Set Up Single Sign On (SSO)

Context

Signing in with Single Sign On (SSO) is one of four ways to sign into Demandbase One (SSO, password, Google, or Salesforce). If you set up your users to sign in with SSO, the other methods become unavailable to them. See Log in to Demandbase One for further detail.

Important: Setting up SSO for login is optional.

Prerequisites/Preparation

To connect to the Demandbase Platform, you must:

• Use an SSO system that supports SAML 2.0, such as OKTA
• Be able to input a Relay State URL (usually only a challenge for homegrown solutions)

Steps: Setup

1. Create a stub application in the SSO provider system.
2. Provide the following information to your Implementation team:
   
   • IdP Issuer URI
   • IdP Single Sign-On URL
   • IdP Signature Certificate
   •  Email domain used by the company (e.g., @demandbase.com or @an.demandbase.com)
3. The Demandbase team creates a corresponding Identity Provider and Routing Rules, then share the following information back with you:
   
   • Assertion Consumer Service URL
   • Audience URI
   • Relay State URL
4. Go to the stub application you’ve created in your SSO provider and enter the information provided by Demandbase to finish configuring the connection.

Steps: Testing

1. Confirm that the setup steps are complete and ask Demandbase to enable the connector, either for a specific individual conducting the testing or for the whole team.
2. Test the connection in two ways:
   
   • Navigate to the Demandbase Platform from your SSO homepage.
   • Log out of SSO and navigate to https://web.demandbase.com.

Steps: Deployment

1. Communicate to the team that their login experience will change to sign in with SSO, and they cannot use other methods.
2. Make sure to create users before their SSO connection will work. (Some SSOs use Just-In-Time Provisioning, which Demandbase does not support. For new employees, create the user in Demandbase One before they can log in. If you want an exception to your tenant-level rule, for example, a contractor with a different email, contact Support to create an exception.)
3. (Optional) If you’re using a system such as OKTA, you can include a Demandbase image file for the tile.

Troubleshooting

If a colleague is unable to sign in with SSO, check these first:

• User is signing in from the SSO tile, or from the correct web site: https://web.demandbase.com
• You created them as a user
• If the user, such as a contract worker, does not use your domain, contact Support to make an exception.