How do you set up SSO in Canto?

This article describes the process we follow to activate SSO on your Canto.

We provide all the information and steps involved in setting up Single Sign-On (SSO) to streamline the process.

Our IT Consultant would go through these questions before starting the process, so to fast-track getting SSO activated we have provided this article for collecting the necessary information. Please be aware that SSO should be the last step of the migration/activation process: once it becomes active it will be the only way to log in, and all external Canto account users will be blocked.

When databasics contact Canto Support, they require customers to answer the questions below for the configuration set-up.

  1. What identity provider (IDP) are you using? 
    e.g. Azure AD (Entra ID), ADFS, Okta or G-Suite?
  2. Who should be able to log in to Canto? 
    e.g. Users within your organisation only, or Users within your organisation + users that do not have your organisation's login but require access to Canto (e.g. agencies, partners or customers)?
  3. Do you want to manage Canto roles for your IDP users within your IDP or in Canto? 
  4. Do you want to manage Canto groups for your IDP users within your IDP or in Canto?
  5. Do you allow your Consumers to access the Main Library of Canto, where all content is displayed?

Note: We recommend the below for questions 2-4, but it is still up to the customer how they would like to set up their SSO:
2. Hybrid login mode
3. Manage role in IDP
4. Manage the group in Canto

 

3. databasics recommends that your Canto roles be managed in the IDP so that users can be managed by your company's IT team. However, if hybrid mode is still necessary, then it would be easier to manage all users in Canto.

4. Canto groups are a built-in Canto feature that has people select a group rather than a single user, so that certain access permissions can be allocated to groups of people. Groups should only be managed in Canto.


Transparency in Canto's Role 

Once these questions are answered, Canto will need you to provide the federation XML, as requested on the support page. With that and the answers to the above questions, Canto Support can get SSO set up.

Note: For any customer who is integrating SSO with Azure AD, we also need the group unique id from your Azure AD.


Initially, both Canto login and SSO login will be enabled. Do not use SSO during this phase, as it will not work yet. We will then contact Canto to set up role management with the identity provider. Canto Support must then set up the following from the information you have provided:

  • Role management in their IDP
  • Canto group management in Canto
  • Have hybrid mode activated (both Canto and SSO login)
  • SSO Consumers are able to open the main library

Once this is completed, Canto will notify us, and we will then contact you with the result so that you can test and identify any error messages that arise. If hybrid mode is no longer needed, we will deactivate it so that Single Sign-On becomes the only functional sign-in process.

For additional resources please see the Single Sign On Article provided by Canto.