ArcSite & SSO
Updated over a month ago

ArcSite provides a generic auth provider for SAML2-based authentication, which allows Admins of an ArcSite company account to manually configure any SAML2-enabled IdP system.

Documented below are the setup steps and an "end user" troubleshooting section.

Accessing the SSO Options

You can access these SSO options from the Settings > Identity section on the ArcSite User Site. Note: You will need Admin-level permissions to access them.

Domain Management Section

Domain verification verifies that the domain associated with your email belongs to your organization. Domain verification is required to enable SSO.

Subdomains and top-level domains are verified separately and explicitly. It is not possible to verify a top-level domain and all its subdomains with a single domain verification entry.

For example, if you wish to enable SSO for users with email addresses on both the top-level x.com domain and the y.x.com subdomain, you must complete the domain verification process twice.

How to Access and Set Up

Under the Settings > Identity > Domain Management section on the ArcSite User Site, click on the Verify a new domain button to add and verify each domain you’d like to use with SSO.

For example, if your company email address is employee@company.abc, please enter "company.abc" (without a trailing period).

Once you have submitted the information, you will be presented with the Manage Domain dialog. From there you can copy the listed value and paste it as a TXT record with your DNS provider.

After doing so, come back to this Manage Domain dialog and click the Check button to complete the verification.

If your company has been verified and added successfully, the status will display "Verified."

Configure SAML SSO section

The Configure SAML SSO section contains a number of different required settings as described below. You can access these settings from the Settings > Identity > SSO section on the ArcSite User Site.

Required Settings

Single Sign On

This option must be toggled on to enable anyone using email addresses with a verified domain to log in via SAML SSO.

Register IdP with ArcSite

Allows you to provide the contents of the IdP’s generated metadata file. This includes basic SAML configuration such as the identifier, login URL, and reply URL.

Once the contents are pasted and submitted, ArcSite will register your IdP.

To use, click the Submit IdP Metadata button, paste your data into the provided entry field, and click Submit.

Register ArcSite with IdP

Download the metadata for your Service Provider (SP). You'll need to upload this file to your Identity Provider to establish the trust relationship.

Map Identity Provider Attributes

Here, the field values of ArcSite members need to be matched up with the corresponding values for members in the IdP.

The basic required fields are the IdP's User ID and email address, but ArcSite can also optionally pull first and last name values from the IdP.

Consult your Identity Provider’s documentation for the appropriate keys.

Those mapping fields are:

  • IdP User ID (required)

  • User Email (required)

  • First Name

  • Last Name
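
A preflight check for the mapping fields above and for the per-domain verification rule from the Domain Management section, as an added example (not ArcSite's code): it reads the attributes from a constructed, unsigned sample assertion and flags missing required keys and email domains that are not in the verified list. The attribute keys (uid, mail, givenName, sn) and the function names are assumptions; the script does not validate SAML signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# ArcSite mapping field -> (attribute key released by the IdP, required?).
# The keys are hypothetical placeholders; use the ones from your IdP's documentation.
MAPPING = {
    "IdP User ID": ("uid", True),
    "User Email": ("mail", True),
    "First Name": ("givenName", False),
    "Last Name": ("sn", False),
}

# Constructed sample: unsigned AttributeStatement for a test user on a subdomain.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>u-1001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>pat@y.x.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def released_attributes(assertion_xml):
    """Return {attribute name: [non-empty values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found[attr.get("Name")] = [v for v in values if v]
    return found

def check_mapping(assertion_xml, verified_domains, mapping=MAPPING):
    """Return (errors, warnings) for one test user's released attributes."""
    attrs = released_attributes(assertion_xml)
    errors, warnings = [], []
    for field, (key, required) in mapping.items():
        if not attrs.get(key):
            (errors if required else warnings).append(f"{field}: '{key}' missing or empty")
    for email in attrs.get(mapping["User Email"][0], []):
        domain = email.rpartition("@")[2].lower()
        # Exact match only: a verified x.com does not cover y.x.com.
        if domain not in {d.lower() for d in verified_domains}:
            errors.append(f"User Email: domain '{domain}' is not verified")
    return errors, warnings

if __name__ == "__main__":
    print(check_mapping(SAMPLE, {"x.com"}))
    print(check_mapping(SAMPLE, {"x.com", "y.x.com"}))
```
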


Test Single Sign-On

Test to see if single sign-on is working. Testing users must be added to your Identity Provider before they can sign in.

NOTE - Please open the test link in a new window to avoid being forcibly logged out of your account.

Troubleshooting SSO Issues

There are certain cases where you or your end users can run into errors with SSO. The common cases are listed below along with potential solutions.

Not Enough Accounts

End User Error message

"Your company has no more available licenses. 
Contact your admin to increase your license count."

Issue

Once all available licenses are in use, the next user attempting to log in will be unable to do so.

Solution

There are two ways to work around this issue.

  1. A currently logged-in user can log out to free up a license.

  2. The company can purchase more licenses to support all needed accounts.

Non SSO Account

End User Error message

"The account “xxx@abc.com” exists but is not created through SSO, please log in via email and password. If you want to be added to your company's SSO, contact your admin for help."

Issue

When SSO is enabled, any accounts created outside of that framework will not work for credentialing purposes.

Domain not Verified

End User Error message

"No company is configured for SSO with the provided email domain."

Issue

An email domain must be verified as part of the SSO enabling process.
