
Intellum offers a number of authentication options for your audiences. You can choose from simple login configurations or work with Intellum to set up a Single Sign-On (SSO) configuration for a seamless user experience between your organization's internal sites and the Intellum platform.

This article gives an overview of the platform's authentication options, including setup requirements where applicable.


Things to note:

  • Some login and SSO options must be enabled by your Customer Success Manager (CSM) or an Intellum representative.
  • SSO options may require additional credentials or metadata files. Your CSM or an Intellum representative will request this information for setup.
  • Login options and SSO are set up and enabled at the account level, but can be customized for each Organization in your account.

What is Single Sign-On?


Single sign-on can mean letting a user log in to, or register for, an account in the Intellum platform by authenticating with an existing user account - like a Facebook or Google account.

Single sign-on can also refer to a setup that allows user accounts/account credentials to be passed from a specific internal application to the Intellum platform for a seamless login experience.

Simple Login Configurations


Password Login

Password login uses a simple username and password for login. This is the default login configuration for Intellum accounts.

Requirements:

No setup is required. Login and password are managed through User properties. Enable self-registration for an Organization to let new users sign up for an account.


Facebook Login

Facebook login allows users to authenticate through a Facebook account. You can also choose to open Facebook registration to new users - giving them the option to create an account by authorizing with Facebook.

Requirements:

Contact your Customer Success Manager and request that Facebook authentication be enabled on your account. The Facebook option will not be reflected at the Organization level until it is enabled on your account.

Follow these steps to add Facebook authentication to an Organization:

  1. Navigate to account Settings in the expanded admin panel.
  2. Select the Organizations drop-down tab and choose an organization.
  3. Select the Registration & Login tab for the Organization.
  4. Enable Facebook for the Authentication Options property.

User Attributes:

It is not currently possible to customize the attribute mapping from Facebook.

Intellum attempts to set first name, last name, locale, time zone, email, and avatar. If the Facebook user data has work information, the employer string will be put into the user's custom_t field. A Facebook "ASID" is also used as the user's facebook_id.


Google Login

Google login allows users to authenticate through a Google account. You can also choose to open Google registration to new users - giving them the ability to create a new account by authorizing with Google.

Requirements:

Contact your Customer Success Manager and request that Google authentication be enabled on your account. The Google option will not be reflected at the Organization level until it is enabled on your account.

Follow these steps to add Google authentication to an Organization:

  1. Navigate to account Settings in the expanded admin panel.
  2. Select the Organizations drop-down tab and choose an organization.
  3. Select the Registration & Login tab for the Organization.
  4. Enable Google for the Authentication Options property.

User Attributes:

It is not currently possible to customize the user attribute mapping from Google.

The Intellum login, uid, and code fields are all set to the Google UID.
We set first name, last name, email, and an avatar URL, as well as locale if provided.


Twitter Login

Twitter login allows users to authenticate through a Twitter account. You can also choose to open Twitter registration to new users - giving them the ability to create a new account by authorizing through Twitter.

Requirements:

Contact your Customer Success Manager and request that Twitter authentication be enabled on your account. The Twitter option will not be reflected at the Organization level until it is enabled on your account.

Follow these steps to add Twitter authentication to an Organization:

  1. Navigate to account Settings in the expanded admin panel.
  2. Select the Organizations drop-down tab and choose an organization.
  3. Select the Registration & Login tab for the Organization.
  4. Enable Twitter for the Authentication Options property.

User Attributes:

It is not currently possible to customize the user attribute mapping from Twitter.

The Intellum login, uid, and code fields are all set to the Twitter UID.
We set first name, last name, email, and an avatar URL.

Single Sign-On Configurations


OAuth 2.0

OAuth 2.0 is a generic authorization framework that works by delegating user authentication to the service that hosts the user account, allowing a third-party application, like Intellum, to grant the user access to an account.

Requirements:

To use OAuth 2.0 for single sign-on, you'll need your OAuth 2.0 details. Contact your Customer Success Manager for more information.

Intellum requires a fairly standard set of fields:

  • client ID

  • client secret

  • scope

  • matching user attribute - and whether lookups are case-insensitive

  • authorize URL

  • token URL

  • user API URL

User Attributes:

User attribute mapping can be optionally enabled, and is customizable using data sent from the OAuth provider.


OpenID Connect

OpenID Connect is a standard for single sign-on and identity provisioning. OpenID Connect uses OAuth 2.0 to deliver JSON-based identity tokens to web, browser-based, and mobile applications.

Requirements:

Contact your Customer Success Manager for more information on using this SSO configuration.

Intellum requires a fairly standard set of fields:

  • client ID

  • client secret

  • scope

  • matching user attribute - and whether lookups are case-insensitive

  • authorize URL

  • token URL

  • host

  • issuer

  • JWK signing keys

  • response type (id_token and code are supported)

User Attributes:

User attribute mapping from OpenID Connect for new users can be optionally enabled, and is customizable using data sent from the SSO provider.


SAML 2.0

SAML is an XML standard for exchanging authentication and authorization data between security domains.

Requirements:

If you would like to use SAML as an SSO configuration, you will need to trade metadata with Intellum. Here's an overview of the setup process:

  1. Provide your metadata.xml file to Intellum.
  2. Confirm a matching user attribute with Intellum. Confirm whether case-sensitivity is required (Intellum forces some fields to all-lowercase, so case-insensitive is more compatible).
  3. Intellum will apply the appropriate settings to your site and enable SSO authentication for your site.
  4. Attempt logging in with a user account that is known to exist as an account within your system as well as in your Intellum account.
  5. Once confirmed, all users created in your Intellum account - with the matching user attribute - will be able to log in via SSO.

Your Customer Success Manager will work with you to coordinate setup.
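
As an added example (not Intellum code), here is a pre-flight check for steps 2 and 4: it compares the matching-attribute values exported from your identity provider with the values already on your Intellum users, and labels each one as an exact match, a match only when case is ignored, ambiguous when case is ignored, or missing. The sample values, the function names and the use of `casefold()` as the case-insensitive comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample values of the agreed matching attribute on each side.
IDP_VALUES = [
    "Alice.Smith@example.com",
    "bob@example.com",
    "Carol@Example.com",
    "carol@example.com",
    "dave@example.com",
]
PLATFORM_VALUES = ["alice.smith@example.com", "bob@example.com", "carol@example.com"]


def fold_index(values):
    """Group the distinct original spellings under their case-folded form."""
    index = defaultdict(set)
    for value in values:
        index[value.casefold()].add(value)
    return index


def classify_matches(idp_values, platform_values):
    """Label each IdP value: exact, case-only, ambiguous or missing."""
    idp_index = fold_index(idp_values)
    platform_index = fold_index(platform_values)
    platform_exact = set(platform_values)
    report = {}
    for value in idp_values:
        key = value.casefold()
        if len(idp_index[key]) > 1 or len(platform_index.get(key, ())) > 1:
            # Two distinct accounts collapse into one identity when case is ignored.
            report[value] = "ambiguous"
        elif value in platform_exact:
            report[value] = "exact"
        elif key in platform_index:
            report[value] = "case-only"  # fails a case-sensitive lookup
        else:
            report[value] = "missing"  # no platform account to match
    return report


if __name__ == "__main__":
    for value, status in classify_matches(IDP_VALUES, PLATFORM_VALUES).items():
        print(f"{status:10} {value}")
```

Resolve every "ambiguous" value before asking for case-insensitive matching, since two directory accounts would otherwise resolve to the same platform user.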

User Attributes:

User attribute mapping from SAML can be optionally enabled and is extensively customizable using data sent from the Identity Provider. It can be configured to handle new users and existing users the same or differently in key respects.


LDAP

LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol used for directory services authentication. If you use a directory service for user authorization, Intellum can authenticate users through LDAP.

Requirements:

To set up LDAP for single sign-on, Intellum connects to your LDAP server. Contact your Customer Success Manager for more information.

Intellum requires a fairly standard list of settings to access the LDAP server:

  • host

  • port

  • encryption method (e.g. simple_tls)

  • authentication method (e.g. simple)

  • authentication username (not for users, for the LDAP authenticator)

  • authentication password

  • user base container

  • user filter

User Attributes:

It is not possible to map attributes at this time. The user must already exist in the Intellum platform.

Azure AD B2C

Azure Active Directory B2C (Azure AD B2C) is Microsoft's implementation of OpenID Connect for Azure Active Directory (Azure AD).

Requirements:

Contact your Customer Success Manager for more information on using this SSO configuration.

Intellum requires a fairly standard set of fields:

  • client ID

  • client secret

  • matching user attribute - and whether lookups are case-insensitive

  • authorize URL

  • token URL

  • host

  • issuer

  • tenant name

  • policy name

  • JWK signing keys

  • response type (id_token and code are supported)

User Attributes:

First name, last name, and email are all set from the authentication data if they are available as first_name, last_name, and email.

Additional or different user attribute mapping can be optionally enabled, and is customizable using data sent from the SSO provider.

Updating SSO Certificates


Contact your Customer Success Manager or Intellum Support to update your SSO Certificates. This includes Active Directory Federation Services (ADFS) token-signing and token-decrypting certificates. You will need an updated XML file to ensure SSO certificates are updated appropriately.
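
Before sending the updated XML file, you can confirm which certificates it actually changes. The following added example (not Intellum or Microsoft code) fingerprints the signing and encryption certificates in two SAML metadata files and reports what the new file adds, removes and keeps; the sample metadata is constructed, its "certificates" are placeholder bytes, and the function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def cert_fingerprints(metadata_xml):
    """Map key use ('signing'/'encryption') to SHA-256 fingerprints of its certs."""
    found = {"signing": set(), "encryption": set()}
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(DS + "X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            for use in uses:
                found[use].add(hashlib.sha256(der).hexdigest())
    return found

def rotation_diff(old_xml, new_xml):
    """Per key use, the fingerprints the updated file adds, removes and keeps."""
    old, new = cert_fingerprints(old_xml), cert_fingerprints(new_xml)
    return {use: {"added": new[use] - old[use],
                  "removed": old[use] - new[use],
                  "kept": old[use] & new[use]} for use in old}

def sample_metadata(signing, encryption):
    """Constructed metadata; the 'certificates' are placeholder bytes, not real DER."""
    def kd(use, blob):
        b64 = base64.b64encode(blob).decode()
        return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
                f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(kd("signing", s) for s in signing) + kd("encryption", encryption)
    return ('<md:EntityDescriptor entityID="https://idp.example.test/"'
            ' xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
            ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{body}</md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')

# The new file keeps the old signing cert beside the new one; encryption is replaced.
OLD = sample_metadata([b"old-signing"], b"old-encryption")
NEW = sample_metadata([b"old-signing", b"new-signing"], b"new-encryption")

if __name__ == "__main__":
    for use, change in rotation_diff(OLD, NEW).items():
        print(use, {k: sorted(v) for k, v in change.items()})
```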