SAML & SSO for Brandfolder

With SAML (Security Assertion Markup Language), you can quickly implement a seamless authentication process for all your Brandfolder users.

Brandfolder Image

We can connect with any SAML 2.0 authentication provider. Some of the providers include:

• Azure
• Okta
• OneLogin
• IBM

Options for user access:

1. General Access Setting - You can enable general access for all users. 

This is done through the UI by navigating to the Organization level > Settings > Manage Users. 

• Select the Organization, a specific Brandfolder, or a Collection you want users to access.
• You will find a drop-down for Default Permission Level in the top right-hand corner. Here you can select None, Guest, or Collaborator.
• When this setting is enabled, any user who logs in through SAML will automatically have access to a specific Brandfolder and/or Collection to that particular permission level.

Be super careful when adding default permissions at the Organization and Brandfolder levels.

2. Team Access Settings - Teams allow a specific group of users set up within the IdP to gain a specific level of access within Brandfolder. This allows some or all users to be divided into separate teams (or departments) for different privacy levels across different Brandfolders and Collections.
   • You can accomplish this by releasing a custom attribute in the SAML response named teams with the associated group value.
   • You can also release a specific claim using ADFS as your IdP. 
   • Once the configuration is complete, use the Team Configuration sheet as a guide. Create your own and send it to Brandfolder support or your designated Brandfolder contact. 
   •  This document must include:
     • Team Value (the group name)
     • The access level the team value should receive (Organization, Brandfolder, Collection)
     • The permission level the team should receive (Owner, Admin, Collaborator, Guest)
3. Custom Access - If the two options above do not work for your use case, an organization administrator can add a user to a specific Brandfolder or Collection outside the traditional team/general access granted. You can learn more in the User Management, Invitations, and Messaging article. 

Attributes for user profiles 

• We require the nameid for the user to be an email address.
• We recommend passing the user’s first name: givenname, and last name: surname.
• You can also pass along the company, title, and department associated with a user. 

The options in the arrays below are potential values that Brandfolder looks to map off of. These options are beneficial when tracking analytics around your assets. 

def self.userattr_samlattr_mapping { "first_name": ["first_name", "firstname", "givenname"], "last_name": ["last_name", "lastname", "surname"], "company": ["company", "company_name"], "title": ["title"], "department": ["department"] } end

Brandfolder and SSO 

SSO (Single Sign On) is another option for user authentication through Brandfolder. SSO allows clients to integrate whichever user account system they have in place with Brandfolder to reduce the number of passwords and login screens users have to manage.