INCLUDED IN: This feature is only available on the Enterprise price plan.
Introduction
In this article you will learn how to activate advanced Single Sign-On settings and get a deeper insight into Single Sign-On configuration.
Before reading this article make sure you have activated Single Sign-on.
🔗 Click here to read the article: Activate single sign-on (SSO).
Activate advanced SSO settings
You can currently activate the following advanced settings yourself:
NOTE: If you want to configure Automatic user creation, request it from your CSM (Customer Success Manager).
Key concepts
To understand the details of advanced SSO configuration, please read the key concepts below:
- IDP (Identity Provider). The organization that provides the Active Directory (AD) services (Azure, Gsuite (Google Workspace), ADFS, Duo, Forgerock, Onetouch, etc.).
- IDP login. The process of logging in to the Oneflow website https://login.oneflow.com/******** using the credentials provided by the IDP (or other login methods offered by the IDP).
- Oneflow login. The process of logging in to the Oneflow website (https://app.oneflow.com) using the credentials provided by Oneflow.
- Oneflow login with redirection. The process of logging in to the Oneflow website (https://app.oneflow.com) with a login email. Once the email is entered, the Password field disappears, and the Login button redirects the user to https://login.oneflow.com/********, allowing the IDP login.
Default settings and limitations
Once Single Sign-On has been enabled in Marketplace, the configuration parameters take the default values listed below.
Default settings
- Enforce SSO: Disabled. Users can log in using the Oneflow login and the IDP login (but not the Oneflow login with redirection).
- Force Authentication: Disabled. Users are not forced to use their IDP credentials every time they want to log in to Oneflow if there is an active session in the IDP.
- JIT user creation (Just-In-Time user creation): Disabled. Only registered users in Oneflow can log in. An administrator has to invite new unregistered users through Oneflow (Admin > Users > Invite User).
- Sync groups: None. Groups in the IDP are not synced with groups in Oneflow.
- Domain: None. There is no domain attached to your SSO configuration.
- Sync attributes: None. Attributes in the IDP are not synced with attributes in Oneflow.
Actions and limitations
The SSO default settings allow the following actions and limitations in Oneflow:
- Registered users can log in using an IDP login.
- Registered users can log in using a Oneflow login.
- Users are forced to use their IDP credentials every time they want to log in to Oneflow, even if there is an active session in IDP.
- An administrator has to invite new unregistered users through Oneflow (Admin > Users > Invite User).
- Groups and group members have to be customized in Oneflow by an administrator.
- Attributes have to be customized in Oneflow by users.
SSO configuration
You can modify the following configuration based on your organization's needs:
- Enforce SSO (Default: Disabled). If enabled, all account users can only log in to Oneflow through an IDP login or an Oneflow login with redirection.
- Enforce SSO Exclusion (Default: Empty; requirement: Enforce SSO enabled). If Enforce SSO is enabled but some users (usually administrators and a few exceptions) still want the option of using the Oneflow login, they can be listed here. Users created through the IDP (with JIT user creation) do not have Oneflow credentials, so even if they are added to this list they will not be able to use the Oneflow login.
- Force Authentication (Default: Disabled). If disabled, users who have an active session in the IDP do not need to enter their IDP credentials every time they log in to Oneflow through an IDP login. It is recommended to keep it enabled unless the IDP uses multi-factor authentication for security purposes.
- JIT user creation (Default: Disabled).
  - IDP login: If enabled, users who are unregistered in Oneflow (but registered in the IDP) can log in using an IDP login and have their Oneflow user created automatically during the login process.
  - Oneflow login with redirection: To allow users who are unregistered in Oneflow (but registered in the IDP) to log in using the Oneflow login with redirection, Enforce SSO needs to be enabled, JIT user creation needs to be enabled, and the SSO configuration must have a domain. The domain of the email entered on the Oneflow site (https://app.oneflow.com) during the login process has to match the domain set in the SSO configuration.
- Group sync (Default: Disabled; requirement: Enforce SSO enabled). If enabled, you can sync groups in the IDP with groups in Oneflow. The purpose of group sync is to control the groups in one place only, the IDP. When users are added to or removed from a group in the IDP, the group in Oneflow is updated when they log in to Oneflow.
  NOTE: To enable group sync, the groups have to be created both in the IDP and in Oneflow.
  Having group sync between the IDP and Oneflow has three main advantages:
  - Security, regarding who has access to what within the organization, and extra assurance that third parties cannot access the documents in Oneflow.
  - Having all users' access centralized in the IDP for purposes other than Oneflow.
  - Group members can be modified in one place (IDP) and automatically synced in the other (Oneflow).
- Domain (Default: None; requirements: Enforce SSO enabled, JIT user creation enabled). The domain of an email is what comes after '@'. If a domain is set for the SSO configuration, every time an email with that domain is entered at https://app.oneflow.com the Password field will disappear, and the Login button will redirect the user to log in through an IDP login (Oneflow login with redirection).
- Default user type (Default: User; requirement: JIT user creation). There are three possible user types in Oneflow: Administrator, User, and Limited. By default, the default user type is User. This parameter can be modified so that a user created through SSO gets a different user type.
- Attribute sync (Default: None). If enabled, you can sync attributes in the IDP with attributes in Oneflow.
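The settings above interact in ways that are easy to misread, so here is an added example (not Oneflow's code or documentation) that encodes the rules of this section as one decision function: given the SSO settings and a user, it returns which of the three login methods from Key concepts are open to that user. Field and function names are ours. One point the article leaves open, whether a registered user under Enforce SSO is redirected when no domain is configured, is modelled as "yes" and marked as an assumption in the code.

```python
"""Model of the login paths this article describes.

Added illustration, not Oneflow's code: it encodes the rules in the
"SSO configuration" section as a small decision function so the interaction
of Enforce SSO, the exclusion list, JIT user creation and the domain setting
can be checked case by case.  All names are ours.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

IDP_LOGIN = "IDP login"
ONEFLOW_LOGIN = "Oneflow login"
ONEFLOW_LOGIN_REDIRECT = "Oneflow login with redirection"


@dataclass
class SsoConfig:
    """The settings from the article; field names are ours, defaults are the article's."""
    enforce_sso: bool = False
    enforce_sso_exclusion: set[str] = field(default_factory=set)  # user emails
    jit_user_creation: bool = False
    domain: Optional[str] = None  # e.g. "example.com"


@dataclass
class User:
    email: str
    registered_in_oneflow: bool
    has_oneflow_password: bool  # users created through JIT start without one


def email_domain(email: str) -> str:
    """The article defines the domain as what comes after '@'."""
    return email.rsplit("@", 1)[1].lower()


def available_login_methods(cfg: SsoConfig, user: User) -> set[str]:
    methods: set[str] = set()

    # IDP login: open to every registered user; an unregistered (IDP-only)
    # user gets in this way only if JIT user creation creates them on the fly.
    if user.registered_in_oneflow or cfg.jit_user_creation:
        methods.add(IDP_LOGIN)

    # Oneflow login (email + password): only while Enforce SSO is off, or for
    # users on the exclusion list, and only if the user actually holds
    # Oneflow credentials (a JIT-created user does not, listed or not).
    if user.registered_in_oneflow and user.has_oneflow_password:
        if not cfg.enforce_sso or user.email in cfg.enforce_sso_exclusion:
            methods.add(ONEFLOW_LOGIN)

    # Oneflow login with redirection exists only under Enforce SSO.
    if cfg.enforce_sso:
        if user.registered_in_oneflow:
            # Assumption: a registered user is redirected whether or not a
            # domain is configured; the article ties the domain check to
            # users who do not exist in Oneflow yet.
            methods.add(ONEFLOW_LOGIN_REDIRECT)
        elif (cfg.jit_user_creation and cfg.domain
              and email_domain(user.email) == cfg.domain.lower()):
            methods.add(ONEFLOW_LOGIN_REDIRECT)

    return methods


if __name__ == "__main__":
    # Constructed sample configuration and users.
    enforced = SsoConfig(enforce_sso=True, jit_user_creation=True,
                         domain="example.com",
                         enforce_sso_exclusion={"admin@example.com"})
    for u in (User("admin@example.com", True, True),
              User("jit.user@example.com", True, False),
              User("newhire@example.com", False, False),
              User("guest@partner.test", False, False)):
        print(u.email, "->", sorted(available_login_methods(enforced, u)))
```

Running the sample shows the two cases the FAQ gets asked about most: the JIT-created user on the exclusion list still has no password path, and the unregistered user whose email domain does not match the configured domain gets only the IDP login.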
FAQ
I have an active session in the IDP, but every time I try to log in to Oneflow I have to provide my IDP credentials. Is it possible to log in once and stay logged in?
Yes, you can disable Force Authentication in the SSO configuration on your account: Marketplace > Single Sign-On > Edit > Settings.
Our organization has enabled Enforce SSO, and it is the first time I am logging in. When I enter my email address at https://app.oneflow.com, I can't log in because I do not have an Oneflow password.
If your organization does not have JIT user creation enabled and has not set a domain that matches the domain of your email address, the only way you can log in to Oneflow is using an IDP login (see Key concepts). Once your user has been registered in Oneflow, you will be able to use https://app.oneflow.com.
Our organization has enabled Enforce SSO, but we have some users who would like to use their Oneflow credentials. Is that possible?
Yes, ask your CSM to add the users to the Enforce SSO Exclusion list. Only users who currently have Oneflow credentials can be listed here.
We have added a new user to Entra ID in our organization, but they cannot log in, although it has worked previously with other users. Why?
This can happen if there are no available seats in the account. If there are no seats available, your organization can deactivate another user or purchase more seats.
We have many users in our Entra ID. Do we have to invite every user using the Invite user function in Oneflow?
No, they can log in directly. Ask your CSM to enable JIT user creation. Once enabled, users registered in Entra ID (but not in Oneflow) can log in and have their account created automatically at first login. The account must have available seats for this to work.
We created a user through SSO, so they do not have Oneflow credentials. How can they obtain them?
The user should go to https://app.oneflow.com, enter their email, and click Forgot your password?. They will then receive an email to set an Oneflow password.
We recently enabled group sync, and now some users cannot log in to Oneflow.
Once group sync is enabled, only users belonging to a synced group can log in. If users outside synced groups need access, you can:
There is a synced group with many members, and we want to provide access to some members but not to others. How can we do it?
Users can have roles individually and within groups. If only a few group members need access, assign roles individually. If many members need access, create a new group in Entra ID and Oneflow, sync them, and manage access through the group.
We have JIT user creation and group sync enabled, and a user got “Login disabled”. After adding them to the synced group, it still doesn't work. Why?
If a user outside a synced group tries to log in, Oneflow creates the user but deactivates them. Adding them to the group afterwards won't help. Contact your CSM to reactivate the user.
We have group sync enabled. When we add or remove users from the groups in Entra ID, we do not see the changes in Oneflow. Why?
Group synchronization occurs during login. Changes in Entra ID will apply the next time the user logs in to Oneflow.
We recently added a new user to a group in Entra ID that is synced to a group in Oneflow. However, the user has not been added in Oneflow. Why?
The user needs to log in to Oneflow for the first time before being added to the group automatically.
We recently removed a user from Entra ID, but the user is still in a synced group in Oneflow. Why?
SSO group sync happens when a user logs in. If the user is removed from Entra ID, an administrator must log in and deactivate the user in Oneflow. Once deactivated, the system removes them from the groups.
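Several of the answers above follow from one fact: group sync is pull-based and runs only when the affected user logs in. The following added example (not Oneflow's code) models that behaviour so the de-provisioning gap it creates is visible: a user removed from the IDP keeps their Oneflow group membership until an administrator deactivates them, and a JIT-created user who was outside every synced group stays deactivated even after being added to the group. Class and function names, and the sample users and groups, are constructed for the illustration.

```python
"""Model of the group-sync behaviour described in the FAQ.

Added illustration, not Oneflow's code.  It encodes three statements from
the FAQ: group membership in Oneflow is recomputed only when the user logs
in; a JIT-created user who is in no synced group is created but deactivated
and stays that way until a CSM reactivates them; and a user removed from the
IDP is untouched until an administrator deactivates them.  Names are ours.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OneflowUser:
    email: str
    active: bool = True
    groups: set[str] = field(default_factory=set)


@dataclass
class OneflowAccount:
    synced_groups: set[str]  # groups that exist in both the IDP and Oneflow
    jit_user_creation: bool = True
    users: dict[str, OneflowUser] = field(default_factory=dict)


def idp_login(account: OneflowAccount, email: str, idp_groups: set[str]) -> str:
    """Simulate one IDP login and return the outcome the user would see.

    idp_groups is the membership the IDP asserts for this login.
    """
    synced_now = idp_groups & account.synced_groups
    user = account.users.get(email)

    if user is None:
        if not account.jit_user_creation:
            return "not registered"
        # JIT creation: the user record is created either way, but a user in
        # no synced group is created deactivated ("Login disabled").
        user = OneflowUser(email, active=bool(synced_now), groups=set(synced_now))
        account.users[email] = user
        return "logged in" if user.active else "Login disabled"

    if not user.active:
        # Adding the user to a synced group later does not reactivate them;
        # the FAQ says a CSM has to do that.
        return "Login disabled"

    if not synced_now:
        # With group sync on, only members of a synced group can log in.
        # The article does not say whether stale membership is cleared here,
        # so this model leaves it untouched.
        return "cannot log in"

    # Membership is refreshed here, at login, and nowhere else.
    user.groups = set(synced_now)
    return "logged in"


def admin_deactivate(account: OneflowAccount, email: str) -> None:
    """What an administrator does for a user who was removed from the IDP."""
    user = account.users[email]
    user.active = False
    user.groups.clear()  # deactivation removes the user from the groups


if __name__ == "__main__":
    # Constructed account: "Sales" and "Legal" exist in both the IDP and Oneflow.
    acct = OneflowAccount(synced_groups={"Sales", "Legal"})
    print(idp_login(acct, "alice@example.com", {"Sales"}))      # logged in
    print(idp_login(acct, "bob@example.com", {"Marketing"}))    # Login disabled
    print(idp_login(acct, "bob@example.com", {"Sales"}))        # still Login disabled
    # Alice is moved to Legal in the IDP; Oneflow only sees it at her next login.
    print(acct.users["alice@example.com"].groups)               # {'Sales'}
    print(idp_login(acct, "alice@example.com", {"Legal"}),
          acct.users["alice@example.com"].groups)               # logged in {'Legal'}
    # Alice is deleted from the IDP: nothing changes until an admin acts.
    admin_deactivate(acct, "alice@example.com")
    print(acct.users["alice@example.com"])
```

The practical consequence for an administrator is the last step: because nothing in this flow is pushed from the IDP, off-boarding a user in Entra ID must be paired with deactivating them in Oneflow, or their group membership (and any access derived from it) stays in place indefinitely.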