How do you set up SSO in Canto?

This article explains the process we follow to activate SSO on your Canto account.

Written by Brayden Best, databasics CX Consultant 05/12/2022

This article provides the information and steps involved in setting up Single Sign On (SSO), so that the setup process can be streamlined.

Our IT Consultant would go through these questions before starting the process, so to fast-track getting SSO activated we have provided this article for collecting the necessary information. Please be aware that SSO should be the last step of the migration/activation process: once it becomes active it will be the only way to log in, and all external Canto account users will be blocked.

When databasics contacts Canto Support, they require customers to answer the questions below for the configuration setup.

  1. What identity provider (IDP) are you using, e.g. ADFS, Azure or G-Suite? (Azure AD, Hybrid Sign on)
  2. Who should be able to log in to Canto? IDP users only or your IDP users + users that have been manually created in Canto and are not part of your IDP environment (e.g. agencies, partners or customers, Australia based, Europe, etc.)?
  3. Do you want to manage Canto roles for your IDP users within your IDP or in Canto?
  4. Do you want to manage Canto groups for your IDP users within your IDP or in Canto?

Note: We recommend the below for questions 2-4:
2. Hybrid mode for the initial setup, but move to SSO only
3. Manage role in IDP
4. Manage group in Canto


2. While there is an option that allows you to use hybrid mode login, we don't recommend using it unless you really need it. With both SSO and Canto login users enabled, it can easily become dysfunctional if the person who manages the users forgets to update the details, and more often than not it has become mismanaged due to staff turnover. Let's keep it simple.

3. databasics recommends that your Canto roles be managed in the IDP so that users can be managed by your company's IT team. However, if hybrid mode is still necessary, then it would be easier to manage all users in Canto.

4. Canto groups are a built-in Canto feature that has people select a group rather than a single user, so that certain access permissions can be allocated to groups of people. Groups should only be managed in Canto.


Transparency in Canto's Role 

Once these questions are answered, Canto will need you to provide the federation XML, as requested on the support page. With the federation XML and the answers to the above questions, Canto Support can get SSO set up.

Note: For any customer who is integrating SSO with Azure AD, we also need the group unique ID from your Azure AD.


Initially, both Canto and SSO login will be enabled. Do not use SSO during this phase, as it will not work yet. We will then contact Canto to set up role management for identity providers. Canto Support must then set up the following from the information you have provided:

  • Role management in their IDP
  • Canto group management in Canto
  • Have hybrid mode activated (both Canto and SSO login)
  • SSO Consumers are able to open the main library

Once this is complete, Canto will notify us, and we will then contact you with the result so that you can test and find any error messages that could arise. If hybrid mode is no longer needed, we will deactivate it so that Single Sign On becomes the only functional sign-in process.

For additional resources please see the Single Sign On Article provided by Canto.