
What’s next after SSO has been set up in your Canto instance?

Depending on how you choose to manage your Canto roles, there are two different scenarios:

Scenario 1 - Managing the user account in your Identity Provider (IDP)

If you chose to manage your Canto roles in your Identity Provider (IDP), such as Azure AD, ADFS or Okta, your IT team needs to assign your Canto users to the relevant Canto AD group. Please note that the Canto AD groups were set up and the IDP was chosen during the SSO setup phase. There should be three AD groups set up in your IDP: CantoAdmin, CantoContributor and CantoConsumer. These AD groups correspond to Canto user roles, so if a user needs to be an admin user, the IT team needs to assign the user to the CantoAdmin AD group.

After the user has been assigned to the CantoAdmin AD group, the IT team should ask the user to go to their Canto login page and click the “Login using SSO” button to log in with their organisation account. After a successful login, a new user entry with the “SSO” login type should be registered under Settings -> Users (as shown below).

 

Scenario 2 - Managing the user account in your Canto instance

If you chose to manage your Canto roles in Canto, you need to ensure that both the in-built login and the SSO login are enabled at the same time. The first admin user needs to log in to Canto with the “Login using SSO” button to register a user entry for themselves. By default, a user account that logs in with SSO is created as a consumer user.

Open a different browser, or log out of your existing logged-in account in the current browser. Log in with the regular “login” button using your in-built admin account, and assign the SSO user that you just created to the “Admin” role.

Log out of your current account and log back in with the SSO admin user. Check whether you can now access “Settings” by hovering your mouse cursor over the avatar icon located at the top right corner of your browser window. If you can, you may now remove the Admin account that uses the in-built login, which has a “Canto” login type on the user list (as shown below).

 

For both scenarios, we will enable both the in-built login and the SSO login while the customer is setting up their users. This is meant to reduce downtime during the setup if anything goes wrong, so that the customer will still be able to access their Canto Library even if SSO has been set up incorrectly. Once the user successfully logs in with SSO, you will be able to confirm whether the SSO integration has completed successfully.