Arlo supports single sign-on on the management platform for administrators and on your checkout for customers to login using a SAML Identity Provider.
SSO allows you to securely manage your administrators' access to Arlo by integrating with your company’s central directory and authentication solution. You’ve probably used your Google, Facebook or Microsoft Azure login to access other online apps. This is an example of SSO.
The Service Provider agrees to trust the Identity Provider to authenticate users. In return, the Identity Provider generates an authentication assertion, which indicates that a user has been authenticated.
SAML is a standard single sign-on (SSO) format. SAML works by passing information about users, logins, and attributes between the identity provider and service providers. Each user logs in once to Single Sign-On with the Identity Provider, and then the Identity Provider can pass SAML attributes to the Service Provider when the user attempts to access those services. Since both of those systems speak the same language – SAML – the user only needs to log in once.
Better security control
SSO on the management platform is very important from a security perspective.
Organisations use an extensive library of software these days. The challenge is that they need to be able to control access to these systems through a single authentication system.
When staff members come and go from a business, they need to centrally manage access to key systems. From a security perspective, if a person leaves, they need to be able to instantly remove users from all software so they cannot access it.
This is why you should use SSO. This is specifically important for Arlo which deals with large amounts of PII (Personal information).
Better usability for staff
Having to remember lots of passwords for different systems can be painful and time-consuming. With SSO staff don't have to remember lots of passwords for different systems, they can use one password for all.
Seamless experience for customer registrations:
If you don't have any external SAML authentication systems for registrants, but still want to streamline the checkout process by allowing users to login, you should use the Arlo Customer Portal
Having SSO enabled on your checkout allows your registrants to login using the same credentials they may use for other SAML based authentication systems you provide them access to, such as custom login portals or LMS's.
When registrants log in, all of their user data can be automatically populated into your checkout fields, streamlining the registration process and preventing duplicates from being created in your CRM.
Find out more about why you should SSO with Arlo, see our Single sign-on (SSO) blog post.
If you would like to use SSO, either for your management platform or in the checkout, you will need a technical staff member to connect Arlo to your identity provider. It's not recommended you attempt this unless you have some knowledge of how to configure identity providers.
Once you have connected Arlo to your identity provider successfully you will be able to enable and configure SSO settings.
If an existing contact has an Arlo role and username/password set already (e.g. an administrator or presenter) they won't be able to login to the Arlo checkout with their identity provider account details until you change their identity provider setting. It's recommended you do this for all existing Arlo contacts with accounts when enabling SSO.
- If you are using a custom Management IDP, SSO will be enabled on the Arlo login page when it detects an email domain that matches the domain in your Identity provider email hints setting (this is configured when you connect your identity provider).
- The option to login using SSO will be presented to the user.
- If you would like administrators to bypass the Arlo login screen completely and go straight to your identity provider, from the SAML Management settings, select Replace login page with Identity providers's login page.
- Press Save.
- If you would like users to have to log in using your registration provider before registering for a course, from the SAML Registration settings, select Registration IDP enabled.
- Select if you would like to enable guest registrations. If you do not select this option, users must have an account with your identity provider in order to register for a course.
- From the dropdown, select the custom Registration IDP you would like to use.
- If you would like registrants to bypass the login screen if they are already authenticated, select Automatically redirect and bypass login screen.
- Select if logged in users should be able to register guests, or just themselves.
- Press Save.
Important: If you are an Arlo administrator, and plan to register for courses using SSO, you need to update your Arlo username to one that does not match your identity provider username (if it does), or there will be conflict when you try to register.
If an existing contact has an Arlo role and username/password set already (e.g. an administrator or presenter) they won't be able to login to the Arlo checkout with their identity provider account details until you change their identity provider settings inside of Arlo. It's recommended you do this for all existing Arlo contacts with accounts when enabling SSO.
- Open the Contact in Arlo
- Press Edit and select Security
- Change the Identity provider from Arlo default to your own identity provider.
- Press Save and Close. The contact will now be able to login to your checkout using their identity provider login credentials.