
Migrate from legacy SAML SSO to NationBuilder's new SSO

Easily move off of the legacy SAML single sign-on (SSO) integration to NationBuilder's brand new SSO and login system.

Updated over a month ago

📌 Note: This feature is only available on our Enterprise or Network plans. For help adjusting your plan, please contact support at [email protected].

NationBuilder's new login system brings an ever greater level of security, customizability, and control to your nation, including:

  • Multi-factor authentication with enforcement options for control panel users and supporters

  • Social sign-in with Google and Microsoft

  • Options to customize your login screen without having to modify your website

  • Option to allow or disallow your website visitors to create accounts

  • Single sign-on (SSO), which can be used alongside the previous options or on its own

To take advantage of these new features, you will need to migrate from our legacy SAML SSO integration to our new SSO offering.

NationBuilder's new SSO system allows you to integrate your nation as a service provider with the following identity providers:

  • Entra ID

  • Google Workspace (using OIDC)

  • Keycloak

  • Microsoft Active Directory Federation Services (ADFS)

  • Okta Workforce Identity (using OIDC)

  • PingFederate

  • Generic OIDC

  • Generic SAML

Where to start

Contact your Enterprise Account Manager (EAM) about migrating to our new SSO system. Your EAM will coordinate with our engineering team to prepare your nation to migrate and will send you a link where you will be guided to connect your identity provider using our SSO setup assistant.

Note: Your permission set must have access to the Settings section of the control panel and you must have the "Manage authentication" permission to use these instructions.

1. Click on the Connect your SSO provider button.

2. You will see instructions and a link that will open the SSO setup assistant in a new browser tab.

3. After you click on Get Started, you will see the Identity Provider options. Each one has a distinct set of steps through which the assistant will guide you. Note: Please make sure to create a new application as described in the instructions. Please do not re-use and edit your existing setup.

4. One of the steps will involve Claims or Attribute mapping. Our default mapping is as follows:

  • First name: given_name

  • Last name: family_name

  • Email*: email (this field is required)

If you are unable to map these fields in your identity provider, please contact your Enterprise Account Manager or Implementation Manager for other options.

5. After you've completed all of the steps in the assistant, including testing your connection and enabling your provider, you may close this tab.

6. Return to the original link you were sent by your Enterprise Account Manager and refresh the page. If your SSO provider is connected, you will see options to edit two settings: the provider name, which is displayed on the login screen button after the words "Continue with", and the default permission set of newly provisioned users, if you choose to give them access to the Control Panel.

7. After you are satisfied with the configuration of the SSO provider, contact your Enterprise Account Manager who will coordinate with our engineering team to switch your nation over to the new login system. Your users' existing identity mappings will be brought over to be used with your new SSO configuration, so you do not need to set those up again.

Login screen configuration

Once your nation has been switched over to the new login system, you will see your new SSO provider on your login screen.

If you want to restrict your users to logging in with your SSO provider only, you may disable the other login methods, including social logins and email & password login, under Settings > Login and security > Login and security.
