By default, ScreenSteps allows you to manage viewing privileges to your content by creating users and viewing groups in your ScreenSteps account.
Single Sign-on allows you to incorporate a 3rd party user management system with your ScreenSteps account so that you do not have to manage users in two separate places (or inconvenience your end users by making them remember another login and password).
Select service customer is setting up Single Sign-on with
Which service will you be setting up Single Sign-on with?
Select an option
Do you use My Domain with Salesforce?
Confirm you meet pre-requisites
Before you can deploy a custom Apex class in your production application you will need to create it first in your Salesforce sandbox organization. Before you continue these steps you should already have a sandbox org created.
Create a Salesforce.com login URL
In just a moment you will create a new page in Salesforce.com.
You need to enter the url to that new Salesforce.com page in ScreenSteps; however, since that page doesn't exist yet, we will show you what that page will be called.
Copy your URL
From your Salesforce.com Setup area copy your Salesforce.com domain from the address bar and paste it into a text editor.
Add a login to the URL
Add the following to the end of the copied URL:
apex/sslive_loginIf your Salesforce.com url were https://na3.salesforce.com/ then your new URL would look like this:
https://na3.salesforce.com/apex/sslive_loginSandbox URL or Production URL?
The URL you created is the URL that ScreenSteps will redirect to when a Salesforce user needs to log in to view ScreenSteps.
At this stage, you can either use the Sandbox URL or the Production URL.
Use the Sandbox URL if you want to first test single sign-on in your sandbox org.
Use the Production URL if you DON'T think you need to first test single sign-on in your sandbox org.
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "Salesforce")
- Confirm ScreenSteps Remote Authentication is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Salesforce")
- Confirm ScreenSteps Remote Authentication is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Salesforce Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Configure Endpoint and Copy Token
- Enter the new URL you created in the previous step into the Remote Login URL.
- Copy the remote authentication token to the clipboard (you'll use it later)
- Click Update (3).
Create a New Class in Salesforce
IMPORTANT: This must be done in a sandbox organization and then deployed to production.
Even if you copied the Production URL in the previous step, you must first create a new Apex Class in a sandbox organization.
Navigate to your Salesforce.com Setup Area
Remember that this must be in your sandbox organization.
Navigate to Apex Classes Page
From the menu, expand Develop and click on Apex Classes.
Create a New Class
Click on the New button to create a new class.
If you don't see the New button it is because you are in your production organization, not a sandbox organization.
Paste in the Controller Code
- In the code field, paste the code that appears below the screenshot.
*Make sure to replace the string INSERT_REMOTE_AUTH_TOKEN_HERE in the code with the remote authentication token you copied in the previous lesson.
- After pasting in the code and inserting your token, click the Save button.
<p>public class ScreenStepsLiveRemoteLoginController {
public string md5String {get;set;}
private string ssliveToken = 'INSERT_REMOTE_AUTH_TOKEN_HERE';
public ScreenStepsLiveRemoteLoginController () {
String theUserName = UserInfo.getUserName();
String theEmail = UserInfo.getUserEmail();
String theOrgName = ''; //UserInfo.getOrganizationName(); (not available in apex page)
String theReturnToURL = ApexPages.CurrentPage().getParameters().get('return_to_url');
String theTimeStamp = ApexPages.CurrentPage().getParameters().get('timestamp');
String theStringToHash = UserInfo.getFirstName() + UserInfo.getLastName() +
theEmail + UserInfo.getUserId() + theOrgName + this.ssliveToken + theTimeStamp;
Blob keyblob = Blob.valueof(theStringToHash);
Blob key = Crypto.generateDigest('MD5',keyblob);
md5String = encodingUtil.convertToHex(key);
}
}</p>If you need to include an accompanying test class, use the following APEX code.
<p>@isTest
private class ScreenStepsLiveRemoteLoginControllerTest {
static testmethod void testSSLiveRemoteAuthToken() {
ScreenStepsLiveRemoteLoginController test = new ScreenStepsLiveRemoteLoginController();
System.assert(test.md5String != '');
}
}</p>Create a Visualforce Page
IMPORTANT: This does NOT need to be done in the sandbox org.
If you want to test single sign-on with Salesforce, then you will need to create it in both the sandbox and the production organization.
Navigate to Visualforce Pages Page
Expand the Develop folder and click on Visualforce Pages.
Create New Page
From the Visualforce Pages page, click on New to create a new page.
Paste in Page Markup
- You can assign the Label to whatever you like but the Name field must be sslive_login
- In the markup field, paste the code snippet that appears below.
- Replace {{ScreenSteps Remote Consumer URL}} with the Remote Consumer URL located in ScreenSteps.
- Click the Save button to save your changes.
<page controller="ScreenStepsLiveRemoteLoginController">
<h1>Redirecting to ScreenSteps...</h1>
<script>
var theSSLiveURL = '{{ScreenSteps Remote Consumer URL}}';
var theOrganization = encodeURIComponent('');
theSSLiveURL += '?first_name=' + '{!JSENCODE(URLENCODE($User.FirstName))}';
theSSLiveURL += '&last_name=' + '{!JSENCODE(URLENCODE($User.LastName))}' + '&email=' + '{!JSENCODE(URLENCODE($User.Email))}';
theSSLiveURL += '&external_id=' + '{!JSENCODE(URLENCODE($User.Id))}' + '&organization=' + theOrganization;
theSSLiveURL += '×tamp={!JSENCODE(URLENCODE($CurrentPage.parameters.timestamp))}' + '&hash={!JSENCODE(URLENCODE(md5String))}';
theSSLiveURL += '&return_to_url=' + '{!JSENCODE(URLENCODE($CurrentPage.parameters.return_to_url))}';
theSSLiveURL += '&redirect_uri=' + '{!JSENCODE(URLENCODE($CurrentPage.parameters.redirect_uri))}';
theSSLiveURL += '&response_type=' + '{!JSENCODE(URLENCODE($CurrentPage.parameters.response_type))}';
theSSLiveURL += '&client_id=' + '{!JSENCODE(URLENCODE($CurrentPage.parameters.client_id))}';
window.location = theSSLiveURL;
</script>
</page>Set permissions for the Visualforce Page
Now that you have created the Visualforce page you need to make sure that your Salesforce users have permission to access it.
Edit Page Permissions
From the list of pages, click on the Security link next to the sslive_login page.
Add Profiles
Add any necessary profiles to the list of Enabled Profiles. Any user with a matching profile will be able to access the login page. If the user does not belong to a profile listed under Enabled Profiles then they will be presented with an error stating that they don't have permission to view the page.
Remember that if you are doing this in a sandbox org you will also need to update permissions in your production org.
Test the connection
Get your remote authentication test URL from ScreenSteps
Copy the Remote Test URL from ScreenSteps.
Open a different browser
You need to make sure you test this when you are NOT logged into ScreenSteps.
Open up a new browser (e.g. Edge, Firefox, Safari, Chrome) that isn't logged into ScreenSteps.
Paste the Test URL into your browser and hit return
You should be directed to the Salesforce.com login screen.
The Login Page
After successfully logging in to Salesforce.com you will see the page you created earlier for a brief moment. It will say "Redirecting to ScreenSteps Live...".
Success!
You should now be logged into ScreenSteps.
Deploy code to production and update URL in ScreenSteps
Deploy your code to production
Refer to your Salesforce documentation for how to deploy your Apex class to production.
Enter URL Into ScreenSteps Admin Area
You need to use the domain for your production organization in Salesforce. Go back to the Single Sign-On area in ScreenSteps and update the Remote Login URL.
If your production Salesforce.com url were https://na3.salesforce.com/ then you would add this to the end:
apex/sslive_loginThe URL you include in the Remote Login URL field would then look like this:
https://na3.salesforce.com/apex/sslive_loginSelect an option
Do you have a self-signed certificate?
Generate a self-signed certificate on Salesforce.com
Select Security Controls > Certificate and Key Management
I'll walk you through the steps of setting up a self-signed certificate.
Create Certificate
Enter a label and unique name and select Save.
Enable Salesforce as an Identity Provider
Next we'll set up Salesforce as an identity provider.
Select Setup
Select Security Controls > Identity Provider
Enable Identity Provider
You may be presented with this screen. If you are, click the Enable Identity Provider button.
Select your self-signed certificate
Then select your self-signed certificate (1) and click Save (2).
Download Metadata
You should now see this screen. Click on Download Metadata. You will use this file later on you download to configure your settings in ScreenSteps.
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "Salesforce")
- Confirm SAML is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Salesforce")
- Confirm SAML is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Salesforce Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Upload Metadata
Click on the Upload new Salesforce Configuration file button and select the metadata file you downloaded previously. This file will populate the SAML certificate and the remote login url.
Copy the SAML Consumer URL and Note Entity ID
You will need to use this URL and the Entity ID later on as you finish configuring the Salesforce App.
Copy the SAML Consumer URL to the clipboard.
Note the Entity ID
Create a Connected App
Select Setup
Open App Manager
Create New Connected App
Click the New Connected App button.
Enter Basic Information
Enter Basic Information
Just enter the required information. It doesn't really matter what you enter here.
Enter Web App Settings and Save
Scroll down to Web App Settings and do the following:
- Check Enable SAML
- Enter the Entity Id for your ScreenSteps SSO endpoint.
- Enter the ACS URL from ScreenSteps here. This is the SAML Consumer URL from the Single Sign-on Endpoint you created in ScreenSteps.
- Set Subject Type to Username
- Set Name ID Format to
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - Select Save.
What you should see
You should now see this screen.
Assign User Profiles to your Connected App in Salesforce
Select Setup
Select Manage Connected Apps
Select your ScreenSteps Connected App
Select Manage Profiles
Scroll down ot the Profiles section and select Manage Profiles.
Select Profiles and Save
Select all of the profiles that you want to allow to login to ScreenSteps via single sign-on.
You should have single sign-on configured now.
Test the connection
Switch back to the ScreenSteps window and copy the SAML Test URL. Paste the URL into a new browser window to test your Salesforce SAML integration.
This is NOT the URL that you will share with end users. This is just a test to make sure that you are directed to the Salesforce login page.
Did the test work?
When you pasted that URL into a new browser window, did it direct you to a Google login page?
Double check your work
Go through the process again and double check that you entered all of the correct information into ScreenSteps and into Salesforce.
If that doesn't work, contact ScreenSteps support at [email protected]
Activate the Endpoint in ScreenSteps
Activate endpoint
Navigate to the Single Sign-on area in ScreenSteps:
- Click the Activate checkbox.
- Click Update
Share ScreenSteps URL with users
Click Go To Site button
Navigate to the site that is connected to the Single Sign-on you just set up. Click on the Go To Site button.
Share this URL
This is the end-user URL of your knowledge base. Share this URL with viewers.
Add a service/App to your domain
Navigate to your Google Apps Admin console.
1. Click Apps in your Google Admin console
2. Click SAML apps
3. Click "Add a service/App to your domain"
Set up your own custom app
1. Click "Setup My Own Custom App"
2. Copy URL and Download Certificate
From the Google IdP Information screen do the following:
- Copy the SSO URL to the clipboard.
- Click the Download button next to Certificate to download a PEM file. You will upload this file to ScreenSteps in just moment.
Make sure to keep the Google Apps window open. You will come back to this after you do some tasks in ScreenSteps.
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "Google")
- Confirm SAML is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Google")
- Confirm SAML is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Google Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Include Configuration Settings from Google
Configure the Remote Login URL
- Paste the URL that you copied from the Google IdP Information browser window.
- Click Update.
Upload the SAML Certificate
Upload the SAML file that you downloaded previously in Google Apps.
- Click the Upload new SAML Certificate file button. You will be prompted to select a file. Select the .pem file you downloaded from Google. The file should start with GoogleIDPCertificate-.
Copy the SAML Consumer URL and Note Entity ID
You will need to use this URL and the Entity ID later on as you finish configuring the Google App.
Copy the SAML Consumer URL to the clipboard.
Note the Entity ID
Enter Application Name
Navigate back to Google and click Next
Return to the Google browser window and click the Next button.
Enter ScreenSteps as the Application Name then click "Next"
- Confirm Application Name says ScreenSteps
- Click Next
Enter Service Provider Details
In the Service Provider Details screen do the following:
- Paste the SAML Consumer URL you copied from the ScreenSteps Single Sign-on window into the ACS URL field.
- Enter the Entity ID for your ScreenSteps SSO endpoint.
- Set the Name ID to Basic information and Primary Email.
- Set the Name ID Format to EMAIL.
- Click Next.
Finish Setting up SSO in Google
Click Finish
You do not need to add any mappings. Click Finish.
Click OK
Turn SAML app on in Google
Turn ScreenSteps SAML app on
Before you can test the SAML integration you will need to turn it on in Google Apps. From the settings page click on the menu to turn it on.
Test the connection
Switch back to the ScreenSteps window and copy the SAML Test URL. Paste the URL into a new browser window to test your Google SAML integration.
This is NOT the URL that you will share with end users. This is just a test to make sure that you are directed to the Google login page.
Did the test work?
When you pasted that URL into a new browser window, did it direct you to a Google login page?
Double check your work
Go through the process again and double check that you entered all of the correct information into ScreenSteps and into Google.
If that doesn't work, contact ScreenSteps support at [email protected]
Activate the Endpoint in ScreenSteps
Activate endpoint
Navigate to the Single Sign-on area in ScreenSteps:
- Click the Activate checkbox.
- Click Update
Share ScreenSteps URL with users
Click Go To Site button
Navigate to the site that is connected to the Single Sign-on you just set up. Click on the Go To Site button.
Share this URL
This is the end-user URL of your knowledge base. Share this URL with viewers.
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "Google")
- Confirm SAML is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Google")
- Confirm SAML is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Google Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Determine role for new users
When users login to ScreenSteps for the first time using Single Sign-on, ScreenSteps will assign them to one of two roles: Reader or Learner.
- Select the role you want viewers to be assigned
- Click Update
Copy the SAML Consumer URL
You will use this URL when you set up Azure AD.
Follow Microsoft's Configuration Instructions
Microsoft has created a ScreenSteps Azure Active Directory integration. Click the link below to continue configuring Azure.
Microsoft Tutorial: Azure Active Directory integration with ScreenSteps
Make sure you complete the above tutorial before continuing on to the next step.
Test the connection
Copy the SAML Test URL. Paste the URL into a new browser window to test your Azure AD integration.
This is NOT the URL that you will share with end users. This is just a test to make sure that you are directed to the Azure AD login page.
Did the test work?
When you pasted that URL into a new browser window, did it direct you to a Google login page?
Double check your work
Go through the process again and double check that you entered all of the correct information into ScreenSteps and into the Azure portal.
If that doesn't work, contact ScreenSteps support at [email protected]
Activate the Endpoint in ScreenSteps
Activate endpoint
Navigate to the Single Sign-on area in ScreenSteps:
- Click the Activate checkbox.
- Click Update
Share ScreenSteps URL with users
Click Go To Site button
Navigate to the site that is connected to the Single Sign-on you just set up. Click on the Go To Site button.
Share this URL
This is the end-user URL of your knowledge base. Share this URL with viewers.
Confirm System Requirements
*These instructions were reproduced from this Phenix support page: https://support.phenixid.se/sbs/screensteps/
Make sure you have the following
- PhenixID Authentication Server 2.0 or higher
- ScreenSteps installed
- ScreenSteps administration rights
Setup PhenixID Authentication Services
- Setup PhenixID Authentication Services as a SAML IdP using one of the Federation scenarios described here. (If the desired authentication method is not provided by a scenario, use the documentation for the SAML authenticatorhere)
- Fetch the mail attribute for the user.
- Use mail as Name ID attribute.
- Go to Scenarios->Federation-> <newly_added_scenario> -> Identity Provider. Deselect Require signed requests. Save.
- Then export your SAML IdP metadata by going to the URL:
- https://<YourServerDomainName>/saml/authenticate/<authenticator_alias>?getIDPMeta
- and download the metadata to a xml file.
- Save the IDP Signing Certificate as a file (follow this instruction)
- Fetch the SingleSignOnService -> Location value.
- Fetch the SingleLogoutService -> Location value. [Optional]
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "PhenixID")
- Confirm SAML is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Google")
- Confirm SAML is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Google Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Include Configuration Settings from PhenixID
- Paste the Login URL from PhenixID (SingleSignOnService -> Location value)
- Paste the Logout URL from PhenixID (SingleLogoutService -> Location value) - this is optional.
- Click Update
Upload the SAML Certificate file
- Upload the IDP Signing Certificate that you downloaded from PhenixID.
Add trust to ScreenSteps on PhenixID Authentication Services
- Login to configuration manager
- Open Scenarios->Federation->SAML Metadata upload
- Click the plus sign
- Add screensteps SAML SP Metadata by uploading the screensteps saml sp metadata file.
Test the connection
Navigate back to your ScreenSteps Single Sign-on area.
Copy the SAML Test URL. Paste the URL into a new browser window to test your PhenixID integration.
This is NOT the URL that you will share with end users. This is just a test to make sure that you are directed to the PhenixID login page.
Did the test work?
When you pasted that URL into a new browser window, did it direct you to a PhenixID login page?
Double check your work
Go through the process again and double check that you entered all of the correct information into ScreenSteps and into the PhenixID portal.
If that doesn't work, contact ScreenSteps support at [email protected]
Activate the Endpoint in ScreenSteps
Activate endpoint
Navigate to the Single Sign-on area in ScreenSteps:
- Click the Activate checkbox.
- Click Update
Share ScreenSteps URL with users
Click Go To Site button
Navigate to the site that is connected to the Single Sign-on you just set up. Click on the Go To Site button.
Share this URL
This is the end-user URL of your knowledge base. Share this URL with viewers.
Summary of what these instructions include
You will now go through general instructions for creating a Single Sign-on (SSO) endpoint that uses SAML. If you intend on using SSO with other services (such as Salesforce, Google Apps, Azure Active Directory, or PhenixID) and plan on using SAML with those services, then select the instructions above for that specific service.
Otherwise, continue going through these instructions.
Where do you want to create the endpoint?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "SAML SSO")
- Confirm SAML is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "SAML SSO")
- Confirm SAML is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Salesforce Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Configure the endpoint
- X.509 certificate - You need to get this certificate file from your SAML provider and upload it to ScreenSteps. It must be in PEM format.
- SAML Consumer URL - Use this URL with your SSO provider.
- SAML Test URL - Use this URL to test that your SAML settings work (after you save them and configure your identity provider).
- Once you have entered all of your settings, select Update.
Does your identity provider need you to enter metadata for ScreenSteps?
Metadata for your identity provider
If your identity provider needs you to enter metadata for ScreenSteps, use the SAML Consumer URL.
For the Entity ID use the Entity ID assigned to your ScreenSteps SSO endpoint.
Here is the XML Metadata for ScreenSteps. Be sure to replace {{replace with your ScreenSteps SAML Consumer URL }} with your SAML Consumer URL:
<entitydescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityid="ScreenSteps-Live">
<spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:SAML:2.0:protocol" authnrequestssigned="false" wantassertionssigned="false">
<nameidformat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</nameidformat>
<assertionconsumerservice binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="{{replace with your ScreenSteps SAML Consumer URL }}" isdefault="true" index="0"></assertionconsumerservice>
</spssodescriptor>
</entitydescriptor>SAML Response Requirements
Security Certificate
The response must have a certificate that matches the certificate that you upload to ScreenSteps. The path should be:
ds:X509CertificateScreenSteps will compute a fingerprint from this certificate and compare it to the fingerprint of the certificate you have uploaded to ScreenSteps.
Identifying users
You need to pass in the email address of the user you want to authenticate. When you do this, ScreenSteps will do one of two things:
1. If a user with that email already exists in the system, ScreenSteps will match the email in the SAML response to that user.
2. If a user with that email does not exist, the user will be created as a "reader" or "learner" user in ScreenSteps depending on the "Assign the following role to new user" SSO endpoint setting. You can go back later and adjust the role of SAML users after they have logged in.
How we find the email address
ScreenSteps will check three values for the user email address:
- We will check the AttributeStatement for an 'email' value.
- We will check the AttributeStatement for a 'mail' value.
- We will change the Subject/NameID
Below is an example SAML response with the NameID set to [email protected]:
<samlp:Response xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' ID='GOSAMLR12901174571794' Destination='{recipient}' IssueInstant='2010-11-18T21:57:37Z'>
<samlp:Status>
<samlp:StatusCode Value='urn:oasis:names:tc:SAML:2.0:status:Success'/></samlp:Status>
<saml:Assertion Version='2.0' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' ID='pfxa46574df-b3b0-a06a-23c8-636413198772' xmlns:xs='http://www.w3.org/2001/XMLSchema' IssueInstant='2010-11-18T21:57:37Z'>
<saml:Issuer>https://app.onelogin.com/saml/metadata/13590</saml:Issuer>
<ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
<ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
<ds:Reference URI='#pfxa46574df-b3b0-a06a-23c8-636413198772'>
<ds:Transforms>
<ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
<ds:Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
</ds:Transforms>
<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
<ds:DigestValue>pJQ7MS/ek4KRRWGmv/H43ReHYMs=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>yiveKcPdDpuDNj6shrQ3ABwr/cA3CryD2phG/xLZszKWxU5/mlaKt8ewbZOdKKvtOs2pHBy5Dua3k94AF+zxGyel5gOowmoyXJr+AOr+kPO0vli1V8o3hPPUZwRgSX6Q9pS1CqQghKiEasRyylqqJUaPYzmOzOE8/XlMkwiWmO0=</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTg0NVoXDTE1MDMwOTA5NTg0NVowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOjSu1fjPy8d5w4QyL1+zd4hIw1Mkkff4WY/TLG8OZkU5YTSWmmHPD5kvYH5uoXS/6qQ81qXpR2wV8CTowZJULg09ddRdRn8Qsqj1FyOC5slE3y2bZ2oFua72of/49fpujnFT6KnQ61CBMqlDoTQqOT62vGJ8nP6MZWvA6sxqud5AgMBAAEwAwYBAAMBAA==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'>[email protected]</saml:NameID>
<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>
<saml:SubjectConfirmationData NotOnOrAfter='2010-11-18T22:02:37Z' Recipient='{recipient}'/></saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter='2010-11-18T22:02:37Z' NotBefore='2010-11-18T21:52:37Z'>
<saml:AudienceRestriction>
<saml:Audience>{audience}</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex='_531c32d283bdff7e04e487bcdbc4dd8d' AuthnInstant='2010-11-18T21:57:37Z' SessionNotOnOrAfter='2010-11-19T21:57:37Z'>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name='uid'>
<saml:AttributeValue xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xs='http://www.w3.org/2001/XMLSchema' xsi:type='xs:string'>demo</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name='another_value'>
<saml:AttributeValue xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:xs='http://www.w3.org/2001/XMLSchema' xsi:type='xs:string'>value</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>Activate endpoint
Once you have finished testing your endpoint click the Activate checkbox.
Confirm you meet requirements
In order to set up Remote Authentication you will need someone who is familiar with writing code on a web server. They must be able to complete the steps in our Setting Up Your Application to Use ScreenSteps Remote Authentication (Not SAML) article.
Once you have someone who is capable of implementing the necessary code you can proceed with setting up Remote Authentication.
Where do you want to create the endpoint in ScreenSteps?
In ScreenSteps, you can create a Single Sign-on connection at the site level or the account level. Which one would you like to do?
Confirm your site is marked private
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to your site settings in ScreenSteps
- Select the site you want to create an SSO Endpoint for.
- Click Settings
- Click Settings (a different Settings)
Check Private > update
Create a new Endpoint
Configure Single Sign-on
Just below your site settings is Single Sign-on.
- Click Single Sign-on
- Click Configure SSO
Create the Endpoint
- Include a title (like "Remote Auth")
- Confirm ScreenSteps Remote Authentication is selected
- Click Create
Create endpoint in ScreenSteps Account
Open a new browser window and navigate to your ScreenSteps Admin area. You will need to refer to both the ScreenSteps and Google windows.
Navigate to the Account's Single Sign-on
- Click Account
- Click Single Sign-on
Create the Endpoint
- Include a title (like "Remote Auth")
- Confirm ScreenSteps Remote Authentication is selected
- Click Create
Add Viewer Group to your ScreenSteps site
You will need to add this viewer group to the ScreenSteps site that the users will be viewing.
Click Back to Sites
Confirm site > click Viewers
- Confirm you are in the correct site
- Click Viewers
Click Add Group
Add your Viewer Group
Now your users will be authenticated to your ScreenSteps site.
Confirm your site is marked private
Navigate to your site settings
Check Private > update
Navigate back to Account Single Sign-on
Enter Single Sign-on Settings
- Make sure you have set your mode to ScreenSteps Remote Auth.
- You must at least enter a Remote login url. This is the url that users will be redirected to login to your account. You will need to work with a software developer in order to figure out which URL to use.
- The Log out url is optional. This a url that users will be taken to once they log out of the ScreenSteps account.
- Once you are done, select Update.
Provide Remote Authentication Token and Remote Consumer URL to the developer
Now that you have created the Single Sign-on endpoint you have the Remote Authentication Token and Remote Consumer URL that the developer will need in order to implement Remote Authentication on the 3rd party server. Provide this information to the developer so that they can finish setting up the Remote Login URL. The developer will follow the instructions in the Setting Up Your Application to Use ScreenSteps Remote Authentication (Not SAML) article.
Test Remote Authentication
Copy Remote Auth Test URL
If you want to test your remote authentication settings you can copy and paste this Remote Test URL into your browser.
Activate Endpoint
Once you have finished testing your endpoint click the Activate checkbox.
