Screendragon Single Sign-On (SSO) & SCIM User Provisioning Integration Guide

Modified on Mon, 13 Apr at 2:57 PM

Introduction


Single Sign-On (SSO) enables users to authenticate seamlessly into Screendragon using their organization’s existing identity provider (IdP). This ensures frictionless login, stronger security, centralized identity management, and reduced administrative overhead. Screendragon supports standard SAML 2.0–based SSO, the widely adopted enterprise protocol for secure authentication across cloud platforms.

This article outlines how SSO is implemented with Screendragon, the SAML setup approach, attribute mappings, access controls, and considerations for identity consistency.


SSO Integration Overview

Screendragon acts as the Service Provider (SP) in a SAML integration, while your organization’s identity provider (IdP), such as Azure AD, Okta, ADFS, Ping, or OneLogin, handles authentication.

Once configured:

  • Users log in via your corporate identity system.
  • A validated SAML assertion passes identity attributes to Screendragon.
  • Screendragon authorizes access based on matching user records and your chosen access model.


This reduces password fatigue, centralizes security policy enforcement, and supports enterprise‑scale governance.


Standard SAML 2.0 Setup Approach

Screendragon follows an established and streamlined SAML setup workflow:


Step 1 Screendragon Provides SP Metadata

We will supply the client with Screendragon’s Service Provider (SP) metadata, which typically includes:

  • Entity ID
  • Assertion Consumer Service (ACS) URL
  • Certificate information
  • Binding types


This metadata allows your IdP administrator to configure Screendragon as a trusted SAML application.


Step 2 Client Provides IdP Metadata

Your team must provide your Identity Provider (IdP) metadata, usually as either:

  • A metadata XML file, or
  • A metadata URL


This defines how Screendragon should communicate with your IdP, including:

  • IdP Entity ID
  • Single Sign-On URL
  • Signing certificate


Step 3 Define SAML Attributes

The IdP must send a consistent set of user attributes in the SAML assertion.

The standard Screendragon attributes are:

  • User ID
  • First Name
  • Last Name
  • Email Address


Important Note on User ID Consistency

The User ID can be mapped to any attribute in your IdP (e.g., Employee ID, Username, Email).

However:

  • It must remain consistent, and
  • If Screendragon ingests users via bulk import or API, the User ID in SSO must match the User ID in your ingest template.


This ensures correct user matching and prevents duplicate accounts.


Step 4 Select Your Access Control Model

Screendragon supports two approaches for granting access through SSO:


1. Pre‑Provisioned Accounts Only (Recommended)

Only users who already have an account in Screendragon are allowed to log in.

  • If a user attempts login without a matching account, access will be denied.
  • They will see a message instructing them to contact an administrator.
  • This allows full control over permissions, groups, roles, and onboarding workflows.

Recommended for all enterprises, especially those with structured permission models.


2. Auto‑Create Basic Accounts for Any SSO User

Any authenticated SSO user can enter the platform.

  • Screendragon automatically creates a basic account on first login.
  • No permissions, groups, or roles are assigned automatically.
  • Admins must manually configure the user afterward.

This option is less secure and best suited only for open-access environments.
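The attribute handling in Step 3 and the two access models in Step 4, as an added Python example that is not Screendragon's own code: it pulls the four Screendragon fields out of a constructed SAML 2.0 AttributeStatement, loads a constructed bulk-import (ingest template) keyed by the same User ID, and then decides access under either model. The IdP-side attribute names (UserID, FirstName, LastName, Email), the sample values and the e-mail clash check that flags a User ID mismatch are assumptions for illustration; signature, issuer and audience validation of the assertion is assumed to have already happened upstream.

```python
import csv
import io
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IdP attribute names (left) are assumptions for this example; the Screendragon
# field names (right) are the four the guide lists in Step 3.
ATTRIBUTE_MAP = {
    "userid": "User ID",
    "firstname": "First Name",
    "lastname": "Last Name",
    "email": "Email Address",
}

# Constructed sample assertion. Only the AttributeStatement matters here;
# signature, issuer and audience checks are assumed to have passed upstream.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject><saml:NameID>E10234</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID"><saml:AttributeValue>E10234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada.lovelace@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed ingest-template rows; the User ID column must carry the same
# value the IdP sends in the SSO assertion.
SAMPLE_TEMPLATE = """User ID,First Name,Last Name,Email Address
E10234,Ada,Lovelace,ada.lovelace@example.com
E10777,Grace,Hopper,grace.hopper@example.com
"""


def extract_attributes(assertion_xml):
    """Return the four Screendragon fields from the assertion's AttributeStatement.
    Raises ValueError if any is absent: the IdP must send a complete, consistent set."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name", "").lower())
        value = attr.find("saml:AttributeValue", SAML_NS)
        if field and value is not None and value.text:
            found[field] = value.text.strip()
    missing = [f for f in ATTRIBUTE_MAP.values() if f not in found]
    if missing:
        raise ValueError(f"assertion is missing required attributes: {missing}")
    return found


def load_ingest_template(csv_text):
    """Parse ingest-template rows into accounts keyed by User ID."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["User ID"].strip()
        accounts[uid] = {**row, "User ID": uid, "roles": []}
    return accounts


def authorize(attrs, accounts, model):
    """Apply one of the two Step 4 access models to an authenticated SSO user.
    model is "pre-provisioned" or "auto-create"; returns decision, reason, account."""
    uid = attrs["User ID"]
    if uid in accounts:
        return {"decision": "allow", "reason": "matched existing account", "account": accounts[uid]}

    # E-mail already provisioned under a different User ID: the IdP is sending a
    # different identifier than the ingest template used. Auto-creating here would
    # produce the duplicate account the guide warns about, so surface it instead.
    email = attrs["Email Address"].lower()
    clash = next((a for a in accounts.values() if a["Email Address"].lower() == email), None)
    if clash is not None:
        return {"decision": "deny", "account": None,
                "reason": f"User ID mismatch: SSO sent {uid!r} but this e-mail is provisioned "
                          f"as {clash['User ID']!r}; align the SSO User ID attribute"}

    if model == "pre-provisioned":
        return {"decision": "deny", "account": None,
                "reason": "No Screendragon account found. Please contact an administrator."}
    if model == "auto-create":
        account = {k: attrs[k] for k in ATTRIBUTE_MAP.values()}
        account["roles"] = []  # basic account only; admins assign roles and groups afterwards
        accounts[uid] = account
        return {"decision": "allow", "reason": "auto-created basic account", "account": account}
    raise ValueError(f"unknown access model: {model}")


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    new_hire = dict(attrs, **{"User ID": "E99999", "Email Address": "new.hire@example.com"})
    for model in ("pre-provisioned", "auto-create"):
        accounts = load_ingest_template(SAMPLE_TEMPLATE)
        print(model, authorize(attrs, accounts, model)["decision"],
              authorize(new_hire, accounts, model)["reason"])
```

Run it directly to see the known user allowed under both models and the unknown user denied under the first and auto-created (with no roles) under the second. The mismatch branch is the practical value of the User ID consistency note: if the IdP is configured to send a username where the ingest template used an employee number, the login fails loudly with the reason rather than silently minting a second account.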


SCIM-Based User Provisioning (Automated Lifecycle Management)


Screendragon supports the System for Cross‑domain Identity Management (SCIM) V2 standard to automate provisioning, updating, and deactivation of user accounts from your IdP.


What SCIM Provides

  • Automated user creation

When a new employee joins, your IdP can create their Screendragon account automatically.

  • User updates

Changes to user profile fields (e.g., name, email, department) sync automatically.

  • Automatic deactivation

When a user leaves your organization, SCIM can disable their Screendragon account, ensuring access is revoked instantly.

  • Role & group mapping (if configured)

Depending on IdP configuration and Screendragon’s setup, groups can be used to assign roles, permissions, or team memberships.


Typical SCIM Workflow

  1. A user is created or updated in your IdP (Azure AD, Okta, etc.).
  2. The IdP sends SCIM API calls to Screendragon.
  3. Screendragon creates, updates, or deactivates the user record.
  4. The User ID sent via SCIM must match the User ID used for SSO authentication.
  5. Permissions can be mapped manually or via SCIM groups (depending on configuration).
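The SCIM lifecycle described above (create, update, group mapping, deactivate), as an added Python example that is not Screendragon's code: a small in-memory stand-in for a SCIM v2 endpoint that processes the request shapes an IdP sends, treats `userName` as the Screendragon User ID, and exposes a `can_login` check showing that a SCIM deactivation revokes SSO access immediately. The group-to-role mapping table, the resource ids and all payload values are constructed for illustration; only the SCIM schema URNs are standard.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Hypothetical IdP group name -> Screendragon role mapping for the optional
# "role & group mapping" feature; the names are constructed for this example.
GROUP_ROLE_MAP = {"SD-Project-Managers": "Project Manager", "SD-Viewers": "Viewer"}


class ScimStore:
    """In-memory stand-in for the SCIM v2 endpoint an IdP provisions into.
    handle(method, path, body) returns (http_status, response_body)."""

    def __init__(self):
        self.users = {}   # SCIM id -> User resource
        self.groups = {}  # SCIM id -> Group resource

    def handle(self, method, path, body=None):
        parts = path.strip("/").split("/")
        body = body or {}
        if parts[0] == "Users" and method == "POST":
            return self._create_user(body)
        if parts[0] == "Users" and method == "PATCH" and len(parts) == 2:
            return self._patch_user(parts[1], body)
        if parts[0] == "Groups" and method == "POST":
            return self._create_group(body)
        return self._error(404, f"{method} {path} not supported by this example")

    def can_login(self, sso_user_id):
        """What the SSO flow checks: an account under this User ID exists and is
        active, so a SCIM deactivation revokes SSO access at once."""
        user = next((u for u in self.users.values() if u["userName"] == sso_user_id), None)
        return user is not None and bool(user["active"])

    def _create_user(self, body):
        username = body.get("userName")
        if not username:
            return self._error(400, "userName is required; it carries the Screendragon User ID")
        if any(u["userName"] == username for u in self.users.values()):
            return self._error(409, f"userName {username!r} already exists")
        uid = f"user-{len(self.users) + 1}"
        user = {
            "schemas": [SCIM_USER],
            "id": uid,
            # userName must be the same value the IdP sends as the SSO User ID
            # attribute, otherwise SCIM and SSO will not match the same account.
            "userName": username,
            "externalId": body.get("externalId"),
            "name": dict(body.get("name", {})),
            "emails": list(body.get("emails", [])),
            "active": bool(body.get("active", True)),
            "roles": [],  # basic account; roles come from groups or admins later
        }
        self.users[uid] = user
        return 201, user

    def _patch_user(self, uid, body):
        user = self.users.get(uid)
        if user is None:
            return self._error(404, f"User {uid} not found")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() not in ("add", "replace"):
                return self._error(400, f"unsupported op {op.get('op')!r}")
            # Two PatchOp shapes IdPs commonly send: {"path": "name.givenName",
            # "value": ...} or {"value": {"name.givenName": ..., "active": false}}.
            if "path" in op:
                self._set_path(user, op["path"], op["value"])
            else:
                for attr_path, value in op["value"].items():
                    self._set_path(user, attr_path, value)
        return 200, user

    def _create_group(self, body):
        gid = f"group-{len(self.groups) + 1}"
        members = [m["value"] for m in body.get("members", [])]
        group = {"schemas": [SCIM_GROUP], "id": gid,
                 "displayName": body.get("displayName"), "members": members}
        self.groups[gid] = group
        role = GROUP_ROLE_MAP.get(group["displayName"])  # optional role mapping
        if role:
            for member_id in members:
                user = self.users.get(member_id)
                if user is not None and role not in user["roles"]:
                    user["roles"].append(role)
        return 201, group

    @staticmethod
    def _set_path(resource, attr_path, value):
        keys = attr_path.split(".")
        target = resource
        for key in keys[:-1]:
            target = target.setdefault(key, {})
        target[keys[-1]] = value

    @staticmethod
    def _error(status, detail):
        return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


if __name__ == "__main__":
    store = ScimStore()
    _, user = store.handle("POST", "/Users", {"schemas": [SCIM_USER], "userName": "E10234",
                                              "name": {"givenName": "Ada", "familyName": "Lovelace"}})
    store.handle("POST", "/Groups", {"schemas": [SCIM_GROUP], "displayName": "SD-Project-Managers",
                                     "members": [{"value": user["id"]}]})
    print(store.can_login("E10234"), store.users[user["id"]]["roles"])
    store.handle("PATCH", f"/Users/{user['id']}", {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})
    print(store.can_login("E10234"))
```

The point to take from `can_login` is that SSO and SCIM must agree on the identifier: the IdP's SCIM `userName` and its SAML User ID attribute have to be the same value, or a deactivation via SCIM will flip `active` on an account the SSO flow never looks up.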

