Single Sign-On Support

Single Sign-On (SSO) in DonorPoint refers to the ability for workplace constituents to log in to DonorPoint forms using their company logins.  When someone in a company set up for SSO accesses a DonorPoint form from their workplace, DonorPoint will check if they are logged into the company's domain.  If the person is logged in, DonorPoint will redirect them immediately to the DonorPoint form, without requiring them to log in with an additional DonorPoint username and password.  If the person is not logged into their company's domain, they are redirected to their familiar company login screen.  After they successfully log into their company's domain, they are then redirected to the DonorPoint form without requiring an additional DonorPoint login.

Single Sign-On greatly improves the workplace campaign experience:

  • It takes fewer clicks and steps to make a donation, register for an event, etc.
  • Employees do not have to remember yet another login name and password
  • The workplace can adhere to its own security and privacy rules

How Does SSO Work?

Single Sign-On support in DonorPoint is based on an internet standard technology called SAML, which is supported by most modern Identity Management Systems.  This allows DonorPoint to support SSO for most workplaces using common 'out of the box' configuration parameters.

Using SAML, DonorPoint is set up to 'trust' the company's Identity Management system to tell DonorPoint who is logged in, without DonorPoint having to verify that via its own login and password form.  When someone accesses a company's internal DonorPoint form, DonorPoint 'asks' the company's identity management system for the currently logged-in user.  If the person is logged into the company's domain, the identity management system immediately returns to DonorPoint with the person's identity, and DonorPoint proceeds as if the person had logged in via DonorPoint's own login form.  If the person accessing the form is not logged into their company systems, they are prompted to do so.  Once the employee is logged into the company domain, the company's identity management system replies to DonorPoint with that person's identity.  DonorPoint then proceeds as if the person had logged in via DonorPoint's own login form.

Note that DonorPoint still requires a record in its database to define the employee and what they can see and do, so SSO support does not bypass the need to create or import records for employees.

SSO Setup

DonorPoint is compatible with Identity Management systems that support the SAML 2.0 protocol.  Setup involves setting metadata in both DonorPoint and the company's identity management system.

SAML metadata from DonorPoint is available via a public page which can be found on the workplace campaign form's Sharing tab.

Many identity management systems can read the information they need to trust DonorPoint from the metadata link itself.

DonorPoint needs the following information from the identity management system:

  • EntityID:  the identity manager's Identity Provider EntityID.
  • Single sign-on service URL:  the URL in the identity management system for login requests from DonorPoint.  This must support HTTP-Redirect binding.
  • X.509 certificate: the identity manager's Identity Provider public security certificate.

Optionally, the following may also be submitted:

  • Security signature algorithm:  DonorPoint supports rsa-sha1 by default.
  • Force Authn: whether to force authentication on each initial form access.  By default DonorPoint will only attempt to re-authenticate after 15 minutes of inactivity.
  • Account prefix: text to prepend to the NameID returned by the identity management system to create the DonorPoint username.

Additionally, the identity management system and DonorPoint must agree on the format of the user name that is returned by the identity management system.  DonorPoint expects the NameID parameter to be returned and match a DonorPoint user account.  This means that the username field in employee import files and the NameID defined in the identity management service must match.
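
The following is an added example, not DonorPoint code: a Python sketch that pulls the three required values (EntityID, HTTP-Redirect single sign-on URL, X.509 signing certificate) out of an identity provider's SAML 2.0 metadata and checks that each NameID, with the account prefix applied, matches a username from the employee import file.  It assumes the identity management system publishes a single standard EntityDescriptor document; the function names, host names, certificate body and usernames are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata; host names and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIBplaceholder
        CERTBODY==
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(metadata_xml):
    """Return the EntityID, HTTP-Redirect SSO URL and signing certificate(s)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    if not urls:  # the page requires HTTP-Redirect; HTTP-POST alone is not enough
        raise ValueError("IdP does not offer the HTTP-Redirect binding")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing too
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # strip line wraps
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sso_url": urls[0], "x509_certs": certs}


def unmatched_name_ids(name_ids, imported_usernames, account_prefix=""):
    """NameIDs whose prefixed form has no matching username in the import file."""
    known = set(imported_usernames)
    return [n for n in name_ids if account_prefix + n not in known]
```

Running `unmatched_name_ids` against the import file before go-live surfaces employees who would authenticate at the company login but have no matching DonorPoint record.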