PhotoShelter allows you to integrate your media library with your company’s single sign-on (SSO) system so that employees are added to your Invited User list seamlessly. Employees can then log in easily to view and download from your PhotoShelter public Portal. With the purchase of SSO, it becomes possible to distribute your important files company-wide, without manually adding employees to an address book and without asking them to create a new password for their login.
SSO Adds Users to User Group(s) Automatically
With PhotoShelter SSO, you can automatically add employees to a user group as they log in via your Portal. The Administrator and Editor(s) on the PhotoShelter account then give this user group permission to view and download galleries as they wish. (You can also hide galleries from this group, such as those containing files that are out of license or unapproved for release.) You have full control over the access you wish to provide to this employee group.
Please note SSO is not for Library Staff or Contributor login. Administrators control who is added to and removed from the Library Staff, and Library Staff users set their own PhotoShelter passwords for their login.
Is this just for employees?
Our SSO implementation relies on users logging in with an email address in your company’s domain. They don’t have to be employees, but they must have an email address in your company’s domain.
Of course, you can add other Invited Users outside of your company's active directory to your account through our normal process. You still have full control over what they can see and download.
Is SSO right for my organization?
Our SSO implementation is created with some of the most widely used (and highly secure) protocols. We’ve created a standard installation that your IT team should be able to implement without much assistance from us. Of course, this assumes that you have an IT team that is capable of the integration.
Does SSO perform a 2-way sync with our IdP/Active Directory (AD)?
Our SSO configuration performs a 1-way sync from your IdP/AD to PhotoShelter. When a user authenticates through SSO in your portal, they are added to your Invited Users list with the corresponding user information from the AD. When a user is removed from the AD, the account will still exist in PhotoShelter, but the user will no longer be able to authenticate with SSO. We recommend removing such users from collection/gallery permissions and from any Invited User groups they belonged to. Our Product Team plans to expand this to a 2-way sync in the future.
How is user account creation handled?
PhotoShelter will create accounts in our system on the fly that include the first name, last name, and email address of the user that has authenticated through your SSO. That data will pull in from the information in your IdP/AD.
If a user has an existing PhotoShelter account, will they merge with SSO?
Yes, the accounts will unify as long as the email address the Identity Provider sends through SSO authentication is the same as the email address you or your Library Staff/Invited Users are already using. If the email addresses do not match, a new account will be created with the new email address, and access will need to be altered within PhotoShelter to give it the same access the other user once had.
SSO Product Details
PhotoShelter SSO is primarily built around a SAML2 transport layer to perform the login. SAML2 is widely available with directory services used in enterprise environments. The PhotoShelter team can provide details for implementation and a test page to verify that your assertions and keys are correctly formatted. Contact our support team if you would like more information about purchasing the SSO add-on for your PhotoShelter account.
Supported Transport Layer
● SAML2 transport layer
● Either SP- or IdP-initiated
● Requires email address, first name, and last name in the assertion
● Optional attribute: group (sorts SSO users into different contact groups)
● HTTPS profile using the POST method
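The following is an added example, not PhotoShelter's code, showing what a service provider does with an assertion that meets the requirements listed above and how the 1-way, on-the-fly provisioning and account-merge rules described earlier in this FAQ play out: the assertion's validity window and audience are checked, the required email/first name/last name attributes and the optional group attribute are extracted, and an Invited User record is either merged (matching email) or created. The attribute names, the SP entity ID, the sample assertion and the in-memory user directory are all constructed for this illustration; the real attribute names are agreed during setup, and signature verification is assumed to have been done by the SAML library that handed over the XML.

```python
# Added illustration of SAML2 attribute handling and just-in-time
# provisioning as this FAQ describes it. Not PhotoShelter's implementation.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical values for this example only.
SP_ENTITY_ID = "https://example-sp.invalid/saml"
REQUIRED_ATTRS = ("email", "firstName", "lastName")   # assumed attribute names
OPTIONAL_ATTRS = ("group",)

# Constructed sample assertion (unsigned; signature checking is assumed to
# have happened upstream in the SAML library).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example-corp.invalid/</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://example-sp.invalid/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@example-corp.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>marketing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)          # inside the window
EXPIRED_NOW = datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc)  # past NotOnOrAfter


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(assertion_xml: str, now: datetime) -> dict:
    """Check validity window and audience, then return the attribute map.

    Raises ValueError when the assertion must be rejected.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different audience")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in REQUIRED_ATTRS or name in OPTIONAL_ATTRS:
            attrs[name] = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        raise ValueError("assertion is missing required attribute(s): " + ", ".join(missing))
    return attrs


def provision(directory: dict, attrs: dict) -> str:
    """1-way sync: IdP data updates a matching Invited User or creates one.

    Matching is by email only, as the FAQ states, so a changed email at the
    IdP produces a new account. Case-insensitive matching is an assumption.
    Nothing is ever deleted here: a user removed at the IdP simply stops
    being able to obtain an assertion, and their record stays put.
    """
    email = attrs["email"].lower()
    record = directory.get(email)
    outcome = "merged" if record else "created"
    if record is None:
        record = directory[email] = {"email": email, "groups": set()}
    record["first_name"] = attrs["firstName"]
    record["last_name"] = attrs["lastName"]
    if attrs.get("group"):
        record["groups"].add(attrs["group"])   # optional: sorts user into a contact group
    return outcome


def validate_login(assertion_xml: str, now: datetime, directory: dict) -> dict:
    """Full flow for one SSO login; returns a status the caller can log."""
    try:
        attrs = extract_attributes(assertion_xml, now)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": provision(directory, attrs), "email": attrs["email"].lower()}


if __name__ == "__main__":
    users = {}
    print(validate_login(SAMPLE_ASSERTION, NOW, users))          # created
    print(validate_login(SAMPLE_ASSERTION, NOW, users))          # merged on second login
    print(validate_login(SAMPLE_ASSERTION, EXPIRED_NOW, users))  # rejected
```

The second login merges rather than duplicates because the email matches; removing `Name="lastName"` from the sample, or presenting it after `NotOnOrAfter`, is rejected before any record is touched. The account left behind after a user is removed at the IdP is exactly why the FAQ recommends also removing that user from gallery permissions and Invited User groups.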
Supported Directory Services
PhotoShelter SSO supports the use of any client-side directory service that can authenticate using SAML2. This is a long and constantly expanding list of enterprise directory services; Wikipedia maintains a partial list of compatible directory services. Below are some of the most common services used by our clients:
● LDAP - many implementations
● Microsoft Active Directory Service (Active Directory, Azure Active Directory, ADFS, and more)
Contact our Customer Success team if you would like more information about purchasing the SSO add-on for your PhotoShelter account. We can provide you with a document you can run by your IT Team to see if SSO fits in with your system and capabilities.