Ambassify allows customers to connect their existing authentication services to those of Ambassify using a few authentication protocols like SAML, WS-Federation, and OAuth. This means that these customers' advocates can log in to Ambassify's platform with their existing login credentials.
Single sign-on
With single sign-on (SSO), users can sign in using their corporate credentials to access multiple systems and service providers, including Ambassify.
For example, a company using Google's "G Suite" could let their employees log in to Ambassify utilizing the e-mail and password they usually use to access their company e-mail account.
Another common use case is a company where all user authentications are managed by a corporate authentication system such as ADFS or Azure AD (generically referred to as an identity provider or IdP).
Ambassify establishes a trust relationship with the IdP and allows it to authenticate and log users into Ambassify.
Another example is a customer with a webshop or forum where their users can log in. For these users, logging in to Ambassify would be much easier if they could use their credentials from the webshop or forum. This becomes possible if the webshop or forum supports any of the single sign-on protocols supported by Ambassify.
Skipping community invites
Another massive advantage of using SSO authentication is that it can allow a customer to skip sending community invites to all their advocates before they can access the Ambassify platform.
Once the SSO has been set up, the customer can enable "automatic advocate accounts". This will let anyone who can log in using their IdP credentials (so anyone that exists in the customer's database) log in to the Ambassify community without having to receive an invite link first. The customer is in control and can decide which users in their database should receive permission to access Ambassify.
What isn't part of single sign-on
While automatically creating new Ambassify accounts for everyone who logs in is possible, account synchronization isn't part of SSO. This means that once an Ambassify account has been connected to its counterpart on the customer's IdP, it won't get updated anymore if data on the IdP changes. This also means that when an account is deleted on the IdP, it will not be deleted in Ambassify. The Ambassify user will be able to keep using their account as long as they're still logged in but won't be able to log in using the SSO connection anymore.
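Because deletions and profile changes on the IdP are not propagated, offboarding needs a separate reconciliation step. The sketch below is an added example, not Ambassify code: it compares a user export from the IdP with a member export from the platform and lists SSO-linked accounts that no longer have an active IdP counterpart, or whose data has drifted. The CSV layouts, the column names (`enabled`, `login_method`) and the handling of disabled IdP users are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not an Ambassify or IdP export format.
IDP_EXPORT = """email,display_name,enabled
ann@example.com,Ann Peeters,true
bob@example.com,Bob Maes,false
dana@example.com,Dana Janssens-Smit,true
"""

AMBASSIFY_EXPORT = """email,display_name,login_method
ann@example.com,Ann Peeters,sso
bob@example.com,Bob Maes,sso
carl@example.com,Carl Dubois,sso
dana@example.com,Dana Janssens,sso
eve@example.com,Eve Claes,password
"""


def load(text):
    """Index CSV rows by lower-cased e-mail address."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(idp_csv, platform_csv):
    """Return SSO-linked platform accounts that need manual action.

    orphaned: no longer present on the IdP, or disabled there
    drifted:  still active on the IdP, but profile data differs
    """
    idp, platform = load(idp_csv), load(platform_csv)
    orphaned, drifted = [], []
    for email, acct in sorted(platform.items()):
        if acct["login_method"] != "sso":
            continue  # accounts not linked to the IdP are out of scope
        src = idp.get(email)
        if src is None or src["enabled"].strip().lower() != "true":
            orphaned.append(email)
        elif src["display_name"] != acct["display_name"]:
            drifted.append(email)
    return {"orphaned": orphaned, "drifted": drifted}


if __name__ == "__main__":
    for kind, emails in reconcile(IDP_EXPORT, AMBASSIFY_EXPORT).items():
        print(kind, emails)
```

Accounts reported as orphaned are the ones to remove from the community by hand as part of offboarding, since an existing session stays usable after the IdP account is gone.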
Supported protocols
In addition to the SAML protocol, we also support OAuth and WS-Federation out of the box. Other protocols will need further investigation first.
SSO authentication is not included in our plans but is available on demand. If you are interested in this feature, please get in touch with your Customer Success Manager or Account Manager, and we can give you all the necessary information about the costs and the set-up.