Single Sign-on (SSO) for ElevenOS and Site Manager

Single sign-on (SSO) reduces password fatigue and enhances security by reducing the attack surface with your organization. Enable SSO for your users to access ElevenOS or Site Manager with their managed account credentials in your identity provider (IdP). Learn how to get started and what Eleven requires to make a connection with your IdP.

Requirements

• An IdP capable of making Security Assertion Markup Language (SAML) or OAUTH 2.0 SSO authentication assertions
• The IdP metadata file
• ElevenOS administrator users and/or Site Manager team members
• Configured Role Templates for SSO into ElevenOS (not required for SSO into Site Manager)

Get Started

Contact Eleven at support@elevensoftware.com and let us know you would like to enable SSO into ElevenOS and/or Site Manager using your IdP. Please provide the following at this time so that Eleven can initialize setup:

1. Your IdP metadata file.
2. Either a username or NameID that will be used as a subject. The username or NameID should end with a domain name that Eleven can add to the allowlist for your integration.

   For example: jdoe@example.com@exampletoallowlist.com

Next Steps

Prepare your administrator account users and/or Site Manager team members for configuration:

1. If you are configuring SSO into ElevenOS, you must use Role Template Ids to properly authenticate your users. Role Templates are custom, reusable groupings of administrative account roles. The SSO authentication process uses the Id associated with a Role Template to assign users their expected roles and permissions when they authenticate with SSO. See Role Templates for Single Sign-on (SSO).
2. If you are configuring SSO into Site Manager, you do not need to use Role Templates, but you do need to add your Site Manager team members. See How to Add Team Members to a Site Manager Team.

Once initial setup is complete on the Eleven side, we will provide you with a metadata file in return, in the form a standard XML document. Use this file to create two-way communication with your IdP.

Authentication for ElevenOS

Configure your IdP to pass your users' identity, top level Org Id, and Role Template Id to ElevenOS. The claim in the authentication assertion payload should contain:

• username
• email
• first name (optional)
• last name (optional)
• top level Org Id
• Role Template Id

The top level Org Id is the highest level Org the user should see when logged in. See How to Find an Org's Type and Org Id for help identifying Org Ids.

The Role Template Id is the Id associated with the specific role the user should have when logging in. See Role Templates for Single Sign-on (SSO).

Authentication for Site Manager

Configure your IdP to pass your users' identity and authorization levels to Site Manager. The claim in the authentication assertion payload should contain:

• username
• email
• first name (optional)
• last name (optional)
• role
• siteid
• teamid

There are four supported roles you can pass depending on the access you want to grant a user:

1. Site Admin
2. Site User
3. Team Admin
4. Team User

See Understanding Site Manager Team Roles to learn more about permissions for the roles.

Related

• ElevenOS - Understanding Administrative Account Roles
• Role Templates for Single Sign-on (SSO)
• Understanding Site Manager Team Roles