Notice: As of January 2017, we recommend using our SAML 2.0 Service Provider Configuration instead of Incoming SSO. Support for Incoming SSO will be removed at some point in the future.


When you enable Incoming Single Sign-On, only Users that already exist will be able to log into the Channeltivity partner portal. While you could manually create new Users in Channeltivity whenever you create one in the "Originating System", the best way to handle this situation is by creating Users using the Channeltivity Data API as part of your SSO process. 


Let's assume that there's a jump page in your external application (the "Originating System") that performs the SSO magic and then redirects your users into Channeltivity. Here's what this page should do -- using plain English and the example of John Doe (jdoe@example.com) from Example Inc.:


  1. Call the Channeltivity Data API ("the API"): Is there a User with the email address jdoe@example.com? 
  2. If yes, go to step 8. Optional: update the User's profile with data from the Originating System.
  3. If John Doe doesn't exist, call the API: Is there an Organization that's associated with the domain example.com?
  4. If yes, go to step 6. Optional: update the Organization's profile with data from the Originating System.
  5. If the Organization doesn't exist, call the API to create "Example Inc." as a new Organization and associate it with the domain "example.com."
  6. Call the API to create the User "John Doe, jdoe@example.com" and associate it with the "Example Inc." Organization.
  7. Call the API to get a list of all Groups (used for permissions) and then call it again to make John Doe a member of the Groups you choose.
  8. Continue the SSO process by creating a session key and storing it within your system.
  9. Redirect to Channeltivity passing the User's email address and session key.

Tips:
  • You may want to set up your own email notifications that get sent whenever a new User or Organization is created.
  • You'll have to have a way to handle Ignored Email Domains (e.g. gmail.com, hotmail.com) in your code.

Make sure to check out the Incoming Single Sign-On docs for context and the Seamless Invalid Session Handling with Incoming SSO for more best practices.