4 Single Sign-On (SSO)
New users can be invited to OneInsight via the admin interface. They will receive a welcome email as shown in section 1.1 that forwards them to pages where they can set their new password and log in to OneInsight. Please note that Single Sign-On users do not need to be invited because they will be automatically created the first time they log in.
For additional security, Multi-Factor Authentication can be enforced on a per-user basis. This requires a user on an unknown device to enter an additional code that is sent via a text message.
New or existing users can be added to groups or assigned roles. The difference between groups and roles is explained in sections 2 and 3.
OneInsight will show you a list of all roles that are currently defined. One or more permissions can be assigned to users. Roles define what permissions a specific user is granted to perform specific tasks in OneInsight. The list of permissions currently include:
- Show Marketo configuration, such as seeing the REST API credentials from Marketo, the smart list id and landing page domain
- Update Marketo configuration
- Show a list of all campaigns in the admin interface
- Add new campaigns and link them to a campaign in Marketo
- Update existing campaigns in the admin interface, e.g. their name, description or tokens being used
- Delete campaigns in the admin interface
- Run campaigns for individual people
- Show a list of all roles in the admin interface
- Create new roles in the admin interface
- Update existing roles in the admin interface
- Delete roles in the admin interface
- Show all groups in the admin interface
- Create a new group in the admin interface
- Update existing groups in the admin interface
- Delete groups in the admin interface
- Show all users that can currently access OneInsight
- Create non-single sign-on users
- Update attributes of existing OneInsight users
- Delete users
A user’s permissions can be controlled by using roles (as described in section 1.4.2). You can either assign roles to a user directly or assign roles to groups for more complex permission allocation. A user permissions are calculated at every login into OneInsight based on the roles and groups the user is assigned to.
Groups also allow admins to specify the people (i.e. leads) that a user can see. The visibility can be set for any Marketo field, so that some users, for example, might only be able to see people from specific countries. These visibility fields can be set up globally. Please contact OneInsight Support for assistance in setting up visibility fields.
Each user is assigned a “default” group that can be modified, but not deleted. This group can be assigned permissions or visibility rules for new users (Single Sign-On or regular users). For Single Sign-On users, the identity provider, e.g. ADFS, can also send a “groups” claim to Marketo to automatically assign users to other groups. The groups sent from the identify provider are only temporary and are re-evaluated every time a user logs in. These temporary groups are therefore not shown in the list of groups currently assigned to the user.
4 Single Sign-On (SSO)
OneInsight supports Single Sign-On using SAML protocols (support for additional protocols will be added in a future release). Users can log in to OneInsight using the service provider or the identity provider initiated flow.
Please contact OneInsight Support for further instructions on how to setup Single Sign-On.