Ambassify allows customers to connect their existing authentication services to those of Ambassify using a few authentication protocols like SAML, WS-Federation, and OAuth. This means that these customers' advocates can log in to Ambassify's platform with their existing login credentials.

With single sign-on (SSO), users can sign in using their corporate credentials to access multiple systems and service providers, including Ambassify.

For example, a company using Google's "G Suite" could let their employees log in to Ambassify utilizing the e-mail and password they usually use to access their company e-mail account.

Another common use case is a company where all user authentications are managed by a corporate authentication system such as ADFS or Azure AD (generically referred to as an identity provider or IdP).

Ambassify establishes a trust relationship with the IdP and allows it to authenticate and log users into Ambassify.

Other examples could be a customer having a webshop or forum where their users can log in. Logging in to Ambassify would be much easier for these users if they could use their credentials from the webshop or forum. This becomes possible if the webshop or platform supports any of the Single Sign-on protocols supported by Ambassify.

Another massive advantage of using SSO authentication is that it can allow a customer to skip sending community invites to all their advocates before they can access the Ambassify platform.

Once the SSO has been set up, the customer can enable "automatic advocate accounts." This will let anyone who can log in using their IDP credentials (so anyone who exists in the customer's database) log in to the Ambassify community without having to receive an invite link first. The customer is in control and can decide which users in their database should receive permission to access Ambassify.

While creating new Ambassify accounts for everyone who logs in automatically is possible, account synchronization isn't part of the default SSO setup. This means that once an Ambassify account has been connected to its counterpart on the customer's IDP, it won't get updated anymore if data on the IDP changes. This also means that when an account is deleted on the IDP, it will not be deleted in Ambassify. The Ambassify user will be able to keep using their account as long as they're still logged in but won't be able to log in using the SSO connection anymore.

We do offer support for customers with Enterprise SSO to create automatically,

update, and delete Ambassify users based on the data in the customer's own user database (e.g., Active Directory.)

To make this work, the customer's end of the connection needs to support the SCIM protocol as well.

If you are interested in learning more about this specific feature, you can contact your Customer Success Manager.

Next to the SAML protocol, we also support OAuth, OpenID Connect, and WS Federation out of the box. Other protocols will need further investigation first.

SSO authentication is not included in our plans but is available on demand. If you are interested in this feature, please reach out to your Customer Success Manager or Account Manager, and we can give you all the necessary information about the costs and the set-up.