
SAML 2.0 FAQ

What is SAML 2.0?

Security Assertion Markup Language (SAML) is a standard that allows users from an identity system (such as Microsoft’s Active Directory Federation Services) to log into a service provider (such as BLOX CMS) using the same login session.

Using this technology, news organizations can enable Single Sign-On (SSO), which allows their users to log in once and then those same credentials can be used to log into multiple other service providers.

For BLOX CMS partners, there are significant advantages to this:

The management of user accounts can happen in the partner’s pre-existing identity system, meaning that new users only need to be added once, in one system.

Additionally, SAML and SSO are very important to any enterprise cybersecurity strategy. Identity management can be limited to one system, and access for users who need it revoked or changed can be handled easily in that one place. This reduces the chance that an old, inactive account is lingering around and able to be compromised.

User permissions, such as which sites a user has access to on BLOX CMS, can be managed within the Active Directory system and communicated to BLOX CMS.

Adding a user to multiple BLOX CMS sites can happen all at once, instead of having to go through multiple BLOX CMS sites in order to add users and permissions.

Users don’t need to remember multiple usernames and passwords. Everything is managed in the secure Active Directory system.

Two-factor authentication, or other security initiatives, may be implemented in the identity management system, thus making the BLOX CMS login more secure.


What is an identity management system?

Identity management, or identity and access management (IAM), is a framework that allows users to authenticate to, and be authorized for, multiple applications or systems.

Many news organizations use a form of identity management to manage their users, such as Microsoft's Active Directory Federation Services (ADFS), which will work with SAML 2.0.

Any identity management system that fully supports SAML 2.0 should work with the BLOX CMS SSO implementation.


How does the Single Sign-On work?

Once the system is set up, a user will go to the BLOX CMS admin login screen and enter their email address. The system will recognize that the domain name of their address is associated with a SAML integration, and will then redirect that user to their identity management portal to log in.

After they log in, they are directed back to BLOX CMS with an authorization token. BLOX CMS recognizes this token and allows them to log in.
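The two steps above, the email-domain lookup and the checks a service provider must pass before it "recognizes" the returned token, as an added Python illustration that is not BLOX CMS code. The entity IDs, the domain-to-IdP table and the sample response are constructed assumptions; real signature verification requires an XML-DSig library, which this snippet does not replace.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity-expansion attacks
from datetime import datetime

# Hypothetical service-provider settings (assumed; not BLOX CMS's real configuration).
SP_ENTITY_ID = "https://cms.example.com/saml/metadata"
IDP_BY_DOMAIN = {"newsroom.example.com": "https://adfs.newsroom.example.com/adfs/services/trust"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_for_email(email):
    """Step 1: map the login email's domain to its trusted IdP; None means no SAML integration."""
    return IDP_BY_DOMAIN.get(email.rsplit("@", 1)[-1].lower())

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, expected_idp, request_id, now):
    """Step 2: checks the SP must pass before 'recognizing' the returned token; returns the NameID.
    Signature *verification* needs an XML-DSig library (e.g. python3-saml); this only
    refuses assertions that carry no signature element at all."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("missing or unsigned assertion")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_idp:
        raise ValueError("issuer is not the IdP configured for this email domain")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id:
        raise ValueError("assertion does not answer our outstanding AuthnRequest")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore", "")) <= now < parse_ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window (replay or clock skew)")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was issued for a different service provider")
    return assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)

# Constructed sample response; the empty ds:Signature stands in for a real XML-DSig block.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion><saml:Issuer>https://adfs.newsroom.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature/><saml:Subject><saml:NameID>editor@newsroom.example.com</saml:NameID>
   <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req123"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://cms.example.com/saml/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Each failed check maps to a distinct log reason, which is what a site admin would want to see when a federated login is rejected.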


What about disabling an account?

Disabling an account’s access within the identity management system will prevent the account from accessing the BLOX CMS admin.

At this time, existing login sessions will not be automatically affected, but the next time the user attempts to log in, access will be lost. Site admins may manually ban or downgrade specific user profiles if needed to make the change more immediate.


What is a required authentication service?

A site may be optionally configured to require that its admins be authenticated through one or more known identity providers (see Configuration). A non-staff admin who logs in with a password or mismatched identity provider will not be allowed access to the site. This may be a soft block or the equivalent of an auto-provisioning loss of access, depending on business needs.


What are the limitations?

An account which is authenticating through an identity provider will not be able to use the "Forgot your password?" feature. Site admins will also be unable to set a new password on such accounts through the admin interface.

NOTE: For InDesign, you need to set your authentication token in 2FA settings and use that instead of the password.


Does this work for TotalCMS?

TotalCMS appliances are not supported at this time.

Once enabled, any user must have an account on the identity provider in order to log in. External accounts such as bloggers or freelancers must therefore be set up in the identity provider first.
