Leverage SAML 2.0 with your Identity as a Service (IDaaS) provider to enable Single Sign-on (SSO), securely and uniformly managing admin access to your EventHub event management page.
As the service provider, EventHub supports SP-initiated sign-on. IdP-initiated sign-on is not supported.
<tips>SSO is an add-on service; contact your customer success manager for details.
SSO setup takes time; please plan ahead to allow enough time to complete it.</tips>
1. Connecting via IDaaS
The EventHub SAML feature can be configured with any IDaaS provider.
This article provides a general outline of the implementation process, not specific to any IDaaS or Identity Provider (IdP). As the setup may differ from provider to provider, please consult with your own teams to ensure proper setup.
2. How to Set Up SSO with SAML Authentication
Your customer success manager will contact you once the initial backend setup has been completed on your EventHub environment. Then, follow the steps outlined below.
1: IDaaS Settings
To access the SAML parameters from your EventHub environment, navigate to [Settings]>[Members] and click [SAML parameters].
Use the [ACS URL] and [SP Entity ID] for setup with your IDaaS provider.
<tips>If you don't see the [SAML parameters] button, please get in touch with your customer success manager.</tips>
2: Metadata URL
Share the metadata URL from your IDaaS provider with EventHub. If you don't have a metadata URL, send a metadata file instead.
*We recommend sharing a metadata URL as it automatically stays up to date.
3: Logging In with SSO
EventHub will use the provided metadata information to configure your EventHub environment. Once the setup is complete, we will provide you with your designated URL for SSO login. Use the provided URL to access the event management page.
<attention>You cannot log in to the event management page via your IdP. You must log in via the provided SSO-login URL.</attention>
4: EventHub Login Email Address
Upon successfully logging in, the email address linked to your IDaaS will be displayed at the top right of the event management page. Please share this email address with EventHub.
New users who log in via SSO do not initially have admin rights to view or edit events. Share the login email address with EventHub to grant admin rights to the first admin.
<attention>EventHub will grant full admin access to the first SSO-enabled admin. Your existing admin(s) should then grant admin access to additional users. See the following article for further information regarding admin rights: Admin Accounts </attention>
Your SSO setup is now complete! 🎉
*If you are unable to successfully log in via SSO after following the steps outlined above, please confirm the setup with your IdP.
Additional Notes
User IDs and Passwords
- Once the SSO setup is complete, you cannot add admins who can log in via a standard ID and password.
- Admins with accounts created before SSO setup can still log in to the event management page via their ID and password. To control these admins' access, delete their accounts from the [Settings]>[Members] tab and re-add them via your IDaaS. Accounts that can still log in to your EventHub environment are indicated by a ⚠️ mark.
- An admin account is automatically added to each EventHub environment so that we can troubleshoot quickly and effectively should the need arise. We may request your permission to log in with this account to view your events directly and provide support. Even if SSO is enabled, this account does not use SSO to log in.
Other
- Your IDaaS provider generates a random EventHub-login email address for each user during the initial SSO setup. While you can change this email address from the EventHub admin side, changes will not be reflected on the IDaaS side.
- The password reset function is unavailable when SSO is enabled.
- The IP address restriction feature may prevent users from connecting to your IDaaS.
- After you remove an admin's access via the IDaaS, it may take up to 72 hours before the admin can no longer access the EventHub event management page.