Organizations
The BrightSign BSN.Cloud Admin Panel now supports organizations. This feature allows you to:

- Define and manage organizations
- Invite other users to administer organizations
- Associate and verify ownership of domains
- Set up single sign-on (SSO)

Additional features for organizations, including network and subscription management, will be added in the future.

Accessing Organizations

To access organizations, select Get Started at https://adminpanel.bsn.cloud and log in. Go to the Organizations menu item. Any user can create or be associated with an organization for management purposes.

Creating an Organization

To create an organization, click the Create Organization button. You will need to enter the following details:

- Organization Name: this will be displayed in the user interface.
- URL Friendly Name: this will be auto-entered as you type the organization name.
- Organization URL (optional): this is for information only and is shown on the Details screen.
- Description (optional): this is for information only and is shown on the Details screen.

When you have entered the required information, select Create Organization. You will then be returned to the Organizations page, where you will see the list of organizations. From here, you can search for organizations by name, or double-click an organization to access it.

Tabs

Double-clicking an organization on the organization list page displays a set of tabs, which show information and allow you to further manage organizations. These are described below.

Details Tab

The Details tab shows the information entered when creating an organization, when it was created and last modified, and any domains associated with it.

Members Tab

The Members tab shows the members of your organization that have access to view or manage it. Here you can invite new members, search for members, and remove members, if you have the appropriate access permissions. The members shown here are purely for the management of your organization; this has no
relationship to the user and role permissions used for BSN.Cloud. To add a new member to manage your organization, invite them by selecting Invite Member.

Inviting a Member

To invite a member to manage your organization, you will need to enter the following details:

- Their email address (this does not need to be from the same email domain).
- Their permissions, defined by selecting one or more roles. You can use the buttons All, View, Manage, and Delete to select a predefined set of roles, or you can specify them directly by checking the box next to the specified role.

After entering the invite details, select Send Invite and an email will be sent to that person. They will need to log in to the Admin Panel and accept the invitation via the https://ikb.brightsign.biz/software/organizations#invitations page in order to access the organization.

Invitations Tab

The Invitations tab shows the list of members invited to manage this organization who have not yet accepted their invitations. Here you can invite new members or revoke an existing member if you no longer want them to manage your organization. To do this, select the Revoke button next to the appropriate member.

Domains Tab

The Domains tab shows a list of associated domains for your organization. Domains are used by single sign-on (SSO) to redirect users to your own identity provider (IdP) when logging in.

Adding Domains

To add one or more domains, select Add Domain, enter the name of the domain, and then select Save. After clicking the Save button you will be returned to the list of domains for your organization. For each domain, there is a Status column indicating whether the domain has been verified. Domain verification is required to use a domain with SSO; it proves that you own the domain. Select Verify to begin the verification process, or Delete to delete an existing domain.

Verifying Domain Ownership

To verify a domain, click the Verify button next to it in the domains list. The Verify Domain Ownership form will be
displayed. Here you can verify your domain by one of two methods:

- DNS verification: You must use your existing domain provider (e.g. GoDaddy, Cloudflare, Namecheap) to modify your domain's DNS entries. Specifically, you must add a new TXT record with the name and value specified on the Verify Domain Ownership form. When you have added this DNS record, click the Verify DNS Record button to complete the process. Note that DNS verification is not always immediate, and you may need to repeat this process a few times until the domain is verified.
- HTTP file verification: You must upload a file to your web server using the file name and contents specified on the Verify Domain Ownership form. When you have added this file to your web server, select Verify File to complete the process.

The domain's status will change to Verified in the Domains tab when the domain has been successfully verified.

SSO Tab

The SSO (single sign-on) tab shows a list of associated identity providers (e.g. Microsoft Entra ID, Okta, Cloudflare) used to authorize your users to access BSN.Cloud. Combined with a verified domain, SSO allows you to use your own identity provider to secure your users instead of the basic user name and password authentication provided by BSN.Cloud. Ensure you have created and verified ownership of at least one domain in order to complete setting up SSO for your organization.

Setup SSO

To set up SSO you will need administrative access to your identity provider (e.g. Microsoft Entra ID, Okta, Cloudflare), and you will need access to add a DNS entry for your domain or upload a file to your web server.

Important: Before you set up SSO, create a "break glass" account. You should do this because if you enable SSO incorrectly you could lock yourself out of the system. If you have locked yourself out of your account, contact BrightSign support for further assistance.

Creating a "break glass" account involves using an email account that is not associated with your SSO domain. For example, if
your SSO domain is "example.com" you should set up an email address like "sso.admin.example.com@gmail.com", or any email address that you can access that is not part of "example.com". When you have created an external email account to use for the "break glass" account, you must invite that account to manage the organization, as described above in the section on inviting a member.

Adding an Identity Provider

Select Setup SSO to set up a new identity provider for SSO. You will be shown a list of identity providers to choose from, or you can choose a generic SAML, OpenID, or LDAP protocol. After selecting one of the above providers or protocols you will be guided through a set of steps relevant to that provider or protocol.

Adding an Identity Provider (Example)

Expand the example below to see the steps to add a Microsoft Entra identity provider. (This page does not show every identity provider configuration, as the steps are similar across providers.)

Linking an Identity Provider to a Domain

After creating the identity provider you will be returned to the SSO tab, where you will see the list of identity providers. Alongside the new identity provider there is a warning message stating "No domains are associated. Users may not be able to sign in until at least one domain is linked." This means you need to link one or more verified domains with the identity provider. To do this, select Edit.

After selecting Edit, you will be shown the Edit Identity Provider form, where you can enable or disable the identity provider, view the name, and select the domains to be associated with it. If you disable the identity provider, the system will revert to using the basic user name and password authentication methods provided by BSN.Cloud.

Select one or more domains to be associated with the identity provider and select Save Changes. You will be returned to the SSO tab, where you will now see the identity provider marked with one or more associated domains. From here, you can
delete the identity provider, or show details of the identity provider to see its specific details in JSON format.

Initial User Login After Enabling SSO

When you log in after SSO has been enabled, you may see the Account Already Exists form. This form indicates that the user logging in via the new identity provider has matched an existing account in BSN.Cloud (for example, if you have previously been using BSN.Cloud with a user name or password or used another identity provider such as Microsoft Entra ID or Google social logins). You will not see this screen if you are new to BSN.Cloud. You can review the existing BSN.Cloud profile by clicking the Review Profile button, or confirm this is okay by selecting Add to Existing Account.

Review Profile

Selecting Review Profile will display an Update Account Information form with your email, first name and last name. You can make changes here if you need to. Select Submit to continue and it will return you to the Account Already Exists form.

Add to Existing Account

Selecting Add to Existing Account will show the Link Account form. You will get an email confirming that it is your email account. If the email is not confirmed within the time frame, you will need to start the login process again and re-confirm. Click the link in the email to confirm your account, and you will be redirected to the website where you will be prompted to select or create a network.

Important Information About SSO

- Ensure you have created a "break glass" account for use in emergencies (described above).
- Always test SSO before logging out: when you link a domain to an identity provider, you should always test that the SSO login process works with another user account first, before you log out of the current session. If the identity provider settings are incorrect and you log out, you may not be able to log in again due to the forced redirection process unless you have created a "break
glass" account.
- If you make a mistake: identity provider settings cannot be edited at this time, so to correct a mistake you must delete the identity provider, go through the steps again, and then re-link the domain.
- If you cannot log in after enabling SSO, and you do not have a "break glass" account, you will need to contact BrightSign support for assistance.

Settings Tab

The Settings tab allows you to change the description and URL of the organization. You can also delete the entire organization by pressing the Delete Organization button in the Danger Zone section.

Responding to Invitations

The Invitations page allows you to accept or reject invitations to manage other organizations. After receiving an email inviting you to manage an organization, you will be directed to this page, where you can view the details of the invitation, such as the organization, the inviter, and your roles. Select the appropriate button to accept or reject the invitation.
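
For the DNS verification method described under Verifying Domain Ownership, the following added example (not part of the BrightSign documentation) checks whether the TXT record is already visible on several public resolvers before you select Verify DNS Record. The record name and value in the usage line are placeholders for the ones shown on the Verify Domain Ownership form, and the resolver list is an assumption.

```bash
#!/bin/sh
# Added example: confirm the verification TXT record has propagated.
# Record name and value are placeholders; copy the real ones from the
# Verify Domain Ownership form.

# Collapse one line of `dig +short TXT` output into the raw record value.
# dig quotes each TXT string and splits long values into several quoted
# chunks, so "abc" "def" stands for the single value abcdef.
txt_join() {
  printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if any line of dig output ($1) equals the expected value ($2).
# A domain usually carries other TXT records (SPF and so on), so every
# line is compared exactly rather than searched for a substring.
txt_has_value() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if [ "$(txt_join "$line")" = "$2" ]; then return 0; fi
  done <<EOF
$1
EOF
  return 1
}

# Query several public resolvers; return non-zero while any of them
# still lacks the record.
check_txt_propagation() {
  name=$1; expected=$2; missing=0
  for resolver in 1.1.1.1 8.8.8.8 9.9.9.9; do
    answer=$(dig +short TXT "$name" "@$resolver" 2>/dev/null)
    if txt_has_value "$answer" "$expected"; then
      echo "$resolver: record visible"
    else
      echo "$resolver: not visible yet"; missing=1
    fi
  done
  return "$missing"
}

# Usage (placeholders):
#   check_txt_propagation "<record-name-from-form>" "<record-value-from-form>"
```
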
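
For the "break glass" advice under Setup SSO, the following added example (not part of the BrightSign documentation) lists which member addresses sit outside every SSO domain and so would not be redirected to the identity provider. The member list is constructed sample data, and treating subdomains of an SSO domain as covered is a conservative assumption; the account must still be invited with suitable roles as the page describes.

```bash
#!/bin/sh
# Added example: find member addresses that qualify as "break glass"
# accounts. Sample addresses in the usage line are constructed.

# Lower-case the part after the last "@". Matching on the whole address
# would misclassify sso.admin.example.com@gmail.com, whose local part
# contains the SSO domain.
email_domain() {
  printf '%s\n' "${1##*@}" | tr '[:upper:]' '[:lower:]'
}

# Return 0 if address $1 falls under SSO domain $2, either exactly or as
# a subdomain (assumption: subdomains are treated as covered).
under_sso_domain() {
  d=$(email_domain "$1")
  s=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
  case "$d" in
    "$s"|*."$s") return 0 ;;
    *) return 1 ;;
  esac
}

# Print the members that are outside every SSO domain.
# $1 = newline-separated member emails, $2 = space-separated SSO domains
break_glass_candidates() {
  printf '%s\n' "$1" | while IFS= read -r email; do
    [ -n "$email" ] || continue
    covered=0
    for dom in $2; do
      if under_sso_domain "$email" "$dom"; then covered=1; fi
    done
    if [ "$covered" -eq 0 ]; then printf '%s\n' "$email"; fi
  done
}

# Usage (constructed data):
#   break_glass_candidates "alice@example.com
#   sso.admin.example.com@gmail.com" "example.com"
```

An empty result means every member would be forced through the identity provider, which is the lockout condition the page warns about.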