All Collections
Pantone Connect SSO
Pantone Connect - SSO User Guide
Pantone Connect - SSO User Guide

Setting up SSO configuration

L
Written by Lucas Hedgecock
Updated over a week ago

Pantone Connect Automated SAML2 Configuration

In this document you will find the following details for setting up Pantone Connect SSO.

  • SAML configuration and attributes mapping for production.

  • How to setup SAML2 in Pantone Connect

  • Troubleshooting

SAML configuration and attributes mapping for your IdP.

Feel free to use any identity provider of your choice. The how-to for the most popular identity platform solutions can be seen below:

First, go to your identity provider's configuration panel and follow the provider's instructions to configure Single Sign-On.

Then be sure to add the following data (depending on the identity provider, you may have more or fewer fields to be filled out. We recommend skipping optional fields or setting everything to default values).

Specs (metadata)

Protocol

SAML 2.0

Binding

HTTP Redirect for SP to IdP
HTTP Post for IdP to SP

The service URL (SP-initiated URL)

(aka Launch URL, Reply URL, Relying Party SSO Service URL, Target URL, SSO Login URL, Identity
Provider Endpoint, etc)

https://authconnect.pantone.com/saml2/idpresponse

Assertion Consumer Service URL 
aka Allowed Callback URL, Custom ACS URL, Reply URL)

https://authconnect.pantone.com/saml2/idpresponse

Audience URL or Audience Restriction

urn:amazon:cognito:sp:us-east-1_Kz8N0hVys

Signing Requirement

An unsigned SAML Response with a signed Assertion
A signed SAML Response with a signed Assertion.

Subject Confirmation Method

urn:amazon:cognito:sp:us-east-1_Kz8N0hVys

Required User Credentials (Claim Types)

Email

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

FirstName

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

LastName

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

How to setup SAML2 in Pantone Connect

When you’ve successfully setup your IdP with the metadata provided below and your organization has purchased Multi-Seats with SSO package, your organization should be entitled to configure Single Sign On.

You should follow next steps to set up SSO through Pantone License Management:

  • Navigate to https://licensing.pantone.com/ .

  • Log in. If you are already logged in, make sure that you are logged in as Organization Admin.

  • On the navigation menu, click on Single Sign On (SSO) navigation Menu

Graphical user interface, text, application, Teams Description automatically generated

In the Single Sign On tab, the organization admin should be able to see the following information.

  • Identity Provider Number: (This is a pre-generated number that is unique identifier for your organization)

  • Authorized Domains: These contain all the domains that you have allowed for each Team created in License Management. This is a prepopulated field, and to modify domains, organization admin should follow this tutorial found here.

  • Upload SAML2 Metadata Configuration file: Drop field for uploading SAML configuration files.

Once the Organization Admin extracts and uploads the SAML2 Metadata Configuration file from the IdP, and clicks save, the SSO should be successfully set up for the organization.

Troubleshooting

I have logged into the Licensing Management tool, but my Single Sign On button is disabled:

This issue is an indicator that you haven’t yet created an Organization. To resolve this issue, you should create the Organization before you set up SSO.

I have logged into the Licensing Management tool, but I cannot find the Single Sign On button.

This issue is an indicator that you might have logged in as the Team Admin, rather than Organization Admin. Since SSO Configuration is only available for Organization Admins, you need to be sure that you are signed in as the Organization Admin

I have logged in to the Licensing Management tool, and whenever I click on Single Sign On button, I am redirected to the create team page.

This issue is an indicator that you don’t have a team created yet. Since SSO works with authorized domains, you will need to have a whitelisted domain to set up SSO, and to have a domain, you will need to create the team. To resolve this issue, you need to create a team and assign the domain to that team.

I want to make changes in the Authorized Domain, but SSO configuration does not allow me to do that.

Since SSO configuration is fetching all domains from the teams that you have created in Licensing Service, you will need to change the domain in the team and then update SSO config. You can follow this tutorial to do that (*)

I cannot create or find my IdP SAML2 Metadata configuration file.

The metadata configuration File is created by your identity provider after you have successfully set up an application there. Here is more information on where you can retrieve the metadata information for different providers.

Okta:

https://support.okta.com/help/s/article/Location-to-download-Okta-IDP-XML-metadata-for-a-SAML-app-in-the-new-Admin-User-Interface?language=en_US

Azure AD:

On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.

The Certificate download link


Did this answer your question?