a services request to activate SSO for your company's Splash account.
Note: SSO is compatible with Team Manager. Read our Introduction to Team Manager article to learn more.
Logging in to Splash on the desktop with SSO
Once you're set up, SSO will be available on the login screen.
To log in with SSO:
- Open the Splash login screen.
- Enter your email address.
- Click Log In.
- Click Login with SSO under the Password field.
- Enter your credentials.
You'll be redirected to your SSO provider to log in. After logging in, you'll be directed back to your Events Dashboard in your Splash account.
Logging in to the Splash Host app with SSO
Open the Host App and tap Organization Login (iOS) or SSO Login (Android). When asked to enter the domain of your organization, enter the domain of one of the events already created in your org, in this form:
- If your event is mybeautifulevent.splashthat.com, enter "mybeautifulevent" as the domain. If you're using a vanity URL, you can find the URL in this format in your Event Settings.
Editing account information in Splash
Trying to save your first and last name with no luck? Frustrating - we know.
Your SSO provider populates the first and last name shown in your Splash Account Settings. Reach out to your team administrator to have this information updated in your SSO settings so that it automatically saves in Splash.
SSO Options
Admin vs. Attendee SSO
There are two types of SSO at Splash: Admin SSO and Attendee SSO.
Admin SSO requires Splash hosts to log into the platform through an IdP (Identity Provider). Attendee SSO requires Splash attendees to view event pages through an IdP. Attendee SSO is generally reserved for internal events. As such, Admin SSO is more popular across Splash’s customer base.
Protocols and IdPs
By default, auto-provisioning is leveraged for both SAML and OAuth implementations for Admin SSO. Auto-provisioning is unnecessary for Attendee SSO, as users would not be created in Splash after they are authenticated to view the event page.
You can have both Admin and Attendee SSO implemented; however, there are a few considerations to keep in mind:
- Both cannot use SAML at the same time.
- It's a good idea for one to use SAML and the other OAuth.
Splash has several verified IdP partners:
- Okta
- Azure
- ADFS
- Google Auth
- Zephr
- Auth0
- ForgeRock
- PING
If your IdP is not on this list, reach out to our team and we can connect to just about anything that uses either protocol.
Implementation
Okta via SAML
If you use Okta, the implementation should be straightforward as we have a dedicated app with them.
For Admin SSO config with Okta, you can reference the following documentation: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Splash.html
One field, Org ID, is needed for setup. This is not generated until the Splash instance is created. So, you will need to wait until entering the implementation phase to begin setup.
Then, Splash will need the following in return to complete the setup:
- Exported IdP metadata
- IdP attribute names for First name, Last name and Email Address (Okta's defaults are firstName, lastName and email)
SAML via other IdPs
If you leverage SAML with an IdP that is not Okta, follow the steps below to implement it.
Find the SP metadata:
- SAML SP Entity ID: https://splashthat.com/users/saml/OrgID/metadata
- SAML SP (login) ACS: https://splashthat.com/users/saml/OrgID/acs
- SAML SP (logout) SLS: https://splashthat.com/users/saml/OrgID/sls
In return, expect to receive the following:
- IdP metadata file that we can parse. This should include:
  - SAML IdP Entity ID
  - SAML IdP SSO
  - SAML IdP SLS (optional)
  - SAML IdP x509 Cert
- IdP attribute names for First Name, Last Name, and Email Address
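As an added example (not Splash's own tooling), here is a Python pre-check you can run on an IdP metadata file before sending it to Splash, confirming the items listed above are present: the IdP Entity ID, an HTTPS SSO endpoint, the optional SLS endpoint, and a signing x509 certificate. The namespaces are the standard SAML 2.0 ones; the sample metadata, its entity ID, endpoints and certificate value are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata: entity ID, endpoints and the cert value are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIBplaceholderCERT0</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/slo"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text: str) -> dict:
    """Report the IdP Entity ID, SSO and SLS endpoints and signing cert that the SAML setup needs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata: EntityDescriptor with IDPSSODescriptor expected")
    def endpoint(tag):  # Location of the first md:<tag> endpoint, or None if absent
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None
    report = {"entity_id": root.get("entityID"), "sso": endpoint("SingleSignOnService"),
              "sls": endpoint("SingleLogoutService"), "cert_ok": False, "problems": []}
    for key, msg in (("entity_id", "missing entityID"), ("sso", "missing SingleSignOnService")):
        if not report[key]:
            report["problems"].append(msg)
    for key in ("sso", "sls"):  # SAML requests/responses travel over these: require HTTPS
        if report[key] and not report[key].startswith("https://"):
            report["problems"].append(f"{key} endpoint is not https: {report[key]}")
    # The SP verifies assertion signatures with this cert, so an encryption-only
    # KeyDescriptor does not count and the value must decode to DER (first byte 0x30).
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use") == "encryption" or cert is None:
            continue
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            der = b""
        if der[:1] == b"\x30":
            report["cert_ok"] = True
            break
    else:
        report["problems"].append("no usable signing X509Certificate")
    return report
```

An empty `problems` list means the file carries everything the list above asks for; anything reported should be fixed on the IdP side before the metadata is exported again.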
OAuth
If you leverage OAuth, follow the steps below to implement it.
Find the required info from Splash:
- Callback URL: https://splashthat.com/users/oauth/orgID
- Logout URL (optional): https://splashthat.com/logout
In return, provide the following:
- Client ID:
- Client secret:
- Authorize url:
- Access token url:
- Access_token content_type:
- User_profile url:
- User profile attributes:
  - open id ("sub" by default; confirm if different)
  - full name (optional)
  - first name
  - last name
- State: if used in your code flow (usually applicable if you use Okta)
- Scopes: if configured on your side (for example, "openid profile email")
What happens when you log in
If you are a current Splash user logging into Splash via SSO login links, Splash will recognize your email address and log you in as an existing user with the Role and Group assigned to you in Splash Team Manager.
If you are a new Splash user and are not part of the current Splash Team, Splash will recognize that a user with this email address does not exist, and a new user will be created with the lowest role assignment, View Only. This role does not allow the user to edit anything in Splash and carries no group assignment, meaning the user has no visibility into any existing pages. In this situation, anyone with an Admin role in Splash can go into the Team Manager tab and assign this new user the correct role and the group they should be added to.