An overview of the most frequently asked questions regarding SSO with Canto.
Note: SSO users coming from an IDP do not appear in Canto's login reports.
Is it possible to redirect users of the IDP immediately to the Canto Main Library without having to use the regular login page?
If Canto is set to SSO-only authentication mode, users won't see Canto’s regular login page. They are logged in to Canto immediately when opening the Canto URL.
If Canto is set to hybrid authentication mode (Canto + SSO), all users see Canto’s regular login page by default.
If you need to forward SSO users to the main library directly without them seeing the login page, please let your users use and bookmark the following URL: https://XYZ.canto.com/sso/saml2bridge.jsp
Note: XYZ needs to be replaced by your tenant’s name. If you are using a canto.global, canto.de or ca.canto.com domain, make sure to replace canto.com in the URL with your domain.
The same works for Portals: https://XYZ.canto.com/sso/saml2bridge.jsp?url=/v/PORTALNAME
Can you create users in Canto when selecting the authentication mode SSO?
No, this is not possible. New users must be created in your IDP.
Can you edit or delete users in Canto when selecting the authentication mode SSO?
Yes. The edit and delete buttons are still available, with limited functionality. Editing is primarily used to set access permissions for portals, workspaces and style guides.
First and last name: Can be edited, although this is not recommended!
Email: Is read-only
Role: Is read-only when roles are managed in your IDP and can be edited if roles are managed in Canto.
Group: Is read-only when groups are managed in your IDP and can be edited if groups are managed in Canto.
Access: Can be edited
If you delete a user in Canto this user will no longer be available, thus giving you a new available seat license. However, the next time this user logs in to Canto, a new Canto user account will be created for this user (if this user still has valid settings in your IDP).
Does every user in the IDP take up a Canto user seat license when selecting the authentication mode SSO?
No, new Canto users will only be created once the IDP user logs in to Canto.
Example: If you have 5000 IDP users but only 45 of them log in to Canto, you would only need 45 user seat licenses.
Will changes to a user in Canto be transferred back to your IDP?
No, changes made in Canto will never write back to your IDP!
Will changes to a user in the IDP be transferred to Canto?
Yes. If a user in your IDP is updated, those changes would be updated in Canto as well the next time this SSO user logs in to Canto.
Will a deleted user in the IDP also be deleted in Canto?
No. Users need to be deleted in Canto manually. You might use the Login History report in Canto to determine the last login date of specific users.
How do I see if a user was created in Canto or originates from the IDP?
Canto offers two login types for users that can be seen under Settings > Users & Groups > Users.
If a user was manually created in Canto, the login type is Canto. If a user originates from the IDP, the login type would be SSO.
How do I change a former Canto user to an SSO user?
If you started by creating your users in Canto and enabled SSO later, those users are still shown as "Canto" users because they were originally created in Canto, even when they log in using SSO.
If you want to display those users as "SSO" ones, you would need to manually delete them. Next time those deleted users log in to Canto using SSO, they would automatically be created again, but this time with the login type "SSO". As long as the email address is identical to the previous one, all personal data (comments, My Collections, followed assets, reports, metadata etc.) is preserved. Group, Portal, Style Guide and Workspace assignments are not preserved and need to be done again.
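Because users deleted in the IDP stay in Canto until removed manually, and users created before SSO keep the login type "Canto", a periodic comparison of both user lists is useful. The following is an added example, not Canto code: the CSV columns, sample addresses and function names are assumptions, and both lists are constructed sample data.

```python
import csv
import io

# Constructed sample of a Canto user list; column names are assumptions,
# not Canto's actual export format.
CANTO_USERS_CSV = """email,login_type
alice@example.com,SSO
Bob@Example.com,SSO
carol@example.com,Canto
dave@example.com,Canto
"""

# Constructed list of accounts that are currently active in the IDP.
IDP_ACTIVE = ["alice@example.com", "carol@example.com", "erin@example.com"]


def norm(email):
    """Normalise an address so case and stray spaces do not hide a match."""
    return email.strip().lower()


def reconcile(canto_csv, idp_active):
    """Sort Canto accounts into review buckets based on IDP membership."""
    active = {norm(e) for e in idp_active}
    seen = set()
    report = {"ok": [], "orphaned_sso": [], "convert_to_sso": [], "local_only": []}
    for row in csv.DictReader(io.StringIO(canto_csv)):
        email = norm(row["email"])
        seen.add(email)
        if row["login_type"].strip().lower() == "sso":
            # SSO account whose IDP user is gone stays in Canto until deleted by hand.
            bucket = "ok" if email in active else "orphaned_sso"
        elif email in active:
            # Created in Canto, also known to the IDP: still listed as "Canto".
            bucket = "convert_to_sso"
        else:
            # Exists only in Canto; confirm it is still needed.
            bucket = "local_only"
        report[bucket].append(email)
    # IDP users who never logged in have no Canto account and use no seat.
    report["idp_without_seat"] = sorted(active - seen)
    return report


if __name__ == "__main__":
    for bucket, emails in reconcile(CANTO_USERS_CSV, IDP_ACTIVE).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Accounts in orphaned_sso are the ones to delete manually in Canto; before deleting accounts in convert_to_sso, note that their Group, Portal, Style Guide and Workspace assignments have to be set again afterwards.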
Can I use multiple IDPs with a single Canto account?
Yes, please have a look at this article.