Authentication vs single sign-on
Authentications and single sign-ons (SSOs) are both ways of leveraging data that you already have to make the experience of using your website easier and smoother for both visitors and site administrators.
- An authentication is the connection between another service and Finalsite.
- Users log directly into Finalsite using the credentials from the other service.
- An SSO is the connection between Finalsite and another service.
- Users log directly into the other service from Finalsite. Read more in the article, Single sign-on overview.
Authentications and SSOs are maintained in Integrated Services Manager found in the module menu.
A full list of the authentication options we provide can be found below:
Finalsite authentication
Read the article, Finalsite authentication to learn more!
Full list of authentication options
Senior Systems
With a Senior Systems integration, we can also configure authentication with Senior Systems so that users can log into Finalsite using the credentials housed and managed in Senior Systems. This is configurable per role.
With the Authentication configured, you can use “deep links” to land users in various sections of MyBackpack in Senior Systems. A full list of these targets is available from Senior Systems.
These deep links will serve to land the user, authenticated, in MyBackpack from a link in the Finalsite portal.
Veracross
We offer an option that will allow your users to log into Finalsite via Veracross. This is a redirect authentication that will send users in roles set to use Veracross Authentication to Veracross to log in, and then redirect back to Finalsite.
To use this option, you will need to configure an OAuth application in Veracross (detailed steps can be provided at time of deployment). We will also need to enable staggered login in Finalsite. “Staggered” means that the username and password fields are on separate screens rather than having both fields displayed together and submitted with a single “log in” button.
Blackbaud Education Management
Schools with Blackbaud Education Management integrations can allow users to log into the website using their Blackbaud usernames and passwords. When Blackbaud Authentication is activated, your users log in to Finalsite via Blackbaud in two ways:
- A link pointing users to “Login with Blackbaud” on your login page.
- A “Staggered Login” so that users will enter their username directly in Finalsite.
If that user is configured to authenticate with Blackbaud, they will be redirected to Blackbaud for authentication.
In either scenario, once the user is redirected to Blackbaud for authentication, then:
- IF THEY ARE LOGGED INTO BLACKBAUD ALREADY, they will be immediately authenticated in Finalsite and land on the appropriate portal
- IF THEY ARE NOT LOGGED INTO BLACKBAUD ALREADY, they will be redirected to the Blackbaud login page where they can enter their credentials. If the credentials are valid, they will be redirected back to Finalsite and land on the appropriate portal.
Once logged into Finalsite this way, the user is authenticated in both systems. This means that users who click links from the Finalsite portal to protected areas of Blackbaud will land on the appropriate page without having to log in again.
Important Note
It is important to note that when using staggered logins, ALL users in the roles that log in via Blackbaud will need to have their own Blackbaud account. Users in these roles who ONLY have Finalsite accounts (and not Blackbaud accounts) will not be able to log in.
The setup for this is documented by Blackbaud here: https://developer.blackbaud.com/skyapi/apis/school/sso-tutorial. Your deployment specialist will provide you with more detailed steps if you are configuring authentication via Blackbaud.
Finalsite offers an Authentication option allowing users to log in with their Google Account. This is detailed in the article, Google Authentication.
LDAP Authentication
An LDAP (Lightweight Directory Access Protocol) server synchronizes each user’s password across multiple databases, such as your student information server, your campus email system, and your Finalsite website. LDAP integration is an easy, reliable process for allowing some or all of your constituents to log into various school systems, including your Finalsite school website, using the same username and password provided by your domain’s LDAP server.
ADFS Authentication
Finalsite has recently added a way to allow constituents/users to authenticate into Finalsite using your in-house ADFS system as the Identity Provider. This is configurable by admin group or constituent role, so there is some flexibility in how your users will authenticate. This is done using a SAML 2.0 connection.
Azure Authentication
Working in tandem with the Azure Integration, we offer a SAML-based authentication option that can be configured to allow constituents and/or admins to log into Finalsite via Azure Active Directory.
SAML Authentication (General)
If you prefer to manage access for constituents and/or admin users with your own identity provider (IdP), Finalsite offers a SAML authentication method that can be used for this purpose. Most common IdPs support configuring Finalsite as a service provider in this way.
Using a SAML authentication allows you to redirect users to your own login pages for your IdP, and also allows you to implement any authentication protocols you may enforce, including two-factor authentication and password requirements. This can be configured in Finalsite per admin group or per constituent role.
As a prerequisite for this integration, the usernames in Finalsite need to match an attribute on the IdP side to ensure the connection works reliably.
SAML Authentication also supports Single-Logout that is service provider-initiated and uses the Redirect method.
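When troubleshooting an IdP configuration, it helps to be able to read the logout request that the Redirect method places in the URL. The following is an added example, not Finalsite's code: it encodes and decodes a constructed LogoutRequest per the SAML 2.0 HTTP-Redirect binding, and the entity ID, IdP URL and username in it are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML_BYTES = 64 * 1024  # cap on inflated size (guards against deflate bombs)

# Constructed sample message: entity ID, IdP endpoint and user are hypothetical.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed123" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/slo">'
    '<saml:Issuer>https://school.example.org/saml/metadata</saml:Issuer>'
    '<saml:NameID>jdoe</saml:NameID></samlp:LogoutRequest>'
)

def encode_redirect(xml_text, idp_slo_url, relay_state=None):
    """SP side: raw DEFLATE, then base64, then URL-encode into SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_slo_url + "?" + urlencode(params)

def decode_redirect(url):
    """Reverse the encoding and pull out the fields worth checking."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_XML_BYTES)
    if not inflater.eof:
        raise ValueError("message is truncated or exceeds the size cap")
    # ElementTree is fine for your own captured traffic; use defusedxml
    # when parsing messages from an untrusted source.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:NameID", namespaces=NS),
        "relay_state": query.get("RelayState", [None])[0],
        # In this binding the signature travels in the query string, not the XML.
        "signed": "Signature" in query and "SigAlg" in query,
    }
```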
- It is important to note that SAML authentication is limited to signing users into a single domain for your website. If your organization is hoping to have users sign into several domains, we recommend another authentication option that works across multiple domains, such as LDAP Authentication or Google Authentication.