Aurora: Multi-Auth SSO
Communities require diverse authentication methods to accommodate varying member segments like employees, customers, etc.Admins can offer multiple sign-in options simultaneously, providing enhanced flexibility. These options include: Khoros SSO Up to three IDPs for SAML More than three IDPs for OIDC/OAuth2 (OIDC can be configured via admin only) To edit these settings, go to Settings > Systems > ACCOUNT > Sign-in. If Sign-In Display is not displayed, contact Khoros Support and request that the Multi-Auth feature be enabled. Edit the Sign-In Display option to configure the sign-in options you want to provide your members and how you want to display the sign-in options. Below is an example on the list of sign-in options you can configure. From here, you can: View all available sign-in options for your community. Add a welcome note that is displayed to users on the sign-in page. Turn on or off the sign-in options you prefer. Edit the labels of the sign-in buttons. Rearrange the order in which the sign-in options appear on sign-in pages. Choose to display the sign-in options as buttons for member sign-in. If you select the Display as sign-in button option, members see a sign-in button. If you de-select this option, members see a sign-in form instead. Related topics: About Khoros Aurora Single Sign-On (SSO) Khoros Aurora SSO auto-sign in Configure SSO settings for the community214Views3likes0CommentsAurora OpenID Connect/OAuth 2.0 setting descriptions
This article describes all the OIDC- and OAuth2.0-related settings within Settings > System > Account > OIDC/OAuth Providers. If OIDC/OAuth Providers and its subsections are not displayed in the panel on the left, contact Khoros Support and request that the OIDC/OAuth feature be enabled. Learn more about the OIDC/OAuth 2.0 feature. Provider Information Name: Desired name to label this provider within the settings. ID: Desired ID to give to this provider. This ID is used within the Sign-in URL and Registration URL that are defined in Settings > System > Account > Single Sign-On (SSO). Client ID: The Client Identifier used to validate against the authorization server. Client Secret: The Client Secret used to validate against the authorization server. Authorization URL: The authorization endpoint which will return either the authorization code (Authorization code flow) or the ID token (implicit flow). Response type: Community only supports the Authorization Code flow; code is the default value for Authorization code flow. Scope: Defines what access privileges are being requested. To use OpenID Connect requests, openid value must be used. If supported, other scope values may be profile, email address, address, and/or phone. The scope defined here will determine which Claims are returned from either the ID Token or User Info endpoint. Multiple values input here must be separated by a comma. Add Static Parameters: Add any additional parameters that should be sent with the authorization URL during sign-in by clicking Add Parameter. You must enter the Key and Value. This can be used for passing optional parameters such as max_age, claims, etc. Persist parameters: When enabled, any query string parameters passed to the Khoros OIDC sign-in endpoint will be passed through to the Authorization URL upon sign-in. Parameters to be persisted can be added to the Registration page and Sign-in page URLs defined in general SSO settings for the community. Enable PKCE: Turn on this option to enable Proof Key Code Exchange for the authorization code flow. The OpenID Provider must also be configured to support this flow. Token URL: The token endpoint which will return the ID token. Client auth method: Authentication method to the token endpoint. Only two methods are supported, with the option to disable only if PKCE is being used. client_secret_base: Uses HTTP basic authentication. client_secret_post: Includes the client credentials in the request body. none: For security purposes, this should be chosen only if PKCE is used. Static Parameter (optional): Any static parameters that are used to request a token can be defined here. Header parameters (optional) Claim mapping (ssoid required): Any Claims returned from the token endpoint can be mapped here to an Aurora community profile attribute. JWT Options Note: The following options apply only to OIDC setups. Audience Override: (OIDC only) Audience is used in JWT validation. By default, JWT validation checks if the Audience (aud) claim in the JWT matches the client ID. If another aud claim is expected, enter it here. Issuer: (OIDC only) Should be set to the OpenID provider. Typically, it is the same as the Token endpoint. JWKS URI: (OIDC only) This URL contains the verification keys that are used in JWT validation. Disable JWT validation (for testing purposes only): (OIDC only) OpenID Connect flow must use JWT Validation according to spec. User Info (Optional) URL: URL of user info endpoint that is used to retrieve user information. The user info endpoint uses Bearer Authentication, if a URL is provided, then the token endpoint MUST return an Access Token. User attributes can also be obtained directly from the id_token where available. Use POST request: By default, the user info endpoint is called with a HTTP GET. Turn on this option if HTTP POST should be used instead. Static Parameters: Any static parameters that are used for the user info endpoint can be defined here. Header Parameters: Add any additional parameters that should be sent with the header during sign-in. Add Claim Mapping: Any claims returned from the user info endpoint can be mapped here to a Community profile attribute. These are used to specify key value pairs of claim values to be stored in the user's profile. The claims mapping is applied to the /token call response itself unless the id_token property is present, in which case the mapping is applied to that JSON body. Be aware of the following considerations when mapping user claims to community user attributes: ssoid: You must provide a mapping for this user attribute. The value of the user must be both unique and immutable. Additionally, the value is case sensitive. email: The value for the user must be unique. If you are unable to supply a user’s email address via the login flow, open a Support ticket to ask about having the user SSO registration page enabled to allow the user to be prompted to set their email address on first login. login: This must meet character requirements. roles.grant or roles.remove: If you supply mapping for these attributes, the value mapped must be a comma-separated list of role names, and those roles must already exist in the community. profile.url_icon: The user’s Community profile image can be set to a remotely hosted resource so long as it is accessible to the Community. Note: For other common profile fields, refer to User profile data in the Khoros Developer Docs. Logout (Optional) RP Initiated Read more information on OpenID Connect Relying Party (RP) logout. RP URL: The URL that is called when using Khoros /sso_logout_redirect endpoint. A back-channel request will be made to this logout URL passing the user’s access token. This URL is expected to sign out the user from the provider and functions as a single logout. Authorization method: Authorization method used when calling the logout endpoint. Basic uses the client ID and client secret in the Authorization Basic header. Bearer uses the user’s access token in the Authorization Bearer header. With None, no Authorization header is passed with the sign-out request. Token method: Optional field and not typically needed if the authorization method is set to Bearer. Selecting Form URL Encoded Body passes the user’s access token as application/x-www-form-urlencoded. JSON Body passes the user’s access token as application/json. RP param name: When the token method is set to Form URL Encoded Body or JSON Body, use this setting to specify the name of the parameter to pass. Defaults to token. RP Params passthrough: When enabled, any query-string parameters passed to the Khoros OIDC logout endpoint are passed through to the Logout URL during sign-out. Static Parameters: Additional parameters that should be passed to the Logout URL. OP Initiated OP enabled: When this setting is turned on, the logout endpoint can be used by the OpenID Provider (OP) initiated logout flows. OP allow iframe: When this setting is turned on, it allows the logout endpoint to be called via iframe and allows use with front-channel logout flows. OP URL: Users that browse to the logout endpoint are redirected to the specified post sign-out redirect URL after being signed out. By default, users are redirected to the community front page. Note: For private communities, this may result in immediately redirecting the user to sign in again. If you have a private community, you may want to specify an external URL (for example, on your .com). OP iframe redirect url: Use this to specify which URLs may place the logout endpoint in an iframe. In practice, this sets the Content Security Policy response header frame ancestor's value. Frontend Logout Frontend logout URL: If the frontend logout URL field is configured, the user will be sent to this location with their id_token_hint attached upon logout so that they may be cleanly logged out of the IDP. This also makes it possible to overwrite the post_logout_redirect_url if needed. Frontend logout params: Enter any additional parameters that should be sent with the frontend logout URL during sign-out. This can also be used for passing additional parameters. Alternate name for post_logout_redirect_uri: This value overrides the default post_logout_redirect_uri query parameter name. Advanced Redirect URI Override: This setting is primarily for testing purposes and typically not used in production environments. If a different redirect URI needs to be passed to the OP, it can be defined here. Note: The authorization code may be accepted only at the Community generated callback URL. Related topics: About Aurora OIDC/OAuth2.0 SSO166Views0likes0CommentsAurora: Configure SAML for the community
As an Aurora community admin, you can configure authentication for your community and integrate with your SAML IdP. To configure your SAML settings, go to Admin > Settings > System > Account. If SAML and its subsections are not displayed in the panel on the left,contact Khoros Support and request that the SAML feature be enabled. Learn more about Khoros SAML here. For more details regarding individual SAML settings, see About SAML settings. Set up basic SAML Configure your identity provider. Retrieve Community Service Provider Metadata XML: /t5/s/<communityID>/auth/saml/metadata Update the external Identity Provider configuration using values provided by Community SP metadata XML. Go toAdmin > Settings > System > Account. Scroll down to the SAML section, and below SAML Basics, ensure that Enable SSL Authentication is turned on if the SAML setup requires Secure-Sockets Layer (SSL) connection. In the IdP Metadata section, in the Metadata XML area, click Edit to paste your IdP metadata XML, provided by your IdP. In the Assertion to Profile Mapping section, enter the name of the attribute corresponding to the field you want to map from your SAML assertion (see Assertion to profile mapping in About SAML settings). A SAML assertion is the XML document that contains the user authorization details and is case sensitive. The identity provider sends this XML to the service provider. With the exception of the SSOID value, user settings can be gathered either directly from assertion attributes from your identity provider or else can be captured on the SSO User Registration form. Note: Adjustments to the SSO registration form currently require manual configuration by Khoros. When you have finished your SAML configuration and are ready to test, in the Single Sign On (SSO) section, turn on Use Khoros single sign-on (SSO). Set up SP-initiated SAML To set up SP-initiated SAML flow, you must also set up the basic SAML flow. Note: The Registration page, Sign-in page, and Sign-out page URLs (in the Single Sign On (SSO) section) must be preceded by your community ID. Contact Khoros Support and request the Community ID. Go to Admin > Settings > System > Account. In the Single Sign On (SSO) section, below SSO URLs, click Edit. In the Registration page field, enter the URL of the default page to which you want to redirect the users when they click the registration link to register to the community. If you use the (default) SAML POST binding for AuthN requests, then enter /t5/s/<communityID>/auth/saml/doauth/post If you use the SAML REDIRECT binding for AuthN requests, then enter /t5/s//<communityID>/auth/saml/doauth/redirect In the Sign-in page field, enter the URL of the default page to which you want to redirect members when they sign in to the community. If you use the (default) SAML POST binding for AuthN requests, enter /<communityID>/auth/saml/doauth/post If you use the SAML REDIRECT binding for AuthN requests, enter /<communityID>/auth/saml/doauth/redirect In the Sign-out page field, enter the URL of the default page to which you want to redirect members when they sign out of the community. Click Save. Turn on Use Khoros single sign-on (SSO). Set up IdP-initiated SAML To set up IdP-initiated SAML flow, you must also set up the basic SAML flow. If the SAML Request for community sign-in should originate from your Identity Provider rather than from the community itself, a slightly different configuration will be required. Go to Admin > Settings > System > Account. In the Single Sign On (SSO) section, below SSO URLs, click Edit. In the Registration page and Sign-in page fields, enter the URLs for your Identity Provider’s SAML sign-in/registration services. This is in contrast to SP-initiated configuration, which would specify community-specific SAML authentication services. In the Sign-out page field, enter the URL of the default page to which you want to redirect the members when they sign out of the community. Click Save. When you have finished your SAML configuration and are ready to test, in the Single Sign On (SSO) section, turn on Use Khoros single sign-on (SSO). Note: The query parameter that carries the community resource URL initially requested by the user when they sign in must be persisted with the SAML Response sent from your Identity Provider. This is to ensure the user lands on the community page where they signed in. This query parameter name is configurable using the Return Value Parameter Name setting. Ensure that the same parameter name used when the user is directed to your IdP is also sent with the SAML Response.223Views0likes0CommentsAurora Product Coaching Session: Spam Management Best Practise
Khoros Communities platform offers several settings and features that allow you to mitigate Spam in your community. Join ourSpam Management Best Practice coaching session to identify, filter and deal with spam effectively. Our coaching session will guide you through the practical tips and techniques to help combat spam and help maintain the hygiene of your community. Topics covered in the coaching session Overview of Aurora spam settings and functionality Manage Content dashboard related to spam management and its features Using roles and ranks to configure permissions to check spammers Content Filters Best practice tips Notes - Admin permissions are required to conduct the call. 👉Click here to Sign Up Related Resources Enable Spam Management Community Spam Management Review Posts Captured as Spam Khoros Academy: Communities Moderation Essentials Khoros Academy Instructor Led Training: Spam Management for Communities Aurora51Views0likes0CommentsAurora: Redirect user to related content
When you archive content, you can provide a permanent redirect link to related content within the community or an external page. Members who attempt to access archived content (via permalink) see a notification indicating that the content has been archived and redirected to relevant information. Though this is optional, it is best practice to provide a related link to relevant content while archiving. For instance, if a Google search result suggests a piece of content that was archived in your community and members select that link, they are automatically redirected to the related content in your community. As the redirection occurs for several members, the Google crawlers understand that the old link is replaced and boost up the new link's ranking instead of the old link. If you didn’t do this when you archived the article, you can opt to add it later from the Archives page. Add a URL to related content Sign in to the community Select Archives on the Manage Content dashboard. Select the Options (...) menu and select Add Link to Related Content. A window to enter the URL opens. Enter a link to the relevant content in your community. Select Add. The entered link is added. After an article is archived: Members who are not admins or moderators are redirected to the page that was added as related content. If no redirect URL is provided, they land on an empty page as shown below. Community admins and moderators land on the original page and see a notification that the page was archived. A link to the related article is provided. Furthermore, you can edit the added link from the archived page by opening the Settings menu and selecting Edit Link to Related Content. Add a URL to an external page You can also redirect members to external pages outside the community. To achieve this, toggle on External URLs under Settings > Features > Moderation > Content Archive.11Views0likes0CommentsAurora: Unarchive Content
When content is unarchived, it returns to its original location in the community before it was archived. The position of the original board list is also retained. The article's publish/last updated date is retained. Also, you cannot unarchive content whose board has been deleted. Assume that topic B was archived from the board list with topics A, B, C, D, and E. If topic B is later unarchived, it returns to its original position, and the board list again shows topics A, B, C, D, and E and not A, C, D, E, and B. To unarchive content: Go to the Manage Content page. Select Archives. Select the Options menu (...) in the row of the content you want to unarchive. Select Unarchive. The original location of the archived post is selected by default: You can also choose to unarchive the content to another location in the community. 5. Select Unarchive. You receive confirmation that the post is unarchived to the selected location. As shown below, you can also unarchive the content from the content page by opening the Settings menu and selecting Unarchive.Aurora: Delete Archived content
To delete content: Go to the Manage Content page. Select Archives. Open the Options menu in the row of the content you want to unarchive. Select Delete. A window to confirm the delete action opens. 5. Select Delete. The archived content is permanently deleted from the community and cannot be retrieved.Aurora: Archive Content
Note: If you archive content from a board and then delete the board, you cannot recover the archived content. No notifications are sent to the members who authored the article that their content has been archived. Moderators can send private messages to community members whose content has been archived. To archive a knowledge base article, blog post, discussion, event, or an idea: Sign in to the community with appropriate roles or permissions. Go to the content you want to archive. Open the Options menu and select Archive. A window to enter a link to redirect users to a page within the community or an external page opens. (Optional) Enter a valid link. Select Archive. You receive a confirmation that the content has been archived. You can view the archived content from theManage Content dashboard.15Views0likes0CommentsAurora: About Content Archive
Active communities, especially those of large enterprises, tend to have a lot of content. Over time, these communities can become cluttered with outdated, misleading, or obsolete content, making it more difficult for members to find the content they need. To keep content and conversations fresh and relevant, good content hygiene is important. Admins and moderators should regularly review site content and archive content that is no longer accurate, timely, or relevant. Aurora Communities include a Content Archive feature. When Content Archive is enabled, members with the appropriate permission can: Archive/unarchive knowledge base articles, blog posts, discussions, events, and ideas. Provide links to updated or related content in place of the archived content. Access all archived content from Manage Content dashboard . Note: You can archive only at the main thread. Individual replies or whole boards/categories cannot be archived. All user stats (likes, comments) achieved on archived content are retained. No notifications are sent to members when content is archived/unarchived. Admins and moderators can choose to send private messages to members as deemed necessary. Archival process Permissions Admins, moderators, or members with the Manage content archival permission can archive community content. Enable Content Archive feature Toenable content archiving in your community, toggle on the Content archive option under Settings > Features > Moderation > Content Archive. Note: This feature is only set at the community level. Archiving content After the above mentioned roles or permission is granted and the Content Archive feature is enabled, members can see the Archive option from the Options menu on the content page.Select Archive to begin archiving the content. Below is an example from a discussion page. View archived content Admins and moderators or members with appropriate permissionscan view all archived content from the Manage Content dashboard on the Archives tab. From here, they can unarchive, delete, or add a link to redirect users to related content.44Views0likes0CommentsAurora: Set up content filters
In addition to the default content filters provided in Aurora, you can create community-level content filters and configure them to perform the appropriate actions in the respective areas across the community. Also, you can add terms to the existing filters or edit filter information, as required. View content filters Admins and members with permission can access the Content Filters in the Moderation settings area (from the Settings > Features > Moderation). The Content Filters tab includes the default filters as shown below: The Content Filters tab lists: Filter Name: Name of the content filter. Action: The action the filter performs when the system finds it in the community. Actions can be Do not allow, Replace term, Check inline HTML and do not allow, and Take no action. Term Count: The number of terms defined for the filter. You can edit and add terms to the default filters or add a new filter. When the number of filters in the Content Filters tab exceeds 25, you can use the Filter by name field to quickly find the filter you want. Add filter To create a new content filter: Sign in to the community as an Admin. Open the Account menu and go to Settings > Features. Select Moderation. In the left column, selectContent Filters. Select Add Filter. Enter the Filter name. Select a Filter action: Do not allow Prevents members from posting content or replies, registering to the community, adding tags, updating profile information, and sending private messages till the filter term is removed. This more heavy-handed approach runs the risk of either challenging members to find a way to defeat it or alienating them. Replace term Replaces the offensive term with another term. This is the most common way of handling smut filter infractions. You can configure what term to replace words that match this filter in the Replacement term field. Check inline HTML and do not allow Prevents the members from posting anything that contains a filtered term after ignoring inline HTML. Take no action Does not take any action on filtered terms that appear across the community other than sending to the Manage Content > Abuse tab for moderator’s review If the Filter action is set as Replace term, in the Replace with field, specify the replacement term. The content filter replaces the filtered term with this replacement term. If you want to set term-level replacements, you can edit the terms after creating the filter. In Apply filter to field, select the areas where you want the filter to be applied. You can apply the filter to content, private messages and invitations, username, profile information, and tags. (Optional) If you want the filter to treat terms with diacritic marks the same as those without (for example, “chëēse” would be interpreted the same as “cheese”), turn on Ignore diacritics. In Terms to filter field, enter the terms you want to filter. Note that you can enter only one term per line. SelectAdd. The new filter is added to the list of content filters. You can edit the filter information and can add more terms to the filter. (Optional) For the Replace term filter action, if you want to add optional replacement terms for a certain term, open the Options menu for that term, select Edit, and enter an Optional replacement term. If you do not specify the Optional Replacement Term, the term is replaced with the default replacement term specified in the Replace with field.165Views0likes0Comments