Single Sign-on allows staff members to log in to multiple applications using one set of credentials. When you add SSO to your license, your admins can log into EngagementHQ using the same username and password they use for your existing organization’s systems.
Workforce SSO will:
Streamline the login experience for staff, by allowing them to skip the registration process, so they can focus more on community engagement.
Allow you to preset admin accounts, so you can control which staff members are admins and which are participants.
Filter the Participant Relationship Manager to participant accounts created via SSO to create a dynamic participant group of staff members.
Allow you to customize the text of the staff sign-in button, which will also use your brand color.
If you would like to enquire about a demo or pricing for SSO on EngagementHQ, please contact us via chat or by emailing support@engagementhq.com.
How SSO Works
When SSO is enabled, your login screen will have a new button with the text you specify. When staff select this button, they are logged in to the homepage if they are participants or to the dashboard if you have assigned them the Site, Hub, or Project Admin role.
The login flow differs depending on whether they have logged into the work network yet:
If they are not logged into your network yet, they select the staff sign-in button and are redirected to your network portal. After logging in using their credentials, they are redirected to your EngagementHQ site homepage or dashboard.
If they have already logged into the network, they select the staff sign-in button and immediately log into EngagementHQ. They will still be redirected to the network portal so the authorization can occur, but they will not need to enter their credentials, and the redirect is not visible.
If a user logs into your site for the first time and you have not set an admin role for them, a participant account is created for them. You can upgrade their role to an administrator at any time. The Participant Relationship Manager will show which users have logged in via SSO.
The only limitation is that users who log in via SSO cannot delete projects, as we require admins to enter their password when deleting as a security. As SSO users don’t have an EngagementHQ-specific password, they cannot input their password to delete projects. There are two solutions to this:
We do not enforce SSO so you can use local accounts with EngagementHQ credentials. We recommend maintaining local admin accounts so you can delete projects and in case SSO is down.
If you do not have the credentials for a local account, you can contact our support team via chat or by emailing support@engagementhq.com, and we can delete projects for you.
Identity Providers
We offer SSO for any Identity Provider (IdP) that supports Security Assertion Markup Language (SAML). SAML-based services use communication between the user, the IdP maintaining a user directory, and EngagementHQ to authenticate the user when they attempt a login.
Examples of IdP we have worked with are:
Microsoft Active Directory Federation Services
PingFederate
Okta
Azure
F5
Google
ADFS
SAML
We do not support IdP-initiated logins.
Configuration Steps
We will provide most of the details for your connection to our Auth0, but your team will need to configure:
The user directory in the external login provider you use. This will include maintaining existing staff and creating new staff member accounts, so you may have an IT team that does this.
The login button text, which you can configure in Site Settings > Privacy and Security > Enable ActiveDirectory Signup > SSO login text. Please note that the button color is specified in Appearance > Global Styles > Brand Color.
Presetting any admin accounts for staff members that need access to the back end or upgrading participants to admin accounts with the relevant role.
If you want to enable SSO on EngagementHQ, please contact us via chat or by emailing support@engagementhq.com.