After your IT team and Frontify Support have set up Single Sign-On (SSO) access, the next step is to set up permissions for SSO users. There are 3 ways to manage SSO user permissions:
- Active Directory application access & limitations
- Smart Groups
- User Groups with SSO (group mapping)
1. Active Directory application access & limitations
Limiting access to Frontify can be done from your company's Active Directory. This is done using user groups in the Active Directory. For example, users in the Marketing department might be in the user group 'marketing' and those in Sales in the 'sales' user group.
SSO setup connects your Active Directory to Frontify. This way all employees in the Active Directory can log in to Frontify with their SSO credentials and without having to be invited. Your IT department can limit access, however, and only allow certain user groups to log in to Frontify with SAML, instead of your entire company's Active Directory. For example, the user group 'engineering' might not have access, while 'design' would be granted access.
Note: The Frontify user list will not pull in all Active Directory users automatically. Users will only appear on the Frontify usage page after they have logged in for the first time.
2. Frontify Smart Groups
You are probably already familiar with Frontify User Groups. Individual users are manually added to these groups.
With Smart Groups, users are automatically included in the groups. Frontify Support and your Customer Success Manager must help you set up Smart Groups.
Smart Groups automatically include users based on selected filters that make the most sense for your Frontify environment. These include:
- All logged-in users
- Users based on email domain (include/exclude specific email domains)
- Mode of last login (SSO or username/password)
- Mode of user account creation (through SSO or by invitation)
- Country/region information (two-letter code)
After your SSO is set up, you can use Smart Groups to give all SSO users access to one or more projects within Frontify. This way, a new user who logs in via SSO (rather than by invitation) will not see an empty Frontify dashboard but, for example, your company's main Style Guide.
3. User Groups with SSO: Your Active Directory + Frontify
A third option for managing SSO users is to map your company's Active Directory (AD) user groups to Frontify groups.
With group mapping, you tell your Active Directory to include the users of a specific Active Directory user group in a Frontify user group.
For example, a user in the Marketing department might belong to the Active Directory user group marketing. You can then create a group in Frontify called, for example, "Marketing" and use SSO Group Mapping to specify that you only want users from the Active Directory user group marketing to belong to this group. When a user from this user group logs in to Frontify, they will automatically be added to the Marketing group and have access to all the projects that group has access to.
Note that after you have mapped Active Directory user groups to Frontify user groups, users will appear as part of a group only when they log in after the mapping has been done.