
Advanced SSO setup guide

  1. Introduction
  2. Key concepts
  3. Default settings
  4. SSO configuration
  5. FAQ (Frequently Asked Questions)



1. Introduction

The following guide contains information on how to configure advanced settings for SSO (Single Sign-On) in Oneflow. 


SSO can be enabled through an extension named Single-Sign-On in Oneflow (Admin / Account / Extensions / Single-Sign-On). Enabling SSO through the extension activates it with the default settings.


If you want to configure advanced SSO parameters, you can do it by requesting it from your CSM (Customer Success Manager).


2. Key concepts

To better understand the details of advanced SSO configuration, several key concepts are introduced below:


  • IdP: Identity provider. This is the organization that provides the Active Directory (AD) services (Azure, Gsuite (Google Workspace), ADFS, Duo, Forgerock, Onetouch, ...).
  • IdP login. The process of logging in on the website https://login.oneflow.com/******** using the credentials provided by the IdP (or other login methods offered by the IdP).
  • Oneflow login. The process of logging in on the website https://app.oneflow.com using credentials (username + password) provided by Oneflow.
  • Oneflow login with redirection. The process of logging in on the website https://app.oneflow.com where, once the email is entered, the password field disappears and the Login button redirects the user to https://login.oneflow.com/********, allowing IdP login.


3. Default settings

Once SSO has been enabled through the extension named Single Sign-On, there are certain configuration parameters that are set by default. 


Default settings.

  • Enforce SSO: disabled. Users can log in both through Oneflow login and IdP login (but not Oneflow login with redirection).
  • Force Authentication: enabled. Users are forced to use their IdP credentials every time they want to log in to Oneflow, even if there is an active session in the IdP.
  • JIT user creation (Just-In-Time user creation): disabled. Only users registered in Oneflow can log in. New, unregistered users have to be invited through Oneflow (Admin / Invite User) by an administrator.
  • Sync groups: None. Groups in the IdP are not synced with groups in Oneflow.
  • Domain: None. There is no domain attached to your SSO configuration.
  • Sync attributes: None. Attributes in the IdP are not synced with attributes in Oneflow.


The SSO default settings allow the following actions and limitations in Oneflow.

  • Registered users can log in through IdP login.
  • Registered users can log in through Oneflow login.
  • Users are forced to use their IdP credentials every time they want to log in to Oneflow, even if there is an active session in the IdP.
  • New users have to be invited through Oneflow (Admin / Invite User) by an administrator.
  • Groups and group members have to be configured in Oneflow by an administrator.
  • Attributes have to be configured in Oneflow by the users themselves.




4. SSO configuration

The following configuration can be modified, based on the needs of your organization.


Enforce SSO (disabled by default)

If enabled, all users of the account can only log in to Oneflow through IdP login or Oneflow login with redirection.


Enforce SSO Exclusion (empty by default, requirement: Enforce SSO enabled)

If Enforce SSO is enabled but there are users (usually administrators, and some other exceptions) who still want the option of using Oneflow login, they can be listed here.


Users that have been created through the IdP (with JIT user creation) don’t have Oneflow credentials, so even if they are added to this list they will not be able to use Oneflow login.


Force Authentication (enabled by default)

If disabled, users who have an active session in the IdP do not need to enter their IdP credentials every time they log in to Oneflow through IdP login. For security, it is recommended to keep Force Authentication enabled unless the IdP uses multi-factor authentication.


JIT user creation (disabled by default)

  • IdP login: If enabled, users who are not registered in Oneflow (but are registered in the IdP) can log in using IdP login, and their Oneflow user is created automatically during the login process.


  • Oneflow login with redirection: For users who are not registered in Oneflow (but are registered in the IdP) to log in using Oneflow login with redirection, all of the following must hold: Enforce SSO is enabled, JIT user creation is enabled, the SSO configuration has a domain, and the domain of the email entered on the Oneflow site (https://app.oneflow.com) during login matches the domain set in the SSO configuration.


Group sync (disabled by default, requirement: Enforce SSO enabled)

If enabled, groups in the IdP can be synced with groups in Oneflow.

The purpose of group sync is to manage the groups in only one place, the IdP. When users are added to or removed from a group in the IdP, the corresponding group in Oneflow is updated when the user logs in to Oneflow.


If group sync is enabled, only the following users can log in to Oneflow:

  • Users belonging to synced groups.
  • Users listed in Enforce SSO Exclusion.


To enable group sync, the groups have to be created both in the IdP and in Oneflow.


Having group sync between the IdP and Oneflow has three main advantages:

  • Security, both regarding ‘who has access to what’ within the organization and as extra assurance that third parties cannot access the contracts in Oneflow.
  • Having all users’ access centralized in the IdP, for purposes beyond Oneflow.
  • Group members can be modified in one place (the IdP) and are automatically synced in the other (Oneflow).


Domain (None by default, requirements: Enforce SSO enabled, JIT user creation enabled)

The domain of an email address is the part after the @. If a domain is set for the SSO configuration, every time an email address with that domain is entered on https://app.oneflow.com, the password field disappears and the Login button redirects the user to log in through IdP login (Oneflow login with redirection).


Default User Role (User by default, requirement: JIT user creation enabled)

There are three possible user roles in Oneflow: Administrator, User and Limited. By default, a user created through SSO gets the role User. This parameter can be modified so that users created through SSO receive a different role.


Attribute sync (None by default)

If enabled, attributes in the IdP can be synced with attributes in Oneflow.
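As an added worked example (not Oneflow’s code or API), the login rules described in sections 3 and 4 and in the FAQ, modelled as a small Python decision function so an administrator can check what a given combination of settings allows before requesting it from the CSM. The names SsoConfig, User and decide_login and the sample emails are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SsoConfig:                 # the parameters this guide describes (illustrative model)
    enforce_sso: bool = False
    exclusion: set = field(default_factory=set)   # Enforce SSO Exclusion (emails)
    jit: bool = False                               # JIT user creation
    group_sync: bool = False                        # requires enforce_sso
    synced_groups: set = field(default_factory=set)
    domain: str = ""                                # requires enforce_sso and jit
    default_role: str = "User"

@dataclass
class User:
    email: str
    registered: bool                 # user already exists in Oneflow
    has_password: bool               # has Oneflow credentials (JIT-created users do not)
    idp_groups: set = field(default_factory=set)

def decide_login(cfg, user, method, seats_available=True):
    """Return (allowed, outcome) for method 'oneflow' or 'idp', following the guide."""
    if method == "oneflow":
        # Enforce SSO: only excluded users with credentials keep the password login;
        # a matching domain turns the form into 'Oneflow login with redirection'.
        if cfg.enforce_sso:
            if user.email in cfg.exclusion and user.has_password:
                return True, "oneflow login (excluded)"
            if cfg.domain and user.email.rsplit("@", 1)[-1].lower() == cfg.domain.lower():
                return decide_login(cfg, user, "idp", seats_available)
            return False, "password login disabled"
        if not (user.registered and user.has_password):
            return False, "no Oneflow credentials"
        return True, "oneflow login"
    # IdP login: group sync restricts access to synced groups or the exclusion list
    in_scope = (user.idp_groups & cfg.synced_groups) or user.email in cfg.exclusion
    if cfg.group_sync and not in_scope:
        if not user.registered and cfg.jit and seats_available:
            return False, "created but deactivated (not in a synced group)"
        return False, "login disabled"
    if not user.registered:
        if not cfg.jit:
            return False, "not registered; invite required"
        if not seats_available:
            return False, "no seats available"
        return True, "created via JIT as " + cfg.default_role
    return True, "idp login"
```

Note that a JIT-created user who was deactivated for not being in a synced group stays deactivated even after being added to the group (FAQ 9); this model returns the same outcome on every retry until the account is activated.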


5. FAQ (Frequently Asked Questions)


  1. I have an active session in the IdP, but every time I try to log in to Oneflow I have to enter my IdP credentials. Is it possible to log in once and stay logged in?
    • Yes, ask your CSM to disable Force Authentication in the SSO configuration of your account.
  2. Our organization has ‘enforce SSO’ enabled, it is the first time I am logging in, and when I enter my email address on https://app.oneflow.com I can’t log in, because I do not have a Oneflow password.
    • If your organization does not have JIT user creation enabled and has not set a domain that matches the domain of your email address, the only way you can log in to Oneflow is through IdP login (see 2. Key concepts). Once your user has been registered in Oneflow you will be able to use https://app.oneflow.com as well.
  3. Our organization has enabled ‘enforce SSO’, but we have some users who would like to use their Oneflow credentials. Is that possible?
    • Yes, ask your CSM to add the users to the ‘Enforce SSO Exclusion’ list. Keep in mind that only users who currently have Oneflow credentials can be listed here.
  4. We have added a new user to AD in our organization, but they cannot log in, although it has worked previously with other users. Why can’t our new user log in?
    • There might be technical reasons behind it, but chances are that there are no available seats in the account. If there are no seats available, your organization can deactivate another user or buy more seats.
  5. We have a large number of users in our AD. Do we have to invite every single user using the ‘Invite user’ function within Oneflow? Is there a way for them to log in to Oneflow directly?
    • It is possible for them to log in directly. Ask your CSM to enable ‘JIT user creation’ for the account. Once enabled, users who are not registered in Oneflow (but are registered in AD) can log in to Oneflow and have their Oneflow user created on their first login. Keep in mind that the account has to have available seats for the user to be created successfully.
  6. There is a user that was created through SSO, so he/she does not have Oneflow credentials. How can he/she obtain Oneflow credentials?
    • The user has to go to https://app.oneflow.com, enter his/her email, and click on “Forgot your password?”. The user will get an email allowing him/her to create a Oneflow password.
  7. We recently enabled group sync, and now some users cannot log in to Oneflow. Please help.
    • Once group sync is enabled, only users belonging to a synced group can log in to Oneflow (your AD might have groups that are not synced with a Oneflow group). If there are users not belonging to synced groups who need access to Oneflow, there are four options:
      • Add the users to Enforce SSO Exclusion (only if they already have Oneflow credentials).
      • Add the users to one of the synced groups.
      • Create a new group in AD, add the users, and sync it with a Oneflow group.
      • Disable group sync in the account’s SSO configuration.
  8. There is a synced group with a large number of members, and we want to provide access to some members but not to others. How can we do it?
    • Users can have a role both individually and through a group. In addition, users can belong to different groups and have different roles through those groups. If the number of group members who require access is small, access can be granted to them individually. However, if the number of group members who require access is large, it is better to create another group (both in AD and in Oneflow), sync them, and manage the access through the group.
  9. We have JIT user creation and group sync enabled, and one of our users (who did not belong to the synced group on the IdP’s side) tried to log in. He/She got the error message “Login disabled”. After adding the user to the synced group on the IdP’s side, it is still not working. What can we do?
    • If a user not belonging to a synced group tries to log in via SSO, the user is created in Oneflow’s database but deactivated, because he/she does not belong to a synced group. Once this has happened, adding the user to the synced group on the IdP’s side does not help, because the user is deactivated. Contact your CSM and ask for the user to be activated.
  10. We have group sync enabled. When we add/remove users from the groups in the IdP, we do not see the changes take place in Oneflow. Why?
    • Group synchronization related to SSO takes place during login, so if a user is added to or removed from a group on the IdP’s side, the change is applied when the user logs in to Oneflow.
  11. We recently added a new user to a group in AD which is synced to a group in Oneflow. However, the user has not been added to the group in Oneflow. Why?
    • The user needs to log in to Oneflow successfully; he/she will then be added to the group automatically.
  12. We recently removed a user from AD, but the user is still in a synced group in Oneflow. Why?
    • SSO group sync happens in Oneflow every time a user logs in. If the user has been removed from a group, he/she has to log in for the sync to take place. If the user has been removed from AD altogether, an administrator has to log in to Oneflow and deactivate the user. Once the user has been deactivated, he/she will be removed from the group(s) as well.

