Articulate 360 Teams: Single Sign-On (SSO)
Article Last Updated
This article applies to:
Control authentication for your Articulate 360 team using your own identity provider and our single sign-on (SSO) solution. We’re happy to help you set up SSO for your team. Find all the details below, including frequently asked questions and a glossary of SSO terms.
For troubleshooting help, visit this article.
Benefits of SSO
Articulate 360 Teams subscribers can take advantage of SSO for no additional cost. Here's how using SSO benefits you and your team:
- Increased productivity. Team members don’t waste time setting, storing, or resetting usernames and passwords.
- Improved security. Login information won’t get lost. Plus, SSO ensures compliance with your organization’s password security requirements.
- Streamlined account admin. New users get set up quickly. And when access changes due to team departures or subscription modifications, clearing users from your account is easy, preventing unwanted access.
Setting Up SSO
We can help you set up SSO for your team. Here’s how it works.
Step 1: Meet the Requirements
There are three requirements for SSO.
- You must have an Articulate 360 Teams subscription.
- You need an identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0.
- Your team members need to have a supported version of the Articulate 360 desktop app installed—1.49.24347.0 or later. (See step 3 below.)
Step 2: Request Enrollment
When you’re ready to enable SSO for your team, send us an email at enterprise@articulate.com to request enrollment and include the following info:
- Your Articulate 360 Teams subscription number
- The name of your identity provider (IdP)
- Your SSO configuration XML output file or these details:
- The issuer URL from your IdP
- The SSO URL of your SAML app that responds to authentication requests
- The public certificate from your IdP used to validate SAML assertions
We’ll confirm your request, process your enrollment, and schedule a web conference with a Technical Account Manager to configure your SSO connection. If you prefer to manage app deployments, download the enterprise deployment guide and MSI files for the next step.
Step 3: Install the Articulate 360 Desktop App
If your team only uses web apps, such as Rise 360 and Review 360, you can skip this step.
If your team uses desktop authoring apps, such as Storyline 360, make sure your team members have a supported version of the Articulate 360 desktop app—1.49.24347.0 or later. If they’ve already signed in to Articulate 360 with an Articulate ID, they can install or update the desktop app. If you prefer to centrally manage app installations for your organization, use the enterprise deployment guide and MSI files to install the Articulate 360 desktop app on everyone’s computers.
Step 4: Conference with a Technical Account Manager
We’ll host a web conference with you to complete your SSO configuration and test the results.
Step 5: Invite Users to Join Your Team
If you haven’t already done so, add your users to your Articulate 360 team. New users receive welcome emails inviting them to join your team. Here’s what they experience when signing in to Articulate 360:
Articulate 360 Web |
Articulate 360 Desktop |
|
|
For more detailed instructions, share this article on accessing Articulate 360 apps after single sign-on is enabled.
FAQs
- Which version of SAML do we need?
- Does Articulate 360 support IdP-initiated or SP-initiated SAML?
- Can we set up SSO during our Articulate 360 free trial?
- Can we test the SSO process before we deploy it to our team?
- Can we use System for Cross-Domain Identity Management (SCIM)?
- Can just-in-time (JIT) provisioning automatically add users to our team?
- Do we need to add and remove users from our team when SSO is enabled?
- Can we use Articulate 360 groups to manage our users?
- Is Articulate 360 SSO domain-specific?
- Can we use Google (G Suite) accounts to sign in to Articulate 360 via SSO?
- Can we use multi-factor authentication (MFA)?
- Does Articulate store users’ personally identifiable information (PII) when SSO is enabled?
Which version of SAML do we need?
Articulate 360 supports SAML 2.0, so your identity provider (IdP) also needs to use SAML 2.0.
Does Articulate 360 support IdP-initiated or SP-initiated SAML?
Our SSO solution supports both IdP-initiated and SP-initiated SAML requests.
Can we set up SSO during our Articulate 360 free trial?
Yes. SSO is available during the 30-day free trial. Let us know if you’d like to sign up.
Can we test the SSO process before we deploy it to our team?
Sure! We recommend starting a separate trial of Articulate 360 and following the SSO steps above to connect with our Technical Account Managers. This ensures there’s no disruption to your Articulate 360 users while your team tests the SSO process.
Can we use System for Cross-Domain Identity Management (SCIM)?
Articulate 360 doesn’t support SCIM for provisioning and deprovisioning users.
Can just-in-time (JIT) provisioning automatically add users to our team?
While just-in-time (JIT) provisioning allows users to sign in to Articulate 360 through your IdP and provisions them with an Articulate ID (AID), users aren’t automatically added to your Articulate 360 Teams subscription. You’ll need to invite users to your Articulate 360 team using the same email addresses they use with your IdP.
Do we need to add and remove users from our team when SSO is enabled?
Yes. You need to invite users to join your team and remove them when they leave your organization or no longer need access to Articulate 360.
Since your Articulate 360 team has a fixed number of seats, your users must be managed in Articulate 360. However, with SSO enabled, authentication occurs through your identity provider (IdP), meaning passwords remain securely stored and are never handled by Articulate.
When you remove a user from your IdP, they no longer have access to Articulate 360, even if they haven’t been removed from your Articulate 360 team. This ensures your intellectual property is secure and gives team admins the opportunity to decide what happens to the user’s data.
Can we use Articulate 360 groups to manage our users?
Absolutely. Use your account management console to organize your team members in groups, such as departments or locations, and assign admins to manage each group.
Is Articulate 360 SSO domain-specific?
No. Articulate 360 SSO is subscription-specific. If you have more than one subscription, we can help you set them all up for SSO.
Can we use Google (G Suite) accounts to sign in to Articulate 360 via SSO?
Yes, G Suite works great with SSO.
Can we use multi-factor authentication (MFA)?
We’re evaluating MFA. If we decide to develop it, we’ll add it to our feature roadmap. In the meantime, we recommend enabling MFA through your IdP for an extra layer of security.
Does Articulate store users’ personally identifiable information (PII) when SSO is enabled?
Every user has an Articulate ID profile whether SSO is enabled or not. Your Articulate ID includes your first name, last name, and email address. (The email in your Articulate ID must match the email in your IdP.) Learn more about the information we store and how we use it. If you have any questions, please reach out to us at privacy@articulate.com.
Glossary
- Active Directory (AD)
- Assertion
- Assertion Customer Service URL (acsURL)
- Entity ID
- Globally Unique Identifier (GUID)
- Identity and Access Management (IAM)
- Identity Provider (IdP)
- Just-in-Time (JIT) Provisioning
- Lightweight Directory Access Protocol (LDAP)
- Metadata
- Multi-Factor Authentication (MFA)
- OAuth
- Okta
- OpenAM
- Security Assertion Markup Language (SAML)
- Single Sign-On (SSO)
- Service Provider (SP)
- System for Cross-Domain Identity Management (SCIM)
Active Directory (AD)
Active Directory (AD) is a Microsoft product for managing users, permissions, and access to network resources. Many organizations use AD to manage their teams. Our SSO solution is compatible with AD, since both support SAML communication.
Assertion
An assertion is data sent by an identity provider (IdP) that supplies one or more of the following statements to a service provider (SP).
- Authentication statements declare that a user authenticated successfully and record the time they did so.
- Attribute statements supply details about the user. For example, the NameID attribute provides the username and is required for authentication. Other attributes can be manually configured as well.
- Authorization decision statements grant or deny the user access to a resource.
Assertion Consumer Service URL (acsURL)
An Assertion Consumer Service URL (acsURL) is an HTTPS location or resource at a service provider (SP), such as Articulate, that accepts SAML messages from an identity provider (IdP).
Entity ID
The Entity ID is a unique string of letters and numbers, usually in the form of a URL, that identifies the service provider (SP). The Entity ID is also referred to as the Audience URI, and it’s often the same URL as the Assertion Consumer Service URL (acsURL).
Globally Unique Identifier (GUID)
A Globally Unique Identifier (GUID) is a string of letters, numbers, and dashes that identifies an entity. In the context of Articulate 360 SSO, the GUID refers to your Articulate 360 subscription ID. We reference your GUID (or subscription ID) in SSO commands.
Identity and Access Management (IAM)
Gartner has a great definition for Identity and Access Management (IAM):
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise.
Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives.
Identity Provider (IdP)
An identity provider (IdP) is a service that stores and manages a directory of user accounts or digital identities. Organizations use IdPs to manage their users and grant access to network resources. IdP examples include Okta, Azure, and Ping.
In the context of SSO, an IdP responds to authentication requests from a service provider (SP), such as Articulate, to sign users in to a service, such as Articulate 360.
Just-in-Time (JIT) Provisioning
Just-in-Time (JIT) provisioning automatically creates user accounts in an SSO solution the first time a user authenticates with their identity provider (IdP).
Lightweight Directory Access Protocol (LDAP)
Okta sums up Lightweight Directory Access Protocol (LDAP) nicely:
Lightweight Directory Access Protocol (LDAP) is an internet protocol that enterprise programs such as email, CRM, and HR software use to authenticate access and find information from a server.
The Articulate 360 SSO solution uses SAML rather than LDAP integration.
Metadata
Metadata is information supplied by an identity provider (IdP) to a service provider (SP), or vice versa, in XML format.
- SP metadata supplies the Assertion Consumer Service URL (acsURL), the Audience Restriction, the NameID format, and an x.509 certificate when the assertion needs to be encrypted.
- IdP metadata supplies the SSO URL, the Entity ID, and the x.509 certificate required by the SP to decrypt an assertion.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA), also called two-factor authentication (2FA), requires users to pass a second layer of security when signing in to an app or system. A common form of MFA asks users to enter a verification code, which they get via text or an authenticator app.
We’re evaluating MFA for Articulate 360. If we decide to develop it, we’ll add it to our feature roadmap. In the meantime, we recommend enabling MFA through your IdP for an extra layer of security.
OAuth
OAuth, or Open Authorization, is a standard for giving users access to third-party apps without exposing their passwords. The Articulate 360 SSO solution doesn’t involve OAuth.
Okta
Okta is an enterprise-grade identity management service that authenticates users, granting them access to apps without needing separate usernames and passwords for each app.
We use Okta to provide SSO service to Articulate 360 Teams subscribers so team members can sign in with their company identities.
OpenAM
OpenAM is an open-source access management system used by some organizations to provide SSO service to their users. The Articulate 360 SSO service is compatible with OpenAM, since both support SAML communication.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an open, XML-based standard for exchanging authentication data between an identity provider (IdP) and a service provider (SP), such as Articulate.
Our SSO solution uses SAML 2.0 to authenticate users in Articulate 360 based on their company identities, so users don’t have to manage a separate set of credentials for Articulate 360.
Single Sign-On (SSO)
Single sign-on (SSO) allows users to sign in to a single system, such as a company directory, and then access multiple apps without signing in to each one with separate credentials. SSO boosts productivity and lets organizations enforce their own password security requirements.
Service Provider (SP)
A service provider (SP) is a company that offers a service, such as hosting content. An SP communicates with an identity provider (IdP) to sign users in to the service. Articulate is the SP in this context.
System for Cross-Domain Identity Management (SCIM)
SCIM is an open standard for the automation of user provisioning and deprovisioning. For example, a company could use SCIM to automatically add their users to a subscription cloud service and synchronize their company profiles with the cloud service. Articulate 360 doesn’t support SCIM.