Inkling supports on-demand creation and authentication of Inkling library users using SAML 2.0 Single Sign-on (SSO). Implementing SSO automates and streamlines user data uploads and user authentication. Your users will not need to remember a separate set of login credentials to access their library.
SAML 2.0 SSO does not support disabling user accounts. You must submit a CSV file to deactivate users.
This topic provides information on the data we require to set up and test your SSO implementation, and also describes different landing and logout page options for your users.
Getting Started
To get set up to manage users with SSO, first work with your Inkling representative and your SAML identity provider (IdP) to determine if the IdP meets the minimum requirements:
- Confirm that your IdP uses the SAML 2.0 protocol and supports TLS v1.2.
  Inkling provides SSO within our applications only to IdPs that support the required protocol.
  Apple requires TLS v1.2 for iOS v9+ devices. If your IdP supports only TLS v1.0 and v1.1, users on iOS 9+ devices will be unable to log in to their Inkling library.
- Confirm that your IdP can transmit all user attributes your organization needs for the Inkling Distribution Rules functionality to work.
  If your provider cannot transmit all the attributes required by your organization, you must submit a CSV user data file to create user accounts.
If the IdP does meet the minimum requirements described above, then complete these remaining steps:
- Determine if there are existing users in the system who need new or secondary SSO accounts.
  Your organization may have users who were previously added using a CSV file or the Habitat interface. These users will need new accounts to avoid duplicate accounts.
  Your organization also may have Habitat users who want to access the Inkling library using a separate SSO account. These users will need two accounts: a non-SSO account for Habitat and an SSO account for the Inkling library.
- Decide whether to turn on Automatic User Provisioning (AUP).
  If you enable this option, Inkling will automatically create new user accounts for unrecognized users during their initial login. You must provide Inkling with details of which SAML claims to use to populate the mandatory user attributes. See Understand the Inkling user data model.
  For Inkling customers who have elected to enable AUP, users previously deactivated via user import methods will be automatically reactivated upon a subsequent valid login request originating from their IdP. This eliminates the need for User Admins to reactivate deactivated users via user import when they have proper login permissions granted via their IdP.
- Decide whether to enable Automatic Capture of User Attributes (ACUA).
  If you enable this option, Inkling will automatically capture custom attributes sent by SAML when users log into Inkling.
- Determine if you must send Inkling a supplemental CSV file of user data.
  If either of the following is true, you must submit a CSV user data file to create user accounts:
  • You do not enable AUP.
  • You do not enable ACUA, and you use Inkling Distribution Rules functionality to distribute published content.
- Provide Inkling with your SSO IdP service.
- Decide on landing page and logout page experiences for your users.
- Create a company code for user authentication.
  Your users need to enter this code to access their content.
- Provide test user data to Inkling for SSO configuration testing.
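
Before relying on AUP or ACUA, it helps to confirm that a test assertion from your IdP actually carries every claim you plan to map to user attributes. The sketch below is an added example, not Inkling's code: the claim names, the mapping and the sample assertion are constructed placeholders, and it only inspects attributes (it does not verify the assertion's signature).

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical mapping agreed with Inkling: user attribute -> SAML claim name.
CLAIM_MAP = {
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
    "region": "department",  # custom attribute a distribution rule depends on
}

# Constructed test assertion (unsigned, trimmed to the attribute statement).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>pat@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue/></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_claims(xml_text):
    """Return {claim name: [non-empty values]} from a SAML 2.0 assertion."""
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in assertion")
    claims = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{ASSERTION_NS}}}Attribute"):
        values = claims.setdefault(attr.get("Name"), [])
        for value in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return claims


def missing_attributes(xml_text, claim_map):
    """List mapped user attributes whose claim is absent or empty."""
    claims = assertion_claims(xml_text)
    return sorted(attr for attr, claim in claim_map.items() if not claims.get(claim))


if __name__ == "__main__":
    print("Missing or empty:", missing_attributes(SAMPLE_ASSERTION, CLAIM_MAP))
```

A claim that is present but empty is reported the same as a missing one, since either leaves the mapped attribute unpopulated and points toward the supplemental CSV path described above.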