PhotoShelter allows you to integrate your media library with your company’s single sign-on (SSO) system for seamless addition of employees to your Invited User list. This lets employees easily log in to view and download from your PhotoShelter public Portal. With the purchase of SSO, it becomes possible to distribute your important files company-wide, without manually adding employees to an address book and without asking them to create a new password for their login.
SSO Adds Users to User Group(s) Automatically
With PhotoShelter SSO, you can automatically add employees to a user group as they log in via your Portal. The Administrator and Editor(s) on the PhotoShelter account then give this user group permission to view and download galleries as they wish. (You can also hide galleries from this group, such as those containing files that are out of license or unapproved for release.) You have full control over the access you wish to provide to this employee group.
Please note SSO is not for Library Staff or Contributor login. Administrators control who is added to and removed from the Library Staff, and Library Staff users set their own PhotoShelter passwords for their login.
Is this just for employees?
Our SSO implementation relies on users logging in with an email address in your company’s domain. They don’t have to be employees, but they do have to have an email address in your company’s domain.
Of course, you can add other Invited Users outside of your company's active directory to your account through our normal process. You still have full control over what they can see and download.
Is SSO right for my organization?
Our SSO implementation is created with some of the most widely used (and highly secure) protocols. We’ve created a standard installation that your IT team should be able to implement without much assistance from us. Of course, this assumes that you have an IT team that is capable of the integration.
Does SSO perform a 2-way sync with our IdP/Active Directory (AD)?
Our SSO configuration performs a 1-way sync from your IdP/AD to PhotoShelter. When a user authenticates through SSO in your portal, they are added to your Invited Users list with the corresponding user information from the AD. When a user is removed from the AD, the account will still exist in PhotoShelter but the user will no longer be able to authenticate with SSO. We recommend removing users from collection/gallery permissions and any Invited User groups they belonged to. Our Product Team does plan to expand on this 2-way sync in the future.
How is user account creation handled?
PhotoShelter will create accounts in our system on the fly that include the first name, last name, and email address of the user that has authenticated through your SSO. That data will pull in from the information in your IdP/AD.
If a user has an existing PhotoShelter account, will they merge with SSO?
Yes, the accounts will unify as long as the email address the Identity Provider is sending through SSO authentication is the same as the email address you or your Library Staff/Invited Users are already using. If the email addresses do not match, a new account will be created with the new email address, and access will need to be altered within PhotoShelter to give the same access the other user once had.
Can I prevent other login methods on my Organization's portal by forcing users to sign in with SSO?
Yes. If you want to require that all users can ONLY sign in with their organization or university email address rather than creating a free account, please let our support team know so that we can configure this in your account.
What Attributes/Claims are required?
We require the following attributes:
- givenName
- sn
Optionally, if your Organization uses eduPersonScopedAffiliation, you can map this attribute to the mail attribute.
How does PhotoShelter handle certificate renewal?
Our system allows Organizations to have two signed certificates. Should the first certificate fail or expire, we'll automatically attempt the second certificate. If your certificate is up for renewal, please contact our Technical Support team with the new certificate so that we can add it to your configuration for you.
SSO Product Details
PhotoShelter SSO is primarily built around a SAML2 transport layer to perform the login. SAML2 is widely available with directory services used in enterprise environments. The PhotoShelter team can provide details for implementation and a test page to verify that your assertions and keys are correctly formatted. Contact our support team if you would like more information about purchasing the SSO add-on for your PhotoShelter account.
Supported Transport Layer
● SAML 2 Transport layer
● Either SP- or IdP-initiated
● Requires email address, first name, and last name in the assertion
● Optional attribute: group (sorts SSO users into different contact groups)
● HTTPS profile using the POST method
Supported Directory Services
PhotoShelter SSO supports the use of any client-side directory service that can authenticate using SAML2. This is a long and constantly expanding list of enterprise directory services. Wikipedia provides a partial list of compatible directory services here. Below are some of the most common services used by our clients:
● LDAP - many implementations
● Microsoft Active Directory Service (Active Directory, Azure Active Directory, ADFS, and more)
● Oracle
● Shibboleth
● Okta
InCommon
PhotoShelter participates in the InCommon Federation as a Sponsored Partner (listed as PhotoShelter here). We support the following InCommon attributes:
● givenName
● sn
● mail
● eduPersonScopedAffiliation
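As an added example (not PhotoShelter's code), the following script ties together the attribute rules stated on this page: givenName, sn and mail are required in the assertion, group is optional and selects a contact group, the email must be in the organization's domain, and an existing account is unified only when the email matches. The sample assertion, the domain and the account table are constructed; matching email addresses case-insensitively is an assumption, and no signature, issuer, audience or timestamp validation is performed here.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attributes this page lists as required for login.
REQUIRED = ("givenName", "sn", "mail")

# Constructed sample assertion (no signature); only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>Ada.Lovelace@example.edu</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="group"><saml:AttributeValue>marketing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: first value} from the assertion's AttributeStatement.
    NOTE: a real SP must verify the XML signature (trying the primary and then the
    fallback IdP certificate) before trusting any of these values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def provision(attrs, existing_accounts, allowed_domain):
    """Decide how to handle an authenticated user.
    existing_accounts maps lower-cased email -> account id already in the library.
    Returns (action, account key, contact group or None)."""
    missing = [name for name in REQUIRED if name not in attrs]
    if missing:
        raise ValueError("assertion missing required attributes: " + ", ".join(missing))
    email = attrs["mail"].lower()  # assumption: emails compared case-insensitively
    if not email.endswith("@" + allowed_domain.lower()):
        raise ValueError("email %s is not in the %s domain" % (email, allowed_domain))
    group = attrs.get("group")  # optional: sorts the user into a contact group
    if email in existing_accounts:  # same email -> unify with the existing account
        return "unify", existing_accounts[email], group
    return "create", email, group  # otherwise a new Invited User account is created


if __name__ == "__main__":
    print(provision(extract_attributes(SAMPLE_ASSERTION), {}, "example.edu"))
```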
Contact our Customer Success team if you would like more information about purchasing the SSO add-on for your PhotoShelter account. We can provide you with a document you can run by your IT Team to see if SSO fits in with your system and capabilities.