1. Principles Help Center
  2. Administrator Resources

Configure SSO (Enterprise clients only)

If you have signed up for one of our Enterprise plans and your team or company uses an identity provider (such as Active Directory, Azure AD, LastPass, Okta, OneLogin, SecureAuth, Entrust Identity, etc.), you can optionally configure it with PrinciplesUs. This will need to be done by an Administrator of your Enterprise organization. 


Follow these steps to configure SSO for your account: 


1) Navigate to the Administration tab of the application and select SSO. 

2) Provide a Login Subdomain and Refresh Token Expiration. 

  • Login Subdomain - This is the URL your organization will use to access PrinciplesUs. We recommend that this be similar, or the same as, your team or organization name. If you don’t remember the name of your team or organization, you can find it in the Settings tab of Administration. 
  • Refresh Token Expiration - This is how long users will stay logged in before they are logged out and required to log in again. This is set to 30 days by default. 



3) Select between one of the following authentication protocols: Security Access Markup Language (SAML) or OpenID Connect (OIDC). 

4) Configure your identity provider (IdP) by filling out the required fields. All required fields can be found in the Administration console / dashboard for your identity provider. If you’re not sure where to find any of the required fields, please contact support for your particular identity provider. 

Your identity provider may also need the following field(s) while setting up the connection: 


SAML


Single sign on URL: https://principles-prd-primary.auth.us-east-1.amazoncognito.com/saml2/idpresponse


Audience URI: urn:amazon:cognito:sp:us-east-1_LNfGXNssl




OIDC


Sign-in redirect URI: https://principles-prd-primary.auth.us-east-1.amazoncognito.com/oauth2/idpresponse




5) Provide field mapping information for users. These are fields that contain user-related information that will get pushed to PrinciplesUs. The field names (also called mappings) can be found in the Administration console / dashboard for your identity provider.  If you’re not sure where to find these fields, please contact support for your particular identity provider. 

  • Field Name for User’s Name - This should be the field name for a user’s display name
  • Field Name for Unique Identifier - This should be the field name for a user's unique ID.
  • Field Name for Email - This should be the field name for a user’s email address. This is the email they will use to sign in with.

Once set up properly, anyone who belongs to your company or group’s organization will be required to log in to their Principles account using your preferred identity provider. They can do this by going to the login subdomain you have chosen in step 2 above.