• All Files

Identity provider management

Third-party identity providers (IdP), including ADFS, Azure Active Directory, Google G-Suite, Okta, Ping Identity, and Salesforce, can be configured to work with Prysm. When an IdP is configured, Prysm customers can sign in to Prysm using a single sign-on (SSO) with their company-issued credentials. This makes signing in to Prysm easier for users, and it simplifies user management for Org Admins.  In addition, Org Admins can invite new users and specify that new users are automatically assigned Prysm licenses to make it easier to allow users to collaborate in Prysm.

Note: The Prysm Remote Touch Console is not supported for IdP users.

Before you begin to configure identity providers

Before you begin, make sure the following people are participating in the process:

  • Prysm Org Admin
  • Identity Provider Administrator
  • Optional: Active Directory Administrator

About security and identity providers

For reference information about the benefits of integrating an Identity Provider with Prysm, see Enhancing security and user authentication.

Note: If you have a legacy Active Directory integration and you want to leverage a modern Identity Provider integration for user authentication, you must turn off the Active Directory setting in Admin Portal in the settings profile for each affected Prysm Application Appliance. See Disabling legacy Active Directory.

Process for configuring identity providers

Configuring your enterprise identity provider (IdP) to work with Prysm is a process that requires you to complete several steps in your identity provider and in Prysm. When you're done with the entire process, your Prysm users can sign in using SSO and their company-issued credentials.

Warning: The steps below outline the entire process. Several steps of the process include links to step-by-step instructions that you need to complete. It's important that you complete all steps in the process and all the step-by-step instructions. If you don't, you can unintentionally lock all your Prysm users out of their accounts.
ClosedStep 1: Add email domains to your account

Contact Prysm support at support@prysm.com so that they can add your organization's email domains to your Prysm account.

Who performs this task?

Prysm support

ClosedStep 2: Configure your identity provider and Prysm

Configuring your identity provider and Prysm to work together requires the following:

  • Configure your identity provider to work with Prysm.
  • Configure Prysm to work with your identity provider.

Who performs this task?

Your Prysm Org Admin and the admin of your identity provider account should work together on these configuration steps.

Step-by-step instructions:

Select your enterprise identity provider:

ClosedStep 3: Manage user privileges with groups

Groups in your identity provider and in Prysm help you manage users.

  • Create a user group in your IdP and Active Directory, as appropriate.
    Note: For ADFS, Azure AD, Okta, and Ping Identity, you create and manage user groups in their configuration settings. G Suite and Salesforce do not support user groups, so for those providers, you create and manage them in Prysm Admin Portal.
  • Assign a small group of Prysm users to your IdP user group.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Associating Prysm permission groups and identity provider groups.

ClosedStep 4: Do a test conversion of a few users

Convert a subset of existing Prysm users to IdP authentication as a test.

Warning: Don't skip this testing step. If you convert all of your users to IdP authentication without testing, and something in your configuration is not correct, you can lock all users out of their accounts.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Converting user authentication.

ClosedStep 5: Identify users that shouldn't be converted

You might have some users, such as users designed to be automatically signed in to public displays, that you don't want to convert to IdP authentication. You need to manually disable IdP authentication for these specific users so that they will continue to access Prysm using Prysm authentication.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Step 3 in Converting user authentication.

To understand the types of authentication, see User authentication.

ClosedStep 6: Convert all users

After your successful test to verify the IdP configuration and manually disabling any specific users, convert all remaining users to IdP authentication.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Auto Provisioning.

ClosedStep 7: Invite new users to Prysm

Invite your new users to Prysm using a bulk invitation.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Inviting users in bulk

ClosedStep 8: Monitor responses to your invitation

Monitor users who have signed in to Prysm, and resend invitations to users who have not responded.

Who performs this task?

Prysm Org Admin

Step-by-step instructions:

See Resending user invitations

Note: At this time, Prysm does not support initiating sign in to Prysm from an Identity Provider’s web site. For example, Prysm does not yet support signing in directly from the Azure web site at portal.azure.com.
Top