There are multiple authentication mechanisms that can be used to sign into the admin interface.
- Sign in with email/username and password
- Sign in with Google
- Sign in with Microsoft
- Sign in with SAML
To enable sign in with SAML, you must have a Cloud linked to a custom domain name.
Configure SAML settings in the Cloud security settings in the tab named SAML SSO.
Screenshot showing the settings for SAML SSO:
Linking a SAML Identity provider (IdP) to TargetR digital Signage (SP)
Google Workspace SAML setup
Find Option to Add custom SAML app
Provide App details such as App name and App icon
Copy the SSO URL, Entity ID and Certificate
And paste into TargetR admin interface SAML SSO section
Now copy the SAML SP SSO URL and SAML SP Entity ID and paste into Google Workspaces
Make sure the Name ID format is EMAIL. The email address of users is how TargetR and the IdP link user accounts.
Add the attributes firstName and lastName. They will be automatically read and combined to form the label for new users.
Finally, for Google Workspaces, remember to enable the SAML app for users.
When complete, users can sign in with the new "Sign in with SAML" button:
Okta SAML setup
Sign in to Okta admin and click Add App
Click create New App
Click SAML 2.0
Provide the App Name and icon (according to your own cloud branding)
Copy the SP SAML information from the TargetR admin interface cloud security tab and paste into Okta
Make sure the Name ID format is EmailAddress. The email address of users is how TargetR and the IdP link user accounts.
You may also add firstName and lastName attributes as shown above. This will initialize the user label for new users when no label has been defined.
Tell Okta this is an internal app
On the next screen, click View SAML setup instructions
Copy the SSO URL, Entity ID (IP Issuer) and Certificate...
...and paste into TargetR admin interface cloud security section
Finally, enable the App for users you have configured inside Okta
You can now sign in from Okta or using the Sign in with SAML button.
Users are mapped using the email address. If a user with matching email address already exists inside TargetR, SAML will sign them in to the existing account.
You must enable the Allow new users to register and sign in option to permit users not already configured in the TargetR admin interface to sign in. With this option enabled, a new user will be automatically created when they first sign in with SAML. You can configure the name attributes (as in examples above) to make setting up new users a little easier.
An additional security constraint has been added to prevent a malicious IdP allowing any user to sign in as another user. Users will only be signed in to the cloud that is assigned to their user account. This restricts a user to being only able to sign in to a single domain name.
A user can still have a password assigned to them for manual account access. This can be important if the IdP is unavailable, or user wants to sign in to another cloud.
Second factor authentication can not be enabled in addition to SAML. Disable TargetR 2FA to use SAML.
Remember that by enabling SAML, you are trusting the security of the IdP. All users with a matching cloud also must trust the IdP.