Single sign-on

Shutterstock's federated identity offering allows our customers' employees to log in to Shutterstock's applications via their company's single sign-on (SSO) system. The customer configures their identity provider (IdP), such as Auth0, Ping Identity, or Okta to integrate with Shutterstock by exchanging Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM) data. Then, the customer's employees authenticate with the IdP and are redirected to Shutterstock, where they can use Shutterstock applications without needing a separate Shutterstock account or password.

Supported identity providers

Currently, Shutterstock maintains integrations with these IdPs. Contact us to see if we can add support for the tools that you use for identity management.

For information about setting up an integration with each of these IdPs, see Identity provider setup.

Features

Shutterstock's federated identity offering is SAML 2.0 compliant and provides the following features:

  • On-demand account provisioning

    Shutterstock creates accounts automatically when users log in through SAML, so your employees do not need a pre-existing Shutterstock account.

  • Provisioning for pre-existing users

    If an employee already has a Shutterstock account, our identity management system links that account to their account on your identity provider.

  • Automatic de-provisioning

    You can remove employee access to company resources directly from your identity provider via SCIM.

  • Roles and permissions

    Each employee account has a role that controls what that account can do. You can set individual accounts to be allowed only to browse and search and set other accounts to be able to license and download media.

    See Assigning permissions.

  • Provisioning for organizations

    Shutterstock enterprise customer accounts are associated with organizations (also referred to as "teams"). Customers can set a default organization for new accounts or pass information about customer organizations along with SAML credential requests.

    See Assigning organizations.

Definitions

  • Federated identity (FI): Federated identity is functionality that allows a user's identity information to be accessed across systems. Federated identity allows one system to authenticate a user and another system to trust that authentication and receive the user's information.

  • Single sign-on (SSO): SSO allows a user to sign in to one system and gain access to other systems without signing in again.

  • Security Assertion Markup Language (SAML) and System for Cross-domain Identity Management (SCIM): SAML and SCIM are open standards for communicating user information between systems. SAML is an XML-based format for exchanging authentication assertions between an identity provider and a service provider; SCIM is a standard for provisioning and de-provisioning user accounts across systems.

  • Service provider (SP): In the context of federated identity management, a service provider is a business or application that delegates user authentication for its services to a third-party identity provider. For example, Shutterstock acts as a service provider by accepting identity information from third-party systems.

  • Third-party identity provider (3P IdP): An IdP is software that provides identity management services, such as Okta, Ping Identity, and OneLogin.

User provisioning

If a user logs in to Shutterstock through your identity provider and there is no Shutterstock account associated with that user's email address, Shutterstock creates an account for that user automatically. New users should log in to Shutterstock through the identity provider in this way, instead of creating accounts manually on shutterstock.com. If a user creates an account directly on shutterstock.com, that account is not automatically tied to your enterprise account and is not managed through your identity provider.

If there is an existing account tied to that email address, Shutterstock logs the user into that account. The user has the same roles that the existing account has unless you pass other roles with the SAML assertion as described in Assigning permissions.

Individual email addresses can be connected to multiple Shutterstock accounts. If a user logs in through federated identity and their email address is connected to multiple accounts, by default Shutterstock logs them into the first account that was created with that email address. Your account representative can provide a list of email addresses and user accounts in your account so you can tell the users which account they sign in to. To change which account users sign in to, contact us.

User deprovisioning

Shutterstock supports account deprovisioning through SCIM. To use SCIM deprovisioning, you configure your identity provider to send a SCIM request to Shutterstock when you remove a user from the application in the identity provider. Shutterstock receives the SCIM request and removes the user from the relevant organizations.
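The following is an added illustration, not Shutterstock's own code, of the provisioning rules in the User provisioning section (create on first login, link a pre-existing account, default to the earliest-created account when one email has several, let roles in the assertion override) together with SCIM deprovisioning as described above. Role and organization names, the support-maintained override map, and the SCIM request shapes handled are assumptions.

```python
# Added illustration (not Shutterstock's code) of the account-resolution rules
# above and of SCIM deprovisioning. Roles, organizations and the override map
# are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Account:
    id: int
    email: str
    created: str                      # ISO-8601 timestamp; earliest wins
    roles: set = field(default_factory=set)
    orgs: set = field(default_factory=set)
    idp_linked: bool = False          # True once linked to the customer's IdP

def _deactivates(op):
    """True if a SCIM PatchOp operation sets active=false (either form)."""
    value = op.get("value")
    if op.get("path") == "active":
        return value is False or str(value).lower() == "false"
    return isinstance(value, dict) and value.get("active") is False

class Directory:
    def __init__(self, accounts=()):
        self.accounts = list(accounts)
        self.preferred = {}           # assumed: email -> account id, set by support

    def resolve_login(self, email, asserted_roles=None, default_org="team-default"):
        """Return the account a SAML login lands in, creating it if needed."""
        key = email.lower()
        matches = [a for a in self.accounts if a.email.lower() == key]
        if not matches:               # on-demand provisioning
            acct = Account(len(self.accounts) + 1, email,
                           datetime.now(timezone.utc).isoformat(),
                           set(asserted_roles or {"browse"}), {default_org}, True)
            self.accounts.append(acct)
            return acct
        if key in self.preferred:     # support-configured override
            acct = next(a for a in matches if a.id == self.preferred[key])
        else:                         # default: first account created
            acct = min(matches, key=lambda a: a.created)
        acct.idp_linked = True        # link the pre-existing user to the IdP
        if asserted_roles:            # roles passed in the assertion win
            acct.roles = set(asserted_roles)
        return acct

    def scim_deprovision(self, user_id, patch=None):
        """Handle SCIM DELETE /Users/{id} (patch None) or a PATCH body."""
        acct = next(a for a in self.accounts if a.id == user_id)
        if patch is not None and not any(map(_deactivates, patch.get("Operations", []))):
            return acct               # PATCH did not deactivate the user
        acct.orgs.clear()             # remove the user from the organizations
        acct.idp_linked = False
        return acct
```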

Login flows

Enterprise customer employees can access Shutterstock via federated identity management in two main ways: they can start by accessing the Shutterstock web application, or they can start by authenticating to the company's IdP.

Shutterstock-initiated login flow

  1. The customer employee accesses a Shutterstock web application directly and enters their user name.
  2. Shutterstock identity management detects that the user name is in a federated identity integration and forwards the employee to the identity provider.
  3. The customer employee logs in to the identity provider.
  4. The identity provider redirects the employee to the Shutterstock web application via a SAML assertion that confirms their identity.

This diagram shows an overview of the Shutterstock-initiated login flow:

Identity provider-initiated login flow

  1. The customer employee logs in to the identity provider.
  2. The identity provider redirects the employee to the Shutterstock web application via a SAML assertion that confirms their identity.

This diagram shows an overview of the Identity provider-initiated login flow:
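As an added example that is not part of the original page or Shutterstock's implementation, the two service-provider steps of the Shutterstock-initiated flow above: step 2, deciding from the user name whether the login belongs to a federated integration, and step 4, checking the SAML assertion the identity provider redirects back with before trusting its subject. The domain-to-IdP map, the audience URL and the sample response are constructed; XML signature verification is assumed to happen before the checks shown.

```python
# Added illustration (not Shutterstock's code) of the service-provider steps in
# the Shutterstock-initiated flow. URLs and sample values are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FEDERATED_DOMAINS = {"example.com": "https://idp.example.com/sso/saml"}  # assumed

def idp_for_username(username):
    """Step 2: return the IdP login URL for a federated domain, else None."""
    domain = username.rpartition("@")[2].lower()
    return FEDERATED_DOMAINS.get(domain)

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def accept_assertion(xml_text, expected_audience, now_iso):
    """Step 4: validate the redirected assertion and return the asserted email.
    The XML signature check (omitted here) must pass before this runs."""
    now = _ts(now_iso)
    assertion = ET.fromstring(xml_text).find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for this service provider")
    return assertion.find("saml:Subject/saml:NameID", NS).text

def rejection_reason(xml_text, expected_audience, now_iso):
    """Convenience wrapper: None when accepted, else the rejection message."""
    try:
        accept_assertion(xml_text, expected_audience, now_iso)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample of what the IdP posts back in step 4 (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>ana@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.org/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```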