Single Sign-on for Member Hubs

Member Hubs support single sign-on authentication of users using your organization's identity provider.

An identity provider is a service that stores and authenticates the identities that your users use to log into applications. IT resources will check with the identity provider to verify that a user is allowed to access that resource and to what degree.

Security Assertion Markup Language (SAML) 2.0 is a standard used by web browsers to enable single sign-on using secure tokens. Member Hubs supports authentication using SAML 2.0 for the following identity providers:
  • Azure
  • OneLogin

Single sign-on simplifies authentication for IT administrators, Community administrators and users, and Member Hub end-users:

  • IT administrators can manage end-user access to hubs by configuring users and groups for the organization's identity provider.
  • Community administrators and users can add end-users to hubs using system uploads or through a Community integration. They do not need to invite users to join via recruitment surveys.
  • End-users can access hubs without setting up a new account, and they may be able to access the hub without signing in. If a user has recently authenticated with your organization's identity provider in their browser, they are automatically authorized when they access a hub they have permissions for. If they have not recently authenticated with your organization's identity provider in their browser, they must authenticate with the identity provider before they can access the member hub.

Setting up and configuring single sign-on typically requires coordination between a Community admin and a system administrator from your organization's IT department. The Community admin needs to enable SSO in member hubs settings and pass the member hub URLs to the system administrator. The system administrator then configures the identity provider and user and group permissions, and returns the required connection information for hubs to communicate with the identity provider.

If necessary, you can configure more than one identity provider, or more than one instance of the same identity provider. This allows you to switch identity providers or update settings without interrupting service for hub end-users.

If single sign-on is configured for a member hub, users will still be able to sign in with an existing user name and password, but it is recommended that you disable user name and password sign-in. Users can continue to use social sign-on from Google, LinkedIn, or Facebook.