Single Sign-On (SSO) with SAML 2.0

Written by Jarad on July 24, 2023

Single Sign-On (SSO) is a secure authentication method that allows users to access multiple applications with a single login credential. With SSO, users do not have to remember different usernames and passwords for each application. Instead, they can sign in once and access all their authorized applications.

FastBound believes Single Sign-On (SSO) is a fundamental security requirement for all organizations, regardless of size. SSO simplifies user authentication and account management by integrating with existing identity providers, which is crucial for IT and Security teams, especially when managing access across multiple applications. While many SaaS vendors limit SSO to expensive “Enterprise” tiers, we offer SSO at no additional cost, ensuring robust security is accessible to all. For more insights on the importance of making SSO accessible, visit SSO.tax.

SAML SSO with FastBound

Signing In

Once SSO is enabled, your organization receives a dedicated link for signing in with SSO, which users can bookmark or link to. If your Identity Provider (IdP) supports a Start URL (for example, in its application launcher), use this link as that URL.

FastBound sets a first-party cookie every time a user successfully signs in with SSO. On later visits, this cookie causes a panel to be displayed above our standard login form, reminding the user that your organization uses SSO, with a “Sign on with YOUR_ORG” button.

Registering New Users

New users need only browse to the SSO link provided. FastBound blocks self-service registration attempts that use an email address ending in your domain name; the person attempting to register receives an email explaining that your organization uses SSO, with a link for signing in.

Password Resets

Users must contact their organization for assistance with password changes, recovery, or resets, since their credentials live in your Identity Provider (IdP), not in FastBound. FastBound blocks password reset attempts for email addresses ending in your domain name, and the user receives an email reminding them that your organization uses SSO, with a link for signing in.

Existing Users

When users have previously created FastBound user accounts with email addresses ending in your SSO domain name, we can convert those into SSO accounts, preserving existing settings and permissions. Contact the FastBound support team for assistance.

When a user authenticates via SSO, FastBound’s Time-based One-Time Password (TOTP) Two-Factor Authentication (2FA) is disabled for that user, delegating responsibility for 2FA to the Identity Provider (IdP) so that authentication policy is consistent across services. Because FastBound no longer enforces a second factor for SSO users, make sure your IdP requires multi-factor authentication for them.

Enabling SAML SSO

Setting up SAML SSO with FastBound is almost as easy as signing in with SAML:

  1. Import FastBound’s SAML 2.0 Service Provider (SP) Metadata file.

  2. Send your SAML 2.0 Identity Provider (IdP) Metadata to FastBound support, together with the fully-qualified domain names (FQDNs) for which your IdP is the authority. FastBound uses these FQDNs to recognize your users and guide them during registration and password reset attempts. Let support know whether you intend to manage user-account permissions in FastBound or with SAML attributes.

Our Service Provider (SP) Metadata file specifies:

  • SPSSODescriptor: We support SAML 2.0 only. AuthnRequests from FastBound, the Service Provider, are not signed. Assertions from you, the Identity Provider, must be signed.

  • NameIDFormat: FastBound requires persistent, unique identifiers, i.e. the SAML 2.0 persistent NameID format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Do not use transient or email-based identifiers, which can change and would break the mapping to the user’s FastBound account.

  • AssertionConsumerService: FastBound accepts only the HTTP-POST binding, sent to our Assertion Consumer Service (ACS) URL, which is https://cloud.fastbound.com/sso/saml2/acs
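The three properties above correspond to specific elements and attributes in SAML 2.0 SP metadata. The following added example (not FastBound’s actual metadata file or code) embeds a constructed metadata document with those settings and checks each one, which is a quick way to confirm what a downloaded metadata file actually says before importing it into an IdP. The entityID and the ACS index are assumptions; the ACS URL and the SAML URNs are the standard values.

```python
"""Added example, not FastBound's metadata or code: parse SAML 2.0 SP metadata
and confirm it states the three properties described on the page."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ACS_URL = "https://cloud.fastbound.com/sso/saml2/acs"

# Constructed sample; entityID and index="0" are assumptions, the rest follows the page.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.fastbound.com/sso/saml2/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.fastbound.com/sso/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return True/False for each property the page lists, as read from the metadata."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    acs = sp.findall("md:AssertionConsumerService", NS)
    return {
        # SPSSODescriptor: SAML 2.0 only, unsigned AuthnRequests, signed Assertions required.
        # Both signing flags default to false in the SAML metadata schema when absent.
        "saml2_only": sp.get("protocolSupportEnumeration", "").split() == [SAML2_PROTOCOL],
        "authn_requests_unsigned": sp.get("AuthnRequestsSigned", "false").lower() == "false",
        "assertions_must_be_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        # NameIDFormat: persistent identifiers and nothing else
        "persistent_nameid_only": formats == [PERSISTENT],
        # AssertionConsumerService: every endpoint is HTTP-POST to the documented ACS URL
        "acs_http_post_only": bool(acs) and all(
            a.get("Binding") == HTTP_POST and a.get("Location") == ACS_URL for a in acs),
    }
```

Point check_sp_metadata at the real metadata file you downloaded; any False entry means the file differs from what this page describes and is worth a question to support before you import it.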

Required Attributes

  1. The Subject of the assertion from your Identity Provider (IdP) must contain a NameID or a BaseID.

  2. At least one attribute in the assertion (it does not matter which one) must contain a valid Internet email address. An email address is required for notifications, for inviting users to existing accounts, and for electronic transfers.

Optional Attributes

FastBound supports several SAML attributes for managing users and account permissions in FastBound.

  • Attribute names are not case-sensitive.

  • If you supply a first or last name via attributes and it differs from what the user has entered in their user profile, the profile is overwritten with the attribute values each time they sign in with SSO.

  Attribute Name    Attribute Value
  givenname         User’s first name
  surname           User’s last name
  account_XXXXXX    A numeric bitmask representing the user’s permissions for account XXXXXX (see Permissions Bitmask below). Multiple account_XXXXXX attributes are allowed, one per account, but each attribute may carry only one value.

Account Permission Attribute Notes

  • If you want to manage authorization with assertion attributes, FastBound support must enable this for you; otherwise, account permission attributes will be ignored by default.

  • If FastBound receives more than one value for a single permission attribute, that attribute is ignored completely out of caution; the user receives no permissions from it for that account.

  • You may prepend anything to an account_XXXXXX attribute name (e.g., store202settingsuser_account_XXXXXX) so long as the attribute name ends with account_XXXXXX.

  • If you use permissions attributes, Settings > Users in FastBound will be view-only.

Permissions Bitmask

Bitmasks convey multiple on/off settings (flags) as a single number. Each permission has a distinct power-of-two value, so every combination of permissions has exactly one numeric representation. To build a bitmask, add the values of the permissions you want, using each value at most once (in code, combine them with bitwise OR, which gives the same result and cannot be corrupted by a repeated value).

  Value   Permission
  1       Create Acquisition
  2       Commit Acquisition
  4       Create Disposition
  8       Commit Disposition
  16      Download Contacts
  32      Item Edit
  64      Item Inventory Control
  128     Item Download
  256     Create Bound Book
  512     Form 4473
  1024    Contact Status
  2048    Account Settings
  4096    Download Bound Book
  8192    Create Multiple Sale
  16384   Dismiss Multiple Sale
  32768   Transmit Multiple Sale

Examples

  • 0 represents no permissions

  • 65535 (the sum of all sixteen values) represents all permissions

  • 8772 (4 + 64 + 512 + 8192) represents Create Disposition, Item Inventory Control, Form 4473, and Create Multiple Sale permissions
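The rules under Required Attributes, the Optional Attributes table, and the Permissions Bitmask, exercised together in one added example. This is not FastBound’s code and does not show how FastBound processes assertions internally; the sample assertion, its issuer, the account numbers 123456 and 654321, and the attribute names GivenName, surname and mail are constructed for illustration. It assumes that a non-numeric or out-of-range permission value is dropped in the same way as a multi-valued one, which the page does not state, and it deliberately does not verify the assertion’s XML signature, which must happen before any attribute in it is trusted.

```python
"""Added example, not FastBound code: check an IdP assertion against the attribute
rules on this page and encode/decode account_XXXXXX permission bitmasks."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Bit values copied from the Permissions Bitmask table above.
PERMISSIONS = {
    1: "Create Acquisition", 2: "Commit Acquisition",
    4: "Create Disposition", 8: "Commit Disposition",
    16: "Download Contacts", 32: "Item Edit",
    64: "Item Inventory Control", 128: "Item Download",
    256: "Create Bound Book", 512: "Form 4473",
    1024: "Contact Status", 2048: "Account Settings",
    4096: "Download Bound Book", 8192: "Create Multiple Sale",
    16384: "Dismiss Multiple Sale", 32768: "Transmit Multiple Sale",
}
ALL_PERMISSIONS = sum(PERMISSIONS)                           # 65535
ACCOUNT_ATTR = re.compile(r"account_(\d+)$", re.IGNORECASE)  # any prefix, name must END with this
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample (issuer, IDs, account numbers and attribute names are assumptions).
# One prefixed permission attribute is valid; account_654321 is multi-valued and must be dropped.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_assumed-id" Version="2.0" IssueInstant="2023-07-24T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">assumed-opaque-id-e3c1a7b2</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="GivenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="store202settingsuser_account_123456"><saml:AttributeValue>8772</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="account_654321">
      <saml:AttributeValue>1</saml:AttributeValue>
      <saml:AttributeValue>2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def encode_permissions(names):
    """Combine permission names with bitwise OR; a repeated name cannot inflate the mask."""
    by_name = {name: bit for bit, name in PERMISSIONS.items()}
    mask = 0
    for name in names:
        mask |= by_name[name]
    return mask


def decode_permissions(mask):
    """Expand a bitmask into permission names; reject values outside the defined range."""
    if not 0 <= mask <= ALL_PERMISSIONS:
        raise ValueError(f"bitmask {mask} is outside 0..{ALL_PERMISSIONS}")
    return [name for bit, name in PERMISSIONS.items() if mask & bit]


def check_assertion(xml_text):
    """Extract what the rules above require from an assertion whose XML signature has
    ALREADY been verified against the IdP certificate (verification is not done here)."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    base_id = root.find("saml:Subject/saml:BaseID", NS)
    subject_ok = base_id is not None or (
        name_id is not None and name_id.get("Format") == PERSISTENT and bool(name_id.text))

    # Attribute Name -> list of values (a SAML Attribute may carry several AttributeValues)
    attrs = {a.get("Name", ""): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    lower = {name.lower(): values for name, values in attrs.items()}  # names are case-insensitive
    # Any attribute, whatever its name, may supply the required email address
    email = next((v for vals in attrs.values() for v in vals if EMAIL.match(v)), None)

    permissions, ignored = {}, []
    for name, values in attrs.items():
        m = ACCOUNT_ATTR.search(name)
        if not m:
            continue
        try:
            if len(values) != 1:
                raise ValueError("multiple values")  # page: ignored completely out of caution
            permissions[m.group(1)] = decode_permissions(int(values[0]))
        except ValueError:  # multi-valued, non-numeric or out of range (the latter two: assumption)
            ignored.append(name)

    return {
        "subject_ok": subject_ok,
        "email": email,
        "given_name": (lower.get("givenname") or [None])[0],
        "surname": (lower.get("surname") or [None])[0],
        "permissions": permissions,
        "ignored_attributes": ignored,
    }
```

Running check_assertion on an assertion captured from your own IdP (after you have verified its signature) previews what FastBound would see: whether the Subject qualifies, which value will be taken as the email address, and which account_XXXXXX attributes would be silently dropped because they carry more than one value. encode_permissions and decode_permissions reproduce the arithmetic in the Examples above, using bitwise OR rather than addition so that listing a permission twice cannot produce a wrong mask.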