
Single Sign On (SSO) with Conductor Creator and Intelligence

Conductor provides two methods for our users to access the Conductor platform:

  • Username and password on our sign-in page
  • Single Sign-On (SSO) through a SAML-enabled identity manager

Using SSO lets your Conductor users access the platform using the credentials they use for your organization's internal tech ecosystem. Many large organizations require or prefer SSO credentials to accommodate specific security needs.

For organizations interested in enabling Conductor's SSO sign in option for their account, the guide below provides an overview of the steps involved and the technical specifications for your organization’s IT team to set up the integration.

Who Should Use the Conductor SSO Integration?

For some organizations, especially those managing sensitive user data (such as PII or financial information), managing user identity themselves may be preferable to using Conductor’s default user management system (username and password entry on Conductor’s sign-in page).

Using SSO, your organization keeps control over which users have access to the data in its Conductor account, and its own password and security policies apply to those users.

Overview

Your organization’s IT team can create this integration through the industry-standard SAML 2.0 authentication protocol. Through this protocol, Conductor acts as the “Service Provider” (SP) and your organization hosts the “Identity Provider” (IdP) that the integration uses to authenticate users.

Conductor uses an SP-initiated SSO flow, which lets users be automatically redirected to the IdP. From a technical perspective, this is how the flow proceeds:

  1. A Conductor user with an SSO-enabled profile requests access to Conductor.
  2. Conductor’s SP Federation Server responds to the user’s browser with an HTML form (“AuthRequest”), and submits the form automatically to your organization’s IdP.
  3. How the next steps occur depends on whether the user already has an active session with the IdP:
    • If the user does not have an active session:
      1. Your organization’s system prompts the user for their credentials.
      2. Your IdP submits an HTML form (“AuthResponse”) to the Conductor SP Federation Server.
      3. The user is authenticated, and the system redirects the user’s browser to Conductor.
    • If the user has an active session with the IdP:
      1. Your IdP automatically submits an HTML form (“AuthResponse”) to the Conductor SP Federation Server.
      2. The user is authenticated, and the system redirects the user’s browser to Conductor.

Can I use an IdP-initiated SSO flow?

No, Conductor supports only SP-initiated SSO flows. Accordingly, your organization should not add Conductor to your IdP as a method for your organization's users to access the Conductor platform; any IdP-initiated flow will not grant access to Conductor.

Integration Process

There are a few steps that are common for all integrations. Depending on your organization’s unique requirements, these steps may differ slightly.

Planning

Before you start, you will want to contact your organization’s IT team (and any other necessary technical stakeholders). They should consider:

  • The SSO flow between Conductor and your organization’s user identity management system described above.
  • The integration and onboarding process described below.
  • The technical details of the SAML SSO integration.
  • Your organization’s security policies (if any).

Resolving any questions around these items will help avoid confusion or unclear expectations during the integration process. If you have questions for Conductor, you can contact Support.

Configuration

The SAML SSO integration configuration requires the following actions regarding:

  • Conductor’s SP
  • Your organization’s IdP
  • User access

Send Required Details from the Conductor SP to Your IT Team

Your IT team will need the following information about the Conductor SP:

  • Entity ID
    urn:amazon:cognito:sp:us-east-1_H8Q5YNAV3
  • Subject NameId Format
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Assertion Consumer Service (ACS) URL
    https://prod-conductor.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  • Certificate
    We can provide a signing certificate if your company requires Conductor to sign the SAML requests it sends to your identity provider.

Send Required Details from your Organization’s IdP to Conductor

Your IT team will need to send the following details about your organization’s IdP to Conductor Support. Conductor’s Engineering team will then add these details to the Conductor platform so that the integration works:

  • Entity ID
  • Metadata XML
    (Either the file itself or a URL where it is hosted. Note that the metadata must be signed)
  • Certificate
    (Optional. This can be derived from the XML metadata)
  • User session inactivity time-out, in minutes
  • SAML Attributes:
    • Email
    • First name
    • Last name
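The SP details above are exactly what the IdP's AuthResponse (step 3 of the flow) has to match: the Destination must be the ACS URL, the Audience must be Conductor's Entity ID, the NameID must be in emailAddress format, and the assertion must carry the three attributes. The following is an added example, not Conductor's own code, that decodes a POST-bound SAMLResponse and checks it against those published values, so an IT team can sanity-check a captured response (for instance one exported from a SAML trace) before contacting Support. The sample response, the IdP URL `https://idp.example.com/metadata` and the attribute names `Email`, `FirstName` and `LastName` are constructed assumptions; the article does not state the exact attribute names the IdP must emit. The check only confirms a Signature element is present; it does not verify the signature, which needs the IdP's certificate.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

# Conductor SP parameters exactly as published in the article.
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_H8Q5YNAV3"
SP_ACS_URL = "https://prod-conductor.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: the article lists email, first name and last name but not the
# exact SAML attribute names, so these three names are placeholders.
REQUIRED_ATTRS = ("Email", "FirstName", "LastName")
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def decode_post_binding(saml_response_b64: str) -> ET.Element:
    """The HTTP-POST binding (the HTML form in the flow above) carries the
    Response XML base64-encoded, not deflated, in the SAMLResponse field."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def _ts(value: str) -> dt.datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(root: ET.Element, now: dt.datetime) -> list:
    """Return the mismatches between an AuthResponse and what Conductor's SP
    expects. Empty list = structurally acceptable. Signature presence only;
    cryptographic verification requires the IdP certificate and is not done here."""
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no (unencrypted) Assertion")
        return problems
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion is signed")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the SP Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:  # validity window; a skewed IdP clock shows up here
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        problems.append(f"missing attributes: {missing}")
    return problems


# Constructed sample AuthResponse (not a real capture); IdP URL is a placeholder.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# The same message with the wrong Audience, as a misconfigured IdP would send it.
BAD_RESPONSE_B64 = base64.b64encode(
    SAMPLE_XML.replace(SP_ENTITY_ID, "urn:example:some-other-sp").encode()).decode()
DEMO_NOW = dt.datetime(2024, 1, 1, 12, 2, tzinfo=dt.timezone.utc)


def run_demo():
    good = check_response(decode_post_binding(SAMPLE_RESPONSE_B64), DEMO_NOW)
    bad = check_response(decode_post_binding(BAD_RESPONSE_B64), DEMO_NOW)
    return good, bad


if __name__ == "__main__":
    for label, problems in zip(("well-formed", "wrong audience"), run_demo()):
        print(label, "->", problems or "OK")
```

To use this on a real capture, paste the base64 value of the SAMLResponse form field into `decode_post_binding` and pass the current UTC time; each returned string names one field the IdP must fix. An encrypted assertion (EncryptedAssertion element) is reported as "no (unencrypted) Assertion" because the article specifies signed metadata, not encryption, and the checker cannot look inside it.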

Configure Access for Users

For users to have access to the Conductor platform through your organization’s SSO, they must be provisioned on both your organization’s SSO platform and on the Conductor Platform. After both your IT team and the Conductor team finish configuring the integration with the information described above, be sure to perform both of the following actions:

  • Your IT team must provision Conductor to users in your organization’s SSO management platform.
  • Indicate to your Conductor representative how you want your users to be provisioned in Conductor:
    • When auto-provisioned, any user who signs in to Conductor using your SSO will have a Conductor user profile created for them automatically.
    • When not auto-provisioned, you will need to add users individually before they are able to sign in to the Conductor platform through the SSO integration.

Testing

Test your configuration

Your IT team can begin testing once the initial configuration is complete on both sides of the integration. They can verify that the IdP appropriately handles the AuthRequest message and Conductor engineers will verify that the SP correctly handles the AuthResponse message.

Test with a user

You can complete testing by adding a test user or editing a live user in the Conductor platform and configuring them to use SSO. To do this, you can follow the directions found in the relevant Conductor Knowledge Base article below:

Confirm that this process works for the test user or a live user by sending them to sign in at:
https://app.conductor.com/login.html

If your configuration works as expected and your user can sign in, you can proceed to Onboarding users.

Troubleshooting Errors

After setting up your SSO integration, if you run into any errors, you can run what is called a "SAML trace" in your browser to provide us with details about what might be going wrong.

The following instructions describe how to do this with an extension in Google Chrome.

  1. Download the SAML Chrome Panel Google Chrome extension. Note that this is a third-party extension that is not affiliated with Conductor.
  2. Confirm you are not already signed into Conductor's platform. You can clear your browser's cookies for a clean session.
  3. Go to Conductor's sign-in page.
  4. Right-click anywhere on the browser page and select Inspect to open Chrome's Developer Tools. Then, in the Developer Tools panel, go the SAML tab at the top. If you don't see it, click the >> icon to reveal hidden tabs.
    This is where Chrome will capture SAML sign-in activity.
  5. On the webpage, sign into Conductor using your credentials. The extension will capture SAML requests and responses.
  6. Back in the SAML tab of DevTools, click the Export button to download the SAML requests and responses to a .json file.
  7. Send this file to Conductor's Support team using our in-app messaging feature or through email to support@conductor.com.

Onboarding

My Users Are Auto-provisioned in Conductor

If your users are provisioned in your SSO platform and auto-provisioned in Conductor, new users may access Conductor as soon as the SSO integration is complete. Note the following:

  • Auto-provisioned users will have Read-only permissions by default. An Admin user in Conductor will be needed to change those users’ permission level. For details about Conductor’s different user permissions refer to the What Are the Differences Between User Types in Conductor? article.
  • Auto-provisioned users will have access to all of the Conductor platform accounts associated with your organization. You can update the access your auto-provisioned users have after they have their user provisioned.

My Users Are Not Auto-provisioned in Conductor

If your users are provisioned in your SSO platform but not auto-provisioned in Conductor, you can activate SSO access for your organization’s users as follows:

  1. Your Conductor representative will decide who at your organization (this may be you) should be responsible for granting access to the rest of the users on your account. Note that the user or users granted this task must have Admin permissions to add new and manage existing users. For details about Conductor’s different user permissions refer to the What Are the Differences Between User Types in Conductor? article.
  2. Your Conductor representative will enable SSO for the Admin user or users they identify in step 1 above.
  3. The users identified in step 1 and enabled for SSO in step 2 then enable the SSO toggle for all the relevant users in Conductor. To do this, refer to the Edit User Settings article.

Once non-auto-provisioned users in the account become SSO-enabled, they receive an email indicating that they are no longer able to sign in with standard credentials and must sign in through SSO instead. All SSO-enabled admin users in the account should continue to use the SSO toggle when they add new users to the account. To do so, refer to the Add Users to Conductor article.