There are multiple authentication mechanisms that can be used to sign into the admin interface.
- Sign in with email/username and password
- Sign in with Google
- Sign in with Microsoft
- Sign in with SAML
To enable sign in with SAML, you must have a Cloud linked to a custom domain name.
Configure SAML settings in the Cloud security settings in the tab named SAML SSO.
Screenshot showing the settings for SAML SSO:
Linking a SAML Identity Provider (IdP) to TargetR Digital Signage (SP)
Identity providers differ in how they are configured. Below are examples to help configure Google Workspace and Okta. Other identity providers follow a similar pattern.
Google Workspace SAML setup
Find the option to add a custom SAML app
Provide the app details such as the app name and app icon
Copy the SSO URL, Entity ID and Certificate...
...and paste them into the TargetR admin interface SAML SSO section
Now copy the SAML SP SSO URL and SAML SP Entity ID from TargetR and paste them into Google Workspace
Make sure the Name ID format is EMAIL. The email address of users is how TargetR and the IdP link user accounts.
Add the attributes firstName and lastName. They will be automatically read and combined to form the label for new users.
Finally, for Google Workspace, remember to enable the SAML app for users.
When complete, users can sign in with the new "Sign in with SAML" button:
Okta SAML setup
Sign in to Okta admin and click Add App
Click Create New App
Click SAML 2.0
Provide the App Name and icon (according to your own cloud branding)
Copy the SP SAML information from the TargetR admin interface cloud security tab and paste into Okta
Make sure the Name ID format is EmailAddress. The email address of users is how TargetR and the IdP link user accounts.
You may also add firstName and lastName attributes as shown above. This will initialize the user label for new users when no label has been defined.
Tell Okta this is an internal app
On the next screen, click View SAML setup instructions
Copy the SSO URL, Entity ID (IdP Issuer) and Certificate...
...and paste them into the TargetR admin interface cloud security section
Finally, enable the App for users you have configured inside Okta
You can now sign in from Okta or using the Sign in with SAML button.
Implementation information
Users are mapped using the email address. If a user with a matching email address already exists inside TargetR, SAML signs them in to the existing account.
You must enable the Allow new users to register and sign in option to permit users not already configured in the TargetR admin interface to sign in. With this option enabled, a new user will be automatically created when they first sign in with SAML. You can configure the name attributes (as in examples above) to make setting up new users a little easier.
An additional security constraint prevents a malicious IdP from allowing any user to sign in as another user: users are only signed in to the cloud that is assigned to their user account. This restricts each user to signing in at a single domain name.
A user can still have a password assigned to them for manual account access. This can be important if the IdP is unavailable, or if the user wants to sign in to another cloud.
Second factor authentication cannot be enabled in addition to SAML. Disable TargetR 2FA to use SAML.
Remember that by enabling SAML, you are trusting the security of the IdP. All users with a matching cloud must also trust the IdP.
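The following is an added illustration of the sign-in rules described in this section (email-based account matching, optional auto-registration with a label built from firstName/lastName, and the one-cloud-per-user constraint). It is not TargetR's code: the User class, the function names and the sample assertion are invented for the example, and it assumes the SAML library has already verified the response signature and issuer before the assertion reaches this logic.

```python
"""Hypothetical SAML sign-in handling illustrating the rules described above.
Not TargetR's implementation; names, data structures and messages are invented."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass
class User:
    email: str
    cloud: str          # the single cloud (domain name) this account is assigned to
    label: str = ""     # display name; may be empty until attributes fill it


class SamlLoginError(Exception):
    pass


def make_assertion(email, first_name, last_name, name_id_format=EMAIL_FORMAT):
    """Build a constructed, unsigned <Assertion> for testing. A real assertion carries
    an XML signature that the SAML library must verify before anything below runs."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Subject><saml:NameID Format="{name_id_format}">{email}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>{last_name}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (email, attributes) from a verified assertion. Non-email NameIDs are
    rejected because the email address is the only key used to match accounts."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not (name_id.text or "").strip():
        raise SamlLoginError("NameID missing or not in emailAddress format")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return name_id.text.strip().lower(), attrs


def saml_sign_in(users, cloud_domain, allow_registration, xml_text):
    """users: email -> User, shared across all clouds. cloud_domain: the cloud whose
    'Sign in with SAML' button received the response. allow_registration mirrors the
    'Allow new users to register and sign in' option."""
    email, attrs = parse_assertion(xml_text)
    label = " ".join(p for p in (attrs.get("firstName", ""), attrs.get("lastName", "")) if p)
    user = users.get(email)
    if user is None:
        if not allow_registration:
            raise SamlLoginError(f"{email} is unknown and new-user registration is disabled")
        user = User(email=email, cloud=cloud_domain, label=label or email)
        users[email] = user
        return user
    # A user may only sign in to the cloud assigned to their account, so an IdP that
    # asserts a known email address cannot open that account from another cloud.
    if user.cloud != cloud_domain:
        raise SamlLoginError(f"{email} is assigned to {user.cloud}, not {cloud_domain}")
    if not user.label and label:      # initialise the label only when none is defined
        user.label = label
    return user


if __name__ == "__main__":
    store = {"alice@example.com": User("alice@example.com", "signage.example.com")}
    print(saml_sign_in(store, "signage.example.com", False,
                       make_assertion("alice@example.com", "Alice", "Example")))
```

The cross-cloud check is the interesting part: even an IdP that asserts a valid, known email address only gets the account opened on the cloud that account belongs to, which is exactly the restriction the section describes.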