Does Uncommon Giving support workplace single sign-on (SSO)?

Your employees can easily log into their Uncommon Giving accounts using your organization's SSO!

Here are some details on how SSO works with the Uncommon Giving (UG) application, and what you'll need to configure on your end within your IdP.


Overview


The Uncommon Giving application supports IdP-initiated SSO for both workplace admins and employee giver accounts. Employees will need to be added to the roster and sent invitations using the standard workflows that exist within UG today. This allows you to control (from the UG application side) which of your employees are able to SSO into UG. Employees will need to accept the invitation and go through the standard account creation process to create their Uncommon Giving account and join it to your workplace.


Once created, employees will be able to sign into UG using their username and password *or* through the SSO link you'll provide through your IdP. Employees who are archived on the roster will not be able to use SSO, but they will still be able to sign in to UG using their username and password (operating as a standalone account, no longer in the context of your workplace).

Configuration

1. (Client) Register a new SAML application within your IdP using the following values (these values aren't sensitive, and are specific to your workplace):
    • Single Sign On URL:
      • https://api.uncommongiving.com/api/v2.0/workplaces/workplace/PLACEHOLDER/sso/acs
    • Audience URI (aka SP Entity ID):
      • https://api.uncommongiving.com/api/v2.0/workplaces/workplace/PLACEHOLDER/sso/acs
    • Name ID format:
      • Email Address
    • Configure the following named user attributes (matching the corresponding identity values from your IdP):
      • FirstName
      • LastName
      • Email

2. (Client) Depending on your IdP, you may also need to grant your employees access to the SAML application so that it appears when they log into your IdP. This is a mechanism you can use (within your IdP) to control which of your users are able to access UG: only users who've been granted access within your IdP will see the UG application on their dashboard/gallery.


3. (Client) Once registered, locate your SAML application's metadata URL and send it to Uncommon Giving (it's not sensitive). The metadata URL should return a response similar to this (the xxxxxx values are placeholders that will be specific to your IdP and SAML application):

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="xxxxxx">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>xxxxxx</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="xxxxxx"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="xxxxxx"/>
    </md:IDPSSODescriptor>
</md:EntityDescriptor>

4. (Uncommon Giving) After you provide the metadata URL to UG staff, our team will enable SSO for your workplace using that URL.


5. (Client) Within UG, add employees to the roster and send out invitations. Invitations sent by UG will instruct users to create their accounts and join your workplace (standard functionality that exists today).

6. (Client) When users sign in to your IdP and click the "Uncommon Giving" SAML application link, they will be redirected and automatically signed in to UG. Employees will arrive on your workplace profile landing page and admins will land on the workplace overview page.

 

You can proceed with steps 1, 2 and 3 after your workplace is provisioned and we will enable SSO for your workplace when we receive your metadata URL.
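
A pre-flight check you can run on the metadata from step 3 before sending the URL, as an added example (it is not Uncommon Giving's code). It compares the document against the sample response above and returns the SHA-256 fingerprint of each signing certificate, which you can compare with the certificate shown in your IdP's admin console. The names check_idp_metadata and SAMPLE, the idp.example.test URLs and the certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the certificate bytes and URLs are made up for illustration.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.test/app">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(b'constructed, not a real certificate').decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (problems, sha256_fingerprints) for SAML IdP metadata XML."""
    problems, fingerprints = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("root must be md:EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor found"], []
    # A KeyDescriptor with no "use" attribute serves both signing and encryption.
    keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") != "encryption"]
    for cert in (c for k in keys for c in k.findall(".//ds:X509Certificate", NS)):
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except ValueError:
            problems.append("signing certificate is not valid base64")
            continue
        if der:
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        problems.append("no usable signing certificate")
    formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    if EMAIL_FORMAT not in formats:
        problems.append("emailAddress NameIDFormat not advertised")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if not (sso.get("Location") or "").startswith("https://"):
            problems.append(f"non-HTTPS SSO Location: {sso.get('Binding')}")
    return problems, fingerprints
```

Fetch the metadata yourself over HTTPS and pass the response body to check_idp_metadata; an empty problems list means the document has the same shape as the sample response in step 3.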

 

If you have any questions or need more information, please let us know!