Access the necessary documentation
To enable an SSO connection for your organization, access the necessary instructions for your identity provider. These are available within our Help Center.
Give access to integration page to the person leading the SSO integration
By default, only Chartbeat account owners have access to the Authentication page, which is required to complete an SSO integration. If someone other than the account owner will be leading the integration, create an account for them with the “IAM Admin” role (or update their existing Chartbeat account with the IAM Admin role access) from within our User Management interface.
The IAM Admin role will have access to the authentication page and settings, but not the rest of your Chartbeat dashboards and features.
Plan for how you’ll want to roll out
Chartbeat supports two types of SSO enforcement: Optional and Required.
When SSO is marked as Optional, users have the option to link their accounts and use SSO, and when marked as Required, users must link their accounts to log in using SSO in order to log into Chartbeat. (Note: This is a global setting available at the account level, not at an individual user or domain level.)
By default, SSO connections are enabled as Optional, but users with access to the Authentication page can change this setting whenever desired.
Most customers will start with SSO as Optional during rollout and then move to Required once all users have been migrated to SSO. When SSO is set to Required, a user who has not yet linked their Chartbeat account to the IDP will be prompted to link at their next login, or if logged in, when navigating to a new page inside of Chartbeat (see below screenshot).
Adjust any user’s emails who won’t match
In order to link a Chartbeat account to the account on your Identity Provider, the email used in both systems will need to match exactly. The causes of these mismatches are often different domains used in each system -- i.e. firstname.lastname@example.org vs. email@example.com. If you suspect that your overall user base will include a number of these mismatched emails, we recommend doing an audit for affected users, changing their Chartbeat login to match the IDP email, and letting the user know that they should use their new email going forward. This audit and update step will prevent individual users from running into errors later in the process.
Migrate off shared accounts
If your organization is using shared logins currently, migrating to SSO will involve transitioning users to their own logins. If you have a significant volume of individual users making this switch, we recommend working with Chartbeat’s Support team to ease this transition, so that our team can help you bulk create users and also ensure they have proper domain/tool permissions set up.
Contact your team’s Chartbeat Implementation Engineer to let them know, via a CSV, which users need to be created and what permissions they should have — we can set those users up with proper permissions in bulk.
Let users know about SSO
Once you have your SSO connection established and you’re ready to roll out, you’ll want to let your users know that this is now an option. Your communication to users may vary, depending on a couple of factors:
- Whether you’re setting SSO to Optional or Required
- Whether the user already has an individual login or if they’re migrating from a shared account
To help with this transition and communication, Chartbeat has a set of email templates available for your use.
Chartbeat’s User Management interface reports users’ authentication method as SSO or Username/Password, and this data is also available in CSV form by downloading from User Management. We recommend using these tools to monitor which users have enrolled for SSO and which users still need to be transitioned.
Handle Big Board access
Many organizations have Chartbeat’s Big Board on monitors in their newsrooms. If you migrate to SSO, you may need to update the URLs in use for those Big Boards, so that they’re not getting repeated SSO login prompts.
Follow our best practices for large format displays and digital signage, which spells out what’s required. If you’re already following these guidelines, you won’t need to make additional changes.
(Optional) Set up SCIM provisioning
Learn more about lifecycle management here.