Articles in this section

How do I enable Single Sign-On through an IdP service?

Avatar
Travis Truett
  • Updated
Follow

Single Sign-On

Single Sign-On is included in Pro and Enterprise Packages.

In order to complete these steps, you must:

  • Be an Ambition Admin
  • Have an active, publicly accessible, SAML 2.0-enabled Identity Provider (IdP) service (Okta, Active Directory, etc)
  • If utilizing a custom domain, reach out to gethelp@ambition.com to have your domain whitelisted

Benefits of Single Sign-On:

  • Users authenticate into Ambition using company-managed credentials
  • Users already signed into company network will automatically be signed into Ambition
  • Ambition access will automatically be revoked once employees are removed from company-defined HRMS system

 

Identity Provider Set Up

Configuring the Identity Provider (IdP)

See the reference below for configuring your IdP to work with Ambition, the new service provider (SP)

Start URL: https://SUBDOMAIN.ambition.com/account-management/login/
Entity Id: https://SUBDOMAIN.ambition.com/account-management/login/
ACS URL: https://SUBDOMAIN.ambition.com/account-management/login/
Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Replace SUBDOMAIN in the URLs above with your Ambition-assigned subdomain

Confirm that your assertion response contains attributes that can be mapped to a user's first and last name.

 

Enable Single Sign-On

1. Open the left navigation and click Administration > People > Single Sign-On.

Don't see the Single Sign-On tab? Email gethelp@ambition.com to have this feature turned on for you.

Screen_Shot_2021-08-10_at_9.41.06_AM.png

 

2. Click the Enable Single Sign-On button.

If you are redirected into the SAML Integration settings upon enabling, click Administration > People > Single Sign-On to navigate back to the Single Sign-On Setup form seen in Step 3.

Screen_Shot_2021-08-10_at_9.27.05_AM.png

 

3. Complete the form.

Screen_Shot_2020-11-19_at_2.48.21_PM.png

Integration Name: Defaults to SAML Authentication. Naming convention is up to your Organization

IdP Metadata URL: The publicly accessible URL where your IdP's metadata is hosted

If utilizing a custom domain, reach out to gethelp@ambition.com to have your domain whitelisted.

There may be up to a two week wait time for IP addresses to be whitelisted.

First Name SAML Attribute: The corresponding attribute name in your SAML response

Last Name SAML Attribute: The corresponding attribute name in your SAML response

Default User Time Zone: The corresponding default time zone your Organization utilizes

 

Automatically Create Ambition Accounts on Sync (Utilizing Just-in-Time User Provisioning):

When enabled, Ambition will use a SAML assertion to create User accounts the first time the User attempts to log in to Ambition.

When disabled you must manually create accounts for desired users, otherwise they will be denied Ambition access upon initial login.

 

4. Click the Save button.

Screen_Shot_2020-11-19_at_2.48.42_PM.png

Users can now log in to Ambition with company-managed credentials.

Related articles

Comments

0 comments

Article is closed for comments.