Single sign-on (SSO) is an authentication method allowing users to log into multiple resources using one set of credentials. Prezi features SAML SSO that significantly improves the ease and security of User Management for your team.
Setting up SAML SSO
You must be the Team Admin in Prezi and also have the right to manage your SAML SSO Provider settings in order to set up SAML SSO for your Prezi Team.
First of all, you will have to enable SAML SSO for your team or organization. After validation (sign out and sign back in with SSO), you will be able to enforce it for all your team members.
General SAML configuration
To manually configure your SAML app, please follow this list of required configurations:
1. Configure app claims. Prezi requires three claims to be passed:
Email as SAML NameID
First Name as given_name
Last Name as family_name
2. In your IdP, set Audience to https://prezi.com/ and Single sign on URL (or ACS) to https://prezi.com/complete/saml/
3. Download Certificate (Base64) and copy its content to the team admin Certificate (X.509) field.
4. Copy IdP Entity ID, also known as IdP Issuer, to the team admin Identifier or issuer URL field.
5. Copy Single Sign On URL to the team admin SAML 2.0 Endpoint (HTTP) field.
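To confirm that the IdP app from steps 1 and 2 emits what Prezi expects, you can decode a test assertion (for example with a browser SAML tracer) and check it before enabling SSO. The following is an added example, not Prezi's code: the function name check_assertion and the sample assertion are constructed for illustration, and the check covers claim mapping only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://prezi.com/"                 # Audience from step 2
ACS_URL = "https://prezi.com/complete/saml/"    # Single sign on URL (ACS) from step 2
REQUIRED_ATTRS = ("given_name", "family_name")  # claims from step 1

# Constructed sample assertion (not captured from a real IdP); signature omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://prezi.com/complete/saml/"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://prezi.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return a list of mapping problems; an empty list means the claims look right."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = (root.findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address: %r" % name_id)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:  # exact match, trailing slash included
        problems.append("Audience %r missing (got %r)" % (AUDIENCE, audiences))
    recipients = [d.get("Recipient") for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient %r missing (got %r)" % (ACS_URL, recipients))
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("attribute %r missing or empty" % name)
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "OK")
```

Only run this on assertions from your own test logins, and treat decoded assertions as sensitive because they contain user identifiers.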
Enabling SAML SSO:
1. Log in at Prezi.com with your Team Admin account and go to “Admin Console”.
2. From the “Admin Console”, click the “Settings” tab.
3. Navigate to the “SAML Single Sign-On” section and use the switch to enable SSO.
4. Fill out the required information that you can get from your SSO Provider. To receive this information from the provider, you will be asked to share some data. We've provided this data with “Copy” buttons next to the fields for ease of use.
5. Click “Save” after you have filled out all fields.
6. Test SAML SSO. Log out from your account and log in by using SAML SSO this time.
Enforcing SAML SSO:
Use “Enforced SAML SSO” to set this as the only authorization method for your team members. The option can only be enabled after successfully enabling and testing SAML SSO authorization.
1. Visit the SAML SSO section of the "Admin Console" again.
2. Enable “Enforce SAML SSO” by ticking the box next to it.
After a double confirmation, all your Team Members who haven't used SAML SSO to log in at Prezi.com will be logged out. They will have to log back in, but this time by using SAML SSO.
Disabling SAML SSO for your team
To disable enforced SAML SSO, go back to the SAML SSO section of the "Admin Console" and untick the box next to "Enforce SAML Single sign-on".
To disable SAML SSO altogether, use the switch next to "Use SAML Single sign-on". You will have to verify this action in a pop-up window before finalizing the step.
Please note that while SAML SSO is enforced, team members can use only the SAML SSO authorization method. Once enforcement is disabled, users will be able to use any other authorization method that is associated with their email, including SAML SSO if it's still enabled (even though not enforced).
Before disabling SAML SSO, please read the information below on how this will affect the following two groups of team members.
1. Members who used other authorization methods before enabling SSO, such as Facebook, Google or email: After disabling SAML SSO, these users will be able to log in at Prezi.com with their other authorization method. No email will be sent to this group to inform them about the changes.
2. Members who were added through the SAML SSO provider without any other authorization method in place: Once SAML SSO is disabled, Prezi will send an email asking these users to create a password for their new account. After doing so, users will be able to log in again with the same email address and the new password. Users will also be able to create their new password manually by using the regular "Reset password" flow on the login page.