Start a conversation Sign in
Start a conversation
  1. Influitive Support
  2. Influitive - Security and Privacy
  3. Articles

SAML Overview

Overview

This article provides a comprehensive guide for implementing Single Sign-On (SSO) in an active AdvocateHub, detailing the advocate's access flow, invitation methods, and considerations for a smooth transition. It emphasizes the importance of aligning email addresses to prevent duplicate accounts and outlines the steps for accessing the AdvocateHub with SSO, including how terms and conditions are handled and the login process via the AdvocateHub App.

 

Information

 

What does the flow look like from the Advocate point of view?

The flow for the advocate is as follows:
  1. Navigate to the AdvocateHub URL
  2. There are two scenarios:
    1. If they have previously logged in to your portal and the cookie is still present in the browser then they will be brought directly to the AdvocateHub.
    2. If they have not previously logged in and have no cookie they will be invited to enter their login credentials to your platform, upon successful entry of these, they will be brought to the AdvocateHub.

Note: If an advocate is already a member of another AdvocateHub with the same email address then there is one additional step in the flow. After they successfully enter their credentials into the customer portal, they will see a message like below:

An email will be sent to the Advocate which will include a link which they just have to click on and they will be brought back to the login screen to enter their credentials once more before gaining access to the AdvocateHub.

Here is a visual walkthrough of the flow the Advocate will experience:

How do invites work with SSO?

You can get Advocates into your hub in a number of ways:

1. Join Code/Join URL - These work exactly the same as they would on a non-SSO hub. Read more on them here

2. As enabling SAML means anybody with access to your Identity Provider can access Influitive, you can also provide your Advocates with just your hub URL and they will be able to access. The disadvantage of this is the lack of segmentation.

3. You can send out traditional email invites from our system or Marketo. If you send these the Advocate must use the link provided in these emails or else they may encounter permission issues.

 

Things To Think About If Implementing SSO On An Active Hub

If your hub is up and running and has many Advocates already joined up this could cause some issues that can be overcome with some preparation and thought.
Let's take this example, if I have signed up to your AdvocateHub using the email address sean@gmail.com but the email address I use for your product or portal is sean@influitive.com.
In this case, I try to access the hub and am directed to your product or platform to complete the login process. I enter sean@influitive.com and my password and enter the hub successfully but now I will have a brand new account setup as the AdvocateHub did not have an email address sean@influitive.com present, it was looking for sean@gmail.com.
 

What can you do to prepare for this?

We recommend coming up with a strategy of sending communications to your Advocates notifying them of this changeover and letting them know they have to update their email address to match whatever email address they use to access your product or platform. You can do this through email blasts or with a challenge or a combination ideally to try and catch as many people as possible. If Advocate's fall through the cracks we can fix this up for you by merging the duplicate accounts including points and badges but this may take some time to do.
Another method you could use to preempt this issue is to gather all the email addresses of your Advocates in the AdvocateHub and then check them against the email addresses in your database. If there is no match for an email address then you can create an account in your database with this email address. This way the person can continue to use the email address they have been using in the AdvocateHub and no duplicate Advocate accounts will be created.

Can I have Employees access the AdvocateHub via SSO but Customers access using the traditional method?

Using SAML , no, anybody who has an account setup in the platform you are utilizing SSO in will be able to access the AdvocateHub. This is a case of all or nothing. If you want to use SSO then everybody has to login using it. So for example, if you have employees who have accounts in your portal they can login through SSO, but if you have customers who don't have an account in your portal they have no way to login when SSO is enabled in your AdvocateHub.

 

Where are the 'Terms and Conditions' and Consent housed when using SSO?

If it is important for you to present advocates with your terms and conditions prior to them logging into the AdvocateHub then you can do this easily:
You can set the Terms & Conditions under Settings > Advocate Program > Advocate Consent . Read more on how to configure this page
Once you have this configured, save it and navigate to your AdvocateHub URL where you should be directed to your IdP where you can enter your credentials. Upon successfully entering your credentials you will be brought to the hub Terms & Condition / Consent page. After you agree to conditions and you will be brought into the AdvocateHub
 

How does the AdvocateHub App work with SSO?

The process is as seamless on the AdvocateHub App as it is on your desktop. Let us have a look at the flow when logging in to an SSO enabled AdvocateHub;
1. Opening the AdvocateHub App, you will be greeted with a screen like below. The advocate can hit any of the social sign in buttons in order to access the AdvocateHub as long as they have associated any of them previously with their advocate profile. They will be instantly brought to a list of the AdvocateHubs they have access to. The advocate can also enter the email address associated with their AdvocateHub account and hit Continue which will take them to another screen before they can see their list of AdvocateHubs.

2. If the advocate has no social authentications tied to their account and have entered their email address then they should see this option below, here they will have to send a sign in link to their email address. They should instantly receive an email with a link that they will need to follow.

3. Once they follow the link they receive they will be brought back into the AdvocateHub App and will see a list of the AdvocateHubs they have access to.
4. Finally, they click on the AdvocateHub they want to enter and voilá!

 

FAQ

How does an advocate access the AdvocateHub using SSO?

An advocate can access the AdvocateHub by logging into the customer portal with their email address. If they are a member of another hub with the same email, they will receive an email with a link to log in again before accessing the AdvocateHub.

Can invites to the AdvocateHub be sent with SSO enabled?

Yes, invites can be sent using a Join Code or URL, direct hub URL access, or traditional email invitations, ensuring advocates use the specific link provided to avoid permission issues.

What should be considered when implementing SSO on an active AdvocateHub?

It's crucial to ensure that the email addresses for the hub and your product or portal match to avoid creating duplicate accounts. Inform users about the SSO implementation and encourage them to update their email addresses in the hub.

How are 'Terms and Conditions' handled with SSO in the AdvocateHub?

Terms and Conditions can be set up in the AdvocateHub settings, and advocates will be presented with them after authenticating with their Identity Provider and before accessing the hub.

How does the AdvocateHub App work with SSO?

The AdvocateHub App allows advocates to log in seamlessly by either using social sign-in (if previously linked) or by requesting a sign-in link to their email. After following the email link, they can access the AdvocateHubs available to them.

Choose files or drag and drop files
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted
  3. Updated

Comments