SAML-based single sign-on (SSO) gives your members access to Assembly through the identity provider (IdP) of your choice. When enabled, members will sign in directly through your identity provider using SSO.
Only Admins can set up, edit, and disconnect SAML authentication and single sign-on. This admin must also have access to the identity provider’s (IdP) settings. The email address in the IdP must match the email address in Assembly, both for the admin and for any member who joins.
To get started, you’ll need to set up a SAML connection (or connector) for Assembly with your IdP.
If you have guest accounts (manually-invited members), we recommend choosing the option where SSO is either 1) Required, except for manually-invited members; or 2) Optionally-required, so manually-invited members can still sign in using their email address and password. For more information about manually-invited members, check out this help article.
Configure the Assembly app to appear in your IdP dashboard
(NOTE: Please ensure the NameID in your IdP matches the email address in Assembly, and make sure to call it Email.)
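A pre-flight check for the NameID requirement above, as an added example that is not Assembly's own code: it parses a constructed SAML assertion, such as one copied from your IdP's test tool, and compares its NameID with the member emails on file in Assembly. The function name, the sample assertion, and the reading of "call it Email" as an attribute named Email are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned assertion as an IdP test tool might show it.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>Dana.Reyes@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>Dana.Reyes@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, assembly_emails):
    """Return a list of mismatches between an assertion and Assembly's member emails.

    Configuration check only: it does not verify the signature, so it is not
    a substitute for the service provider's own assertion validation. Run it
    only on assertions you produced yourself from your own IdP.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        return ["assertion has no NameID"]
    problems = []
    if value.count("@") != 1:
        problems.append(f"NameID {value!r} is not an email address")
    # Assumption: "call it Email" means an attribute named Email with the same address.
    attr = root.find(".//saml:Attribute[@Name='Email']/saml:AttributeValue", NS)
    if attr is None:
        problems.append("no attribute named 'Email'")
    elif (attr.text or "").strip() != value:
        problems.append("Email attribute differs from NameID")
    if value not in assembly_emails:
        # The page does not say whether matching ignores case, so flag it for review.
        by_lower = {e.lower(): e for e in assembly_emails}
        if value.lower() in by_lower:
            problems.append(f"NameID differs only by case from {by_lower[value.lower()]!r}")
        else:
            problems.append(f"NameID {value!r} has no matching Assembly email")
    return problems
```

An empty list means the assertion's NameID and Email attribute agree with an address in the member list you passed in.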
When turned on, this setting will allow anyone with access to Assembly in your IdP to create an Assembly account directly from your IdP by clicking on the Assembly card in your IdP dashboard. If the user already has an invitation in the pending, queued, or requested state, we will automatically create their Assembly account and they will no longer have a pending/queued/requested invitation.
When turned off, if a user clicks Assembly directly from your IdP, they can request access to your Assembly account (their request will show up in the Requests tab in https://my.joinassembly.com/admin/users/invite).
Once you’ve set up SAML authentication, any members already signed in when SSO is enabled will remain signed in. All required members will receive an email prompting them to authenticate with SAML, except when SAML is optional for your Assembly.
Going forward, all members will sign in to Assembly with their IdP account. If you chose to require SSO, your members will see a sign-in page before they can access your Assembly.
If you would like to discontinue using SAML authentication for your Assembly account, you can disable it at any time.
Any members already signed in when SAML is disabled will remain signed in. Once SAML authentication is disabled, members will no longer be required to authenticate with your SAML platform, and will no longer have the option to do so. Disabling will clear your SAML settings, and you will need to re-enter all of the information to set SAML authentication up again.
Members of your Assembly will be prompted via email to either authenticate with SSO, log in with email and password, or create/reset their password if they do not have one.