📌 Note: This feature is only available on our Enterprise or Network plans. For help adjusting your plan please contact support at [email protected].
Where to start
Single sign-on (SSO) allows you to give members of your team one account to sign into all the systems your organization uses. NationBuilder allows you to integrate your nation as a service provider with the following identity providers:
Entra ID
Google Workspace (using OIDC)
Keycloak
Microsoft Active Directory Federation Services (ADFS)
Okta Workforce Identity (using OIDC)
PingFederate
Generic OIDC
Generic SAML
Your permission set must have access to the Settings section of the control panel and you must have the "Manage authentication" permission to use these instructions.
Set up a new SSO provider
Go to Settings > Login and security > SSO > New SSO provider. If you do not see the SSO option in the Login and security settings, contact your Enterprise Account Manager to have single sign-on enabled. Your nation must be on the Enterprise or Network plan to use this feature.
1. Enter the provider name. This name will appear on the login screen button after the words "Continue with" and must be 100 characters or fewer.
2. You have the option of giving new users access to your control panel. If this option is set to None, new users signing in through your identity provider will only be able to access areas of your public website; they will not have access to your control panel. Since this option provides the same level of access to your control panel for all new users, you also have the option of mapping IDs within profiles in advance and specifying different permission sets for each user.
3. Click the Save button to save your SSO provider.
Now that you've created your SSO provider in NationBuilder, you will be guided to connect your identity provider using our SSO setup assistant.
1. Click on the Connect your SSO provider button.
2. You will see instructions and a link that will open the SSO setup assistant in a new browser tab.
3. After you click on Get Started, you will see the Identity Provider options. Each one has a distinct set of steps through which the assistant will guide you.
4. One of the steps will involve Claims or Attribute mapping. Our default mapping is as follows:
First name: given_name
Last name: family_name
Email*: email (this field is required)
If you are unable to map these fields in your identity provider, please contact your Enterprise Account Manager or Implementation Manager for other options.
5. After you've completed all of the steps in the assistant, including testing your connection and enabling your provider, you may close this tab and return to your nation.
6. Your new SSO provider will now appear on your login screen.
If you want to restrict your users to logging in with your SSO provider only, you may choose to disable the other login methods, including social logins and email & password login, under Settings > Login and security > Login and security.
Edit identity mappings in a profile
Once an identity provider is created in the Settings section, profiles in your people database will include a new section to view and edit identity mapping.
The "Identity mappings" section of a profile will include space to insert a unique identifier for each provider created in the Settings section. This will allow you to complete the integration process if you are not using just-in-time provisioning. Having access to a profile's identity mappings also allows you to specify different permission sets for people, rather than providing the same permission set for all control panel users logging in with the identity provider.
Please note that a user must already exist in your identity provider. Inserting a unique ID in a NationBuilder profile will not create that ID in your SAML SSO provider.
Import identity mappings
Identity mappings can be added to profiles by importing them in a one-time import or a voter import after an identity provider is created and confirmed in the Settings section of the control panel.
To confirm your new identity provider after you have created it, go to Settings > Login and security > SSO and click on the Edit link next to your provider. Viewing the provider will ensure that the connection has been synced with your nation. Make sure that the provider is set to Enabled. When you return to the main SSO tab, you will see Enabled as the status next to your provider. Now you are ready to import your identity mappings.
The identity mapping connects a profile to an identity provider, but it is not a unique identifier for a NationBuilder profile. This means that when you import identity mappings, you must import an additional unique ID.
If you are using the email attribute as your name identifier format in your identity provider, you could duplicate the email address field in your CSV and then map the email address field twice: first as the signup email address, then within the SSO Identity Mappings category, to the field labeled for a particular identity provider.
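The following script is an added example, not NationBuilder code: it prepares a CSV for the email-as-identifier import described above by copying the email column into a second column for the identity mapping, and it sets aside rows that would produce a blank or shared identifier. The column names (email, sso_external_user_id), the sample rows, and the case-insensitive duplicate check are assumptions; adjust them to your own export and provider.

```python
import csv
import io

# Hypothetical column names; match them to your own CSV and import mapping.
EMAIL_COL = "email"
SSO_ID_COL = "sso_external_user_id"


def prepare_identity_import(src_csv: str):
    """Return (csv_text, rejected); rejected is a list of (line_no, reason)."""
    reader = csv.DictReader(io.StringIO(src_csv))
    fields = list(reader.fieldnames or [])
    if EMAIL_COL not in fields:
        raise ValueError(f"missing required column: {EMAIL_COL}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields + [SSO_ID_COL],
                            lineterminator="\n")
    writer.writeheader()
    seen = set()      # lower-cased emails already written
    rejected = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get(EMAIL_COL) or "").strip()
        if not email or "@" not in email:
            rejected.append((line_no, "missing or malformed email"))
            continue
        # Assumption: treat addresses differing only by case as the same
        # identity, so two profiles never share one external identifier.
        if email.lower() in seen:
            rejected.append((line_no, "duplicate email"))
            continue
        seen.add(email.lower())
        row[EMAIL_COL] = email
        row[SSO_ID_COL] = email  # same value, mapped a second time on import
        writer.writerow(row)
    return out.getvalue(), rejected


# Constructed sample input, not real data.
SAMPLE = """first_name,last_name,email
Ada,Lovelace,ada@example.org
Alan,Turing,
Grace,Hopper,grace@example.org
Ada,L.,ADA@example.org
"""

if __name__ == "__main__":
    text, rejected = prepare_identity_import(SAMPLE)
    print(text)
    for line_no, reason in rejected:
        print(f"line {line_no}: {reason}")
```

Review the rejected rows before importing, since each one is a profile that would otherwise end up without a usable identity mapping or sharing one with another profile.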
Filter by identity mappings
Once an identity provider is created in the Settings section of the control panel, a new filter category will appear in the People section. Select "SSO identity mappings," then select "External user identifier." A row will be added to your filter criteria. You will have to select a particular identity provider to search within. Then, you can search whether the external user identifier:
is [text field to enter criteria]
contains [text field to enter criteria]
does not contain [text field to enter criteria]
starts with [text field to enter criteria]
ends with [text field to enter criteria]
exists [select yes or no: "yes" to search for profiles that contain an identity mapping for that provider; "no" to search for profiles that do not contain an identity mapping for that provider]