Single Sign-On

Libris allows you to integrate your media library with your company’s single sign­-on (SSO) system for seamless addition of employees to your Invited User list. This makes it so employees can easily login to view and download from your Libris public Portal. With an SSO implementation, it’s possible to distribute your important files company­-wide, without manually adding employees to an address book and without asking them to create a new password for their login.

SSO Adds Users to User Group(s) Automatically

With Libris SSO, you can automatically add employees to a user group as they log in via your Portal. The Administrator and Editor(s) on the Libris account then give this user group permission to view and download galleries as they wish. (You can also hide galleries from this group, such as those containing files that are out of license or unapproved for release.) You have full control over the access you wish to provide to this employee group.

Please note SSO is not for Library Staff or Contributor login. Administrators control who is added and removed to the Library Staff and Library Staff users set their own PhotoShelter passwords for their login.

Is this just for employees?

Our SSO implementation relies on users logging in with an email address in your company’s domain. They don’t have to be employees, but they do have to have an email address in your company’s domain.

Of course, you can add other Invited Users outside of your company's active directory to your account through our normal process. You still have full control over what they can see and download.

Is SSO right for my organization?

Our SSO implementation is created with some of the most widely used (and highly secure) protocols. We’ve created a standard installation that your IT team should be able to implement without much assistance from us. Of course, this assumes that you have an IT team that is capable of the integration.

SSO Product Details

Libris SSO is primarily built around a SAML2 transport layer to perform the login. SAML2 is widely available with directory services used in enterprise environments. The Libris team can provide details for implementation and a test page to verify that your assertions and keys are correctly formatted. Contact librissupport@photoshelter.com if you would like more information about purchasing the SSO add-on for your Libris account.

Supported Transport Layer

●  SAML 2 Transport layer

●  Either SP- or IdP-initiated

●  Requires email address, first name, and last name in the assertion

●  Optional attribute: group (sorts SSO users into different contact groups)

●  HTTPS profile using the POST method

Supported Directory Services

Libris SSO supports the use of any client-side directory service that can authenticate using SAML2. This is a long and constantly expanding list of enterprise directory services. Wikipedia provides a partial list of compatible directory services here. Below are some of the most common services used by our clients:

●  LDAP - many implementations

●  Microsoft Active Directory Service (also known as Active Directory, Azure Active Directory, ADFS, and more)

●  Oracle

●  Shibboleth

●  Okta

InCommon

Libris participates in the InCommon Federation as a Sponsored Partner (listed as PhotoShelter here). We support the following InCommon attributes:

● givenName
● sn
● mail
● eduPersonScopedAffiliation

Contact librissupport@photoshelter.com if you would like more information about purchasing the SSO add-on for your Libris account. We can provide you with a document you can run by your IT Team to see if SSO fits in with your system and capabilities.