Brandfolder SAML Information

Increasing security and ease of use for all users is always top priority at Brandfolder. With SAML (Security Assertion Markup Language) we are able to easily implement a seamless authentication process for all users.


We are able to connect with any SAML 2.0 authentication provider. Below are some of the providers we have specific integrations and connectors with:

  • Azure
  • Okta
  • OneLogin
  • IBM

Through the Okta platform we have specific information in regards to initial set up. Click here to see the documentation.

Options for User Access:

  1. General Access Setting - Admins at the Organization level can enable general access for all users. This is done through the UI by navigating to the Organization level > Settings > Manage Users.  mceclip0.png
    • Once in the Manage Users Modal, select the Organization, a specific Brandfolder, or Collection that you want users to access.
    • Once you have selected the desired resource, in the top right hand corner you will find a drop down for Default Permission Level. Here you can select None, Guest, or Collaborator.
    • When this setting is enabled, any user who logs in through SAML will automatically be given access to a specific Brandfolder and/or Collection at the specific permission level that you designated.
    • Be super careful when adding default permissions at the Organization and Brandfolder level.
  2. Team Access Settings - For this option Admins will work with the Brandfolder team to setup teams. Teams allow for a specific group of users that have been set up within the IdP to gain a specific level of access within Brandfolder. This allows for some or all users to be divided into specific teams (or departments) to allow for different privacy levels across different Brandfolders and/or Collections.
    • This can be accomplished by releasing a custom attribute in the SAML response named teams with the associated group value.
    • It can also be handled by releasing a specific claim if you are using ADFS as your IdP. T
    • Once configuration is complete on your end you will want to fill out the Team Configuration document attached at the end of this article and send it to Brandfolder support at or your designated Brandfolder contact. 
    •  This document must include:

      • Team Value (the group name)
      • The access level the team value should receive (Organization, Brandfolder, Collection)
      • The permission level the team should receive (Owner, Admin, Collaborator, Guest)
  3. Custom Access - If the two options above do not work for your use case then an administrator of the organization is able to add a user to a specific Brandfolder and/or Collection outside of the traditional team/general access granted. You can learn more in the User Management, Invitations, and Messaging Knowledge Base

Attributes for User Profiles 

  • We require the nameid for the user to be an email address.
  • We recommend passing the user’s first name: “givenname” and last name: “surname”.
  • You can also pass along the company, title, and department associated with a user. 

The options in the arrays below are potential values that Brandfolder looks to map off of. These options are beneficial when tracking analytics around your assets. 

 def self.userattr_samlattr_mapping
"first_name": ["first_name", "firstname", "givenname"],
"last_name": ["last_name", "lastname", "surname"],
"company": ["company", "company_name"],
"title": ["title"],
"department": ["department"]

Brandfolder SSO Information

SSO (Single Sign On) is another option for user authentication through Brandfolder. SSO gives clients the ability to integrate whichever user account system they have in place with Brandfolder, in order to reduce the amount of passwords and login screens users have to manage.


If you have any additional questions on SSO or SAML configurations please contact

Was this article helpful?
0 out of 0 found this helpful

Articles in this section