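Enabling Single Sign-On

Overview

Branch provides Security Assertion Markup Language (SAML) / Single Sign-On (SSO) support for the dashboard. This lets you use an identity provider (IdP) to centralize access to the various services your team uses, and take advantage of your existing directory system and security groups.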

Prerequisites

  1. Single Sign-on for the Branch dashboard is a paid feature.
  2. Branch works with Okta and OneLogin, and is compatible with any identity provider that supports SAML.

Set Up SSO

1. Contact Branch

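SSO for the Branch dashboard restricts access for specified email domains to a specific dashboard subdomain. When you are ready to get started, contact your account manager. Please provide:

  1. The email domain(s) that you and your team use, which will be required to log in via SSO.
  2. The Branch dashboard subdomain you would like your team to use to log in. For example, if you choose company, your dashboard subdomain will be https://company.dashboard.branch.io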
  3. The email addresses of any SSO admins that will be allowed to configure SAML for your team. These SSO admins will also be allowed to log in both via SSO and via regular dashboard login after SSO is enabled so that you have a fallback option to gain access to your account if the configuration goes wrong in some way.

2. Add Branch to your Identity Provider

  1. Add Branch to your IdP - Add the following SAML attribute mappings:

| SAML Attribute | Field it Should Map to in Your IdP |
| --- | --- |
| email | The user's email address |
| firstName | The user's first name |
| lastName | The user's last name |

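Here is some initial information that your IdP may ask for:

| IdP Field | Value |
| --- | --- |
| Platform | Web |
| Sign-on method | SAML 2.0 |
| Application name | Branch |
| ACS URL | https://<subdomain>.dashboard.branch.io/sso/callback |
| Audience URI | https://<subdomain>.dashboard.branch.io |
| SP Metadata | |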

Once this is complete, your IdP will provide you with details that you'll need to add to the Branch dashboard in order to enable SSO.
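As an added example (not Branch's code), the script below checks an assertion copied from your IdP's preview or test tool against the attribute names, Audience URI and ACS URL listed above. The function name, the sample assertion and the `company` subdomain are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = {"email", "firstName", "lastName"}  # attribute names from the mapping table

# Constructed sample, e.g. pasted from an IdP's assertion preview. Not real data.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://company.dashboard.branch.io/sso/callback"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://company.dashboard.branch.io</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>L</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, subdomain):
    """List mismatches between an assertion and the SP values on this page.
    Configuration check only: it does not verify the signature, and the stdlib
    parser should only be given XML from your own IdP."""
    base = f"https://{subdomain}.dashboard.branch.io"
    root = ET.fromstring(xml_text)
    problems = []
    # Names are compared exactly (assumption: the SP expects them as written).
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if any((v.text or "").strip()
                      for v in a.iterfind("saml:AttributeValue", NS))}
    problems += [f"missing or empty attribute: {n}" for n in sorted(REQUIRED - present)]
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if base not in audiences:
        problems.append(f"Audience {sorted(audiences)} does not include {base}")
    recipients = {c.get("Recipient", "") for c in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if f"{base}/sso/callback" not in recipients:
        problems.append(f"Recipient {sorted(recipients)} does not include {base}/sso/callback")
    return problems


if __name__ == "__main__":
    for line in check_assertion(SAMPLE, "company") or ["assertion matches SP settings"]:
        print(line)
```

The sample deliberately maps `firstname` in the wrong case, so the check reports `firstName` as missing.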

3. Copy Your IdP Details Back to Branch

  1. When you have added Branch, your IdP should provide you with an Identity provider Entity ID, an Identity provider SSO URL, and a Public x509 certificate. From the Branch Dashboard, go to Account Settings > SSO and paste in the information to the corresponding fields. Click Save when you're done.
    a. If you do not see the above fields it's likely because Branch has not finished enabling your account yet. Please contact your account manager.

4. Add Users to Branch in Your IdP

  1. Give the appropriate users access to Branch in your identity provider.
    a. When you add users to Branch via your IdP in the future you will also have to add them to the team for the appropriate apps in the Branch dashboard. You can do this on the Account Settings > Team page for each app that you want the user to have access to.

Users on Branch But Not Your IdP

If users are on your Branch team in the dashboard but are not given access in your IdP they will no longer be able to log in to the Branch dashboard when SSO is enabled.

5. Enable SSO

  1. Continue to enable SSO by returning to the Account Settings > SSO page and toggling SAML/SSO to On.
  2. Click Save at the bottom.

SSO is now enabled and users will have to log in via your branded subdomain. When users on your claimed email domain(s) try to log in, reset their password, or sign up the regular way via https://dashboard.branch.io, they will be redirected to your branded subdomain and your IdP login page.

FAQ

1. Is there a fallback option to sign in to the dashboard when SSO is enabled?
Yes! You can designate SSO admins that will be able to log in via your branded subdomain or https://dashboard.branch.io when SSO is enabled. These admins will be able to sign in with a password and turn SSO off if necessary. Contact your Account Manager to designate SSO admins.

In addition, users on your team that are not on your claimed email domain(s) will still be able to log in without SSO and access your Branch app. If this is not desired, be sure to remove these users from your team or add them to the list of claimed email domains.

2. Does Branch support just-in-time or SCIM account provisioning?
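Not at this time. A user can belong to multiple Branch apps, so for now admins have to determine which users on their claimed email domain should have access to which apps in Branch. If you are interested in this, please let us know through your account manager.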

3. How much does SSO cost?
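Single sign-on support for the Branch dashboard is a premium feature. Contact your account manager for more information. Note: SSO is not available for trial subscriptions.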
