Custom Domain
Custom domains allow you to personalize your Wallboard experience with your organization's branding while enabling secure Single Sign-On (SSO) integration. Instead of accessing Wallboard through a generic URL, your team can use a custom domain that reflects your company's identity.
When You Need a Custom Domain
Custom domains are required for organizations that want to:
- Enable SAML Single Sign-On: Integrate Wallboard with your company's existing authentication system (such as Azure Active Directory, Google Workspace, or other identity providers)
- Company Branding: Provide a branded login experience that matches your organization's domain
How to Get a Custom Domain
Custom domains are subdomains under Wallboard's own domains (e.g., yourcompany.wallboard.info or yourcompany.wallboard.us). Custom domains can only be created under *.wallboard.info or *.wallboard.us.
Setup requires server-side configuration that only the Wallboard team can perform.
To request a custom domain, contact [email protected].
Domain Settings
Once your custom domain has been set up, the Domain card displays your domain configuration.
| Setting | Description |
|---|---|
| Domain url | Your custom domain URL (e.g., yourcompany.wallboard.info). This is set by the Wallboard team and cannot be changed. |
| Domain default language | The default language for the login page and system messages on this domain. |
Setting Up SAML SSO
If your previous SSO configuration used a single comma-separated string for custom mappings (e.g., role-TECHNICIAN,team-abc123,ui-profile-432), this format is not currently supported by the new SAML settings. Before migrating, reconfigure your identity provider to send each value as a separate attribute value. Comma-separated value support will be added in an upcoming version. This does not affect new SAML SSO setups.
Once the Wallboard team has set up your custom domain, follow these steps to configure Single Sign-On.
Prerequisites
Before you begin, make sure you have:
- A custom domain set up by the Wallboard team
- Administrator access to your identity provider (Azure AD, Google Workspace, Okta, etc.)
- Administrator access to Wallboard
Step 1: Copy Wallboard's SP Details into Your Identity Provider
Navigate to Customer Settings > Custom Domain > SAML Settings. The SP Details section contains the values your identity provider needs.
| Field | What to Do |
|---|---|
| Audience URI (SP Entity ID) | Copy this and enter it as the "Entity ID" or "Audience URI" in your identity provider. |
| ACS URL (Assertion Consumer Service) | Copy this and enter it as the "Reply URL" or "ACS URL" in your identity provider. |
Click the export icon next to SP details to share your configuration quickly:
- Copy Metadata URL — a URL your identity provider can use to automatically import Wallboard's configuration
- Copy Metadata XML to clipboard — the full metadata as XML text
- Download Metadata XML file — save the metadata as a file
Many identity providers can import the Metadata URL directly, which saves you from copying individual fields.
Step 2: Configure Your Identity Provider
In your identity provider, set up a new SAML application for Wallboard using the SP details from Step 1. Configure your IdP to send the following attributes in the SAML assertion:
| Attribute | Required | Description |
|---|---|---|
| Email | Yes | The user's unique identifier. Must be in email address format and unique across all users. |
| Display name | No | The user's full name or display name. |
| Role | No | The user's Wallboard role (only needed if you plan to sync roles). |
The exact attribute names depend on your identity provider. See Attribute Names by Identity Provider below for the correct values.
Once configured, you will need the following from your identity provider for the next step:
- IdP Metadata URL (recommended) — or the individual values below:
  - IdP Entity ID
  - IdP SSO URL
  - IdP Public Certificate
Step 3: Enter Your Identity Provider's Details in Wallboard
Back in Wallboard, click the gear icon (⚙) next to the IdP configuration heading to open the configuration dialog.
- Select your IdP type from the dropdown:
  - Microsoft (Azure AD / Entra ID) — automatically pre-fills the attribute names for Microsoft's claim format
  - Custom (Generic SAML 2.0) — for all other providers (Google Workspace, Okta, Shibboleth, PingFederate, etc.)
- Enter your identity provider's details — the easiest way is to paste the IdP Metadata URL. Wallboard will automatically fill in the Entity ID, SSO URL, and Public Certificate. If your provider does not offer a metadata URL, enter each field manually:
  | Field | Description |
  |---|---|
  | IdP Metadata URL | Pastes and auto-fills the fields below. |
  | IdP Entity ID (required) | The unique identifier of your identity provider. |
  | IdP SSO URL (required) | The login URL where Wallboard redirects users for authentication. |
  | IdP Public Certificate (required) | The certificate your identity provider uses to sign SAML responses. Wallboard uses this to verify that login responses are genuine. |
- Set the attribute names to match what your identity provider sends (see Attribute Names by Identity Provider):
  - Email attribute name — the SAML attribute containing the user's email
  - Display name attribute — the SAML attribute containing the user's display name
  - Role attribute — the SAML attribute containing the user's Wallboard role (only visible when "Sync User Roles from IdP" is enabled)
  - Teams attribute — the SAML attribute containing Wallboard team IDs (only visible when "Sync Team Assignments from IdP" is enabled)
  - UI profile attribute — the SAML attribute containing the Wallboard UI profile ID (only visible when "Sync UI Profiles from IdP" is enabled)
  - Require encrypted assertions — when enabled, your identity provider must encrypt SAML assertions using Wallboard's SP Certificate (shown in SP Details). Leave disabled unless required.
  - Allow SHA-1 signatures (legacy) — leave disabled unless your identity provider does not support SHA-256
- Click Save.
Step 4: Enable SAML SSO
After saving the IdP configuration, toggle SAML SSO enabled at the top of the SAML Settings page to turn on Single Sign-On for your organization.
Step 5: Configure Custom Mapping (Optional)
The Mapping section lets you automatically sync user roles, team assignments, and UI profiles from your identity provider using custom SAML attributes.
| Toggle | What It Does |
|---|---|
| Sync User Roles from IdP | Assigns a Wallboard role based on a SAML attribute. Accepted values: VIEWER, EDITOR, APPROVER, TECHNICIAN, or OWNER (case-insensitive). |
| Sync Team Assignments from IdP | Assigns users to one or more Wallboard teams based on a SAML attribute containing team IDs. Supports multiple values. |
| Sync UI Profiles from IdP | Assigns a UI profile based on a SAML attribute containing the UI profile ID. |
Team IDs and UI profile IDs can be found in Wallboard under their respective settings pages.
When custom mapping is enabled, if your identity provider does not send the expected attribute for a user, their existing role, team assignments, or UI profile will be removed on next login.
Separate Attributes
Each mapper reads from its own dedicated SAML attribute. Use this when your identity provider supports sending multiple custom attributes. Prefixes are optional — the value can be sent with or without a prefix.
Wallboard configuration:
- Role attribute: role
- Teams attribute: teams
- UI profile attribute: uiProfile
SAML assertion from your IdP:
```xml
<Attribute Name="role">
  <AttributeValue>TECHNICIAN</AttributeValue>
</Attribute>
<Attribute Name="teams">
  <AttributeValue>e7c5a8b5aa06482e8d7573c3b8b5f09b</AttributeValue>
  <AttributeValue>3b94c4c671e34cbaa1198a4c16c8ae5c</AttributeValue>
</Attribute>
<Attribute Name="uiProfile">
  <AttributeValue>432</AttributeValue>
</Attribute>
```
Unified Attribute (Single Claim)
Set all three attribute fields to the same claim name. This is the recommended approach for identity providers that use a single claim for custom values (e.g., Microsoft Entra ID App Roles). When Wallboard detects that multiple mappers share the same attribute, it automatically uses prefix-based filtering — each value must start with the correct prefix so Wallboard can route it to the right mapper.
Wallboard configuration (all three set to the same attribute):
- Role attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
- Teams attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
- UI profile attribute: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
SAML assertion from your IdP:
```xml
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
  <AttributeValue>role-TECHNICIAN</AttributeValue>
  <AttributeValue>team-e7c5a8b5aa06482e8d7573c3b8b5f09b</AttributeValue>
  <AttributeValue>team-3b94c4c671e34cbaa1198a4c16c8ae5c</AttributeValue>
  <AttributeValue>ui-profile-432</AttributeValue>
</Attribute>
```
Required prefixes for unified attribute:
| Prefix | Maps to |
|---|---|
| role- | User role (e.g., role-EDITOR) |
| team- | Team assignment (e.g., team-abc123) |
| ui-profile- | UI profile (e.g., ui-profile-456) |
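To check an assertion against the mapping rules described above before enabling a sync toggle, the following added example (a model of the documented rules, not Wallboard's implementation) routes attribute values to the three mappers and reports values that would be rejected. The function names and the "custom" attribute name are hypothetical; the sample assertions are constructed from the IDs used on this page.

```python
import xml.etree.ElementTree as ET

ROLES = {"VIEWER", "EDITOR", "APPROVER", "TECHNICIAN", "OWNER"}   # accepted role values
PREFIX = {"role": "role-", "teams": "team-", "ui_profile": "ui-profile-"}

def attribute_values(fragment):
    """Map attribute name -> list of values, ignoring XML namespaces."""
    root = ET.fromstring(f"<root>{fragment}</root>")
    found = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Attribute":
            found.setdefault(el.get("Name"), []).extend((v.text or "").strip() for v in el)
    return found

def preflight(fragment, config):
    """config: mapper -> SAML attribute name. Returns (routed, warnings)."""
    attrs, routed, warnings = attribute_values(fragment), {}, []
    names = list(config.values())
    for mapper, name in config.items():
        unified = names.count(name) > 1           # shared attribute: prefix filtering applies
        picked = []
        for value in attrs.get(name, []):
            if "," in value:                      # legacy single-string format
                warnings.append(f"{mapper}: comma-separated value {value!r} is not supported")
            elif value.startswith(PREFIX[mapper]):
                picked.append(value[len(PREFIX[mapper]):])
            elif not unified:                     # prefix is optional with separate attributes
                picked.append(value)
        if mapper == "role":                      # role values are case-insensitive
            warnings += [f"role: {v!r} is not an accepted role" for v in picked if v.upper() not in ROLES]
            picked = [v.upper() for v in picked if v.upper() in ROLES]
        if not picked:                            # page: a missing attribute removes the assignment
            warnings.append(f"{mapper}: no usable value sent")
        routed[mapper] = picked
    return routed, warnings

# Constructed samples.
UNIFIED_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
UNIFIED = f'''<Attribute Name="{UNIFIED_CLAIM}">
  <AttributeValue>role-technician</AttributeValue>
  <AttributeValue>team-e7c5a8b5aa06482e8d7573c3b8b5f09b</AttributeValue>
  <AttributeValue>ui-profile-432</AttributeValue>
</Attribute>'''
LEGACY = ('<Attribute Name="custom"><AttributeValue>'
          'role-TECHNICIAN,team-abc123,ui-profile-432</AttributeValue></Attribute>')

if __name__ == "__main__":
    for sample, claim in ((UNIFIED, UNIFIED_CLAIM), (LEGACY, "custom")):
        print(preflight(sample, {mapper: claim for mapper in PREFIX}))
```

The legacy comma-separated sample routes nothing to any mapper, which is the condition to catch before migrating, because a mapper that receives no value removes the user's existing assignment on next login.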
Example: Setting Up Unified Attribute in Microsoft Entra ID
This is the recommended approach for Microsoft Entra ID (Azure AD).
1. Define App Roles in your app registration
Go to App Registration > App Roles and create a role for each value you want to assign. The Value field is what gets sent in the SAML assertion.
| Display Name | Value |
|---|---|
| Technician | role-TECHNICIAN |
| Editor | role-EDITOR |
| Team Alpha | team-e7c5a8b5aa06482e8d7573c3b8b5f09b |
| Team Beta | team-3b94c4c671e34cbaa1198a4c16c8ae5c |
| Default UI Profile | ui-profile-432 |
Set Allowed member types to "Users/Groups" for each role.
2. Assign users to App Roles
Go to Enterprise Application > Users and groups and assign each user to the appropriate App Roles. A user can be assigned to multiple App Roles — Entra ID sends all of them as separate values under the role claim.
3. Configure Wallboard
In the IdP configuration modal, select Microsoft (Azure AD / Entra ID) as the IdP type. All three attribute fields (role, teams, UI profile) will be pre-filled with http://schemas.microsoft.com/ws/2008/06/identity/claims/role. No additional claim configuration is needed in Entra ID — the role claim is sent by default for App Roles.
Single Sign-On Settings
The Single sign on settings card controls how Wallboard handles users who log in via SSO.
Default role, default teams, and default user interface profile are only used when automatic user creation is enabled and the identity provider does not send a value via custom mapping.
| Setting | Description |
|---|---|
| Hide username and password fields on login page | When enabled, the login page only shows the SSO login option. Users cannot log in with a username and password. |
| Enabled automatic user creation when role and customer information is given | When enabled, users who log in via SSO for the first time are automatically created in Wallboard. |
| Automatic user creation under network members | Legacy setting — do not enable. This was used with the previous SSO system and is not supported with SAML SSO. |
| Default role | The Wallboard role assigned to newly created SSO users when no role is provided by the identity provider. It is recommended to use the least privileged role (e.g., View only) and assign higher roles individually or via custom mapping. |
| Default teams | Teams that newly created SSO users are automatically assigned to. |
| Default user interface profile | The UI profile assigned to newly created SSO users when no profile is provided by the identity provider. |
Branding
Custom domains support branding customization for the login page and browser.
Login Page Background Settings
| Setting | Description |
|---|---|
| Login page background image file extension | The file format for the background image (JPG or PNG). |
| Login page background alignment | How the background image is positioned (Center, Left, Right, etc.). |
| Gradient filter enabled | When enabled, applies a gradient overlay on top of the background image. |
| Login page background image | Upload a background image for the login page. Recommended size: 1920x1080. |
Browser Favicon
Upload a custom favicon that appears in the browser tab. Required size: 16x16.
Branding Settings
Customize the brand logo displayed on the login page and in the application menu.
Only PNG files can be uploaded as branding logos.
| Setting | Description |
|---|---|
| Login page logo enabled | When enabled, the brand logo is displayed on the login page. |
| Brand logo | Upload your brand logo in three sizes for different display densities: 315x65 (1x), 630x130 (2x), and 945x195 (3x). |
| Closed menu brand logo | A smaller logo displayed when the side menu is collapsed. Required size: 76x50. |
Need Help?
Contact us at [email protected] or [email protected]