Advanced SSO setup guide

Felicia Qvarfordt

Modified on: Mon, 9 Sep, 2024 at 4:10 PM

This feature is only available for the price plan Enterprise.

Introduction

In this article can you will learn how to activate advanced Single sign-on settings and you will also get deeper insights into Single Sign-On configuration.

Before reading this article make sure you have activated Single Sign-on.

Activate advanced SSO settings

At the moment you are able to activate the following advanced settings yourselves:

Enforce SSO over password
Sync remote attributes from IDP

Sync remote groups from IDP
Force remote login every time

NOTE
If you want to configure Automatic user creation, you can do it by requesting it from your CSM (Customer Success Manager)

Key concepts

To understand the details of advanced SSO configuration, please read the key concepts below:

IDP (Identity Provider).
This is the organization that provides the Active Directory (AD) services (Azure, Gsuite (Google Workspace), ADFS, Duo, Forgerock, Onetouch, etc.).
IDP login.
The process of logging in to the Oneflow website https://login.oneflow.com/******** using the credentials provided by IDP (or other login methods by IDP).
Oneflow login.
The process of logging in to the Oneflow website (https://app.oneflow.com) using the credentials provided by Oneflow.
Oneflow login with redirection.
The process of logging in to the Oneflow website (https://app.oneflow.com) with a login email. Once the email is entered, the Password field disappears, and the Login button redirects the user to https://login.oneflow.com/********, allowing the IDP login.

Default settings and limitations

Once Single Sign-On has been enabled in Marketplace, specific configuration parameters will default.

Default settings

Enforce SSO: Disabled.
Users can log in using the Oneflow login and IDP login (but not the Oneflow login with redirection).
Force Authentication: Disabled.
Users are not forced to use their IDP credentials every time they want to log in to Oneflow, if there is an active session in IDP.
JIT user creation (Just-In-Time user creation):Disabled.
Only registered users in Oneflow can log in. An administrator has to invite new unregistered users through Oneflow (Admin> Users >Invite User).
Sync groups: None.
Groups in IDP are not synced with groups in Oneflow.
Domain: None.
There is no domain attached to your SSO configuration.
Sync attributes: None.
Attributes in IDP are not synced with attributes in Oneflow.

Actions and limitations

The SSO default settings allow the following actions and limitations in Oneflow:

Registered users can log in using an IDP login.
Registered users can log in using a Oneflow login.
Users are forced to use their IDP credentials every time they want to log in to Oneflow, even if there is an active session in IDP.
An administrator has to invite new unregistered users through Oneflow (Admin > Users > Invite User).
Groups and group members have to be customized in Oneflow by an administrator.
Attributes have to be customized in Oneflow by users.

SSO configuration

You can modify the following configuration based on your organization's needs:

Enforce SSO (Default: Disabled).
If enabled, all account users can only log in to Oneflow through an IDP login or a Oneflow login with redirection.
Enforce SSO Exclusion (Default: Empty; requirement: Enforce SSO enabled).
If Enforce SSO is enabled, but there are users (usually administrators and some exceptions) who still want the option of using Oneflow login, they can be listed here.
Users created through IDP (with JIT user creation) don’t have Oneflow credentials, so even if they are added to this list, they will not be able to log in to Oneflow.
Force Authentication (Default: Disabled).
If disabled, when users have an active session in IDP, they do not need to enter their IDP credentials every time they want to log in to Oneflow through an IDP login. It is recommended to keep it enabled unless the IDP uses multi-factor authentication for security purposes.
JIT user creation (Default: Disabled).
- IDP login: If enabled, unregistered users in Oneflow (but registered in IDP) can log in using an IDP login and have their Oneflow user created automatically during the login process.
- Oneflow login with redirection: To allow unregistered users in Oneflow (but registered in IDP) to login using Oneflow login with redirection, enforce SSO needs to be enabled. Also, JIT user creation needs to be enabled, and the SSO configuration must have a domain. The domain of the email entered in the Oneflow site (https://app.oneflow.com) during the login process has to match the domain introduced in the SSO configuration.
IDP login:Oneflow login with redirection:
To allow unregistered users in Oneflow (but registered in IDP) to login using Oneflow login with redirection, enforce SSO needs to be enabled. Also, JIT user creation needs to be enabled, and the SSO configuration must have a domain. The domain of the email entered in the Oneflow site (https://app.oneflow.com) during the login process has to match the domain introduced in the SSO configuration.
Group sync. (Default: Disabled; requirement: Enforce SSO enabled).
If enabled, you can sync groups in IDP with groups in Oneflow.
The purpose of group sync is to control the groups only in one place, in IDP. When users are added or removed from a group in IDP, it gets updated in the group in Oneflow when they log in to Oneflow.

NOTE
If group mapping is enabled, only the following users can log in to Oneflow:

Users that belong to synced groups.
Users listed in Enforce SSO Exclusion.

To enable the group sync, the groups have to be created both in IDP and Oneflow.

Having group sync between IDP and Oneflow has three main advantages:

Security, regarding ‘who has access to what’ within the organization, and having extra security regarding 3rd parties not being able to access the documents in Oneflow.
Having all users’ access centralized from IDP for other purposes other than Oneflow.
Group members can be modified in one place (IdP) and automatically synced in another (Oneflow).

Domain (Default: None; requirements: Enforce SSO enabled, JIT user creation enabled).
The domain of an email is what comes after '@'. Suppose a domain is set for the SSO configuration. In that case, every time an email with that domain is introduced in https://app.oneflow.com, the Password field will disappear, and the Login button will redirect the user to log in through an IDP login (Oneflow login with redirection).
Default user type (Default: User; requirement: JIT user creation).
There are three possible user types in Oneflow: Administrator, User, and Limited. By default, the Default user type for a user is User. This parameter can be modified so that when a user is created through SSO, the user can have a different user type.
Attribute sync (Default: None).
If enabled, you can sync attributes in IDP with attributes in Oneflow.

FAQ

I have an active session in IDP, but every time I try to log in to Oneflow, I have to provide my IDP credentials. Is it possible to log in once and keep being logged in?

Yes, ask you can disable Force Authentication in the SSO configuration on your account. Marketplace > Single Sign-On > Edit > Settings.

Our organization has enabled Enforce SSO, and it is the first time I am logging in. When I enter my email address at https://app.oneflow.com, I can’t log in because I do not have a Oneflow password.

If your organization does not have the JIT user creation enabled and has not set a domain that matches the domain of your email address, the only way you can log in to Oneflow is using an IDP login (check Key concepts). Once your user has been registered in Oneflow, you will be able to use https://app.oneflow.com.

Our organization has enabled Enforce SSO, but we have some users that would like to use their Oneflow credentials. Is that possible?

Yes, ask your CSM to add the users to the Enforce SSO Exclusion list. Keep in mind that only users that currently have Oneflow credentials can be listed here.

We have added a new user to AD in our organization, but they cannot log in, although it has worked previously with other users. Why can’t our new user log in?

There might be technical reasons behind it, but chances are that there are no available seats in the account. If there are no seats available, your organization can deactivate another user or buy more seats

We have many users in our AD. Do we have to invite every user using the Invite user function in Oneflow? Is there any other way that they can log in to Oneflow directly?

They can log in directly to Oneflow. Ask your CSM to enable JIT user creation for the account. Once enabled, users that are not registered in Oneflow (but registered in AD) can log in to Oneflow and have their Oneflow user created on their first login. Remember that the account has to have available seats for the user to be successfully created.

We created a user through SSO, so they do not have Oneflow credentials. How can they obtain Oneflow credentials?

The user has to go to https://app.oneflow.com, enter their email, and click Forgot your password? The user will get an email allowing them to create a Oneflow password.

We recently enabled group sync, and now some users cannot log in to Oneflow.

Once group sync is enabled, only users belonging to a synced group can log in to Oneflow (your AD might have groups not synced with a Oneflow group). If there are users not belonging to synced groups that need to have access to Oneflow, there are four options:

Add the users to Enforce SSO Exclusion (only if they already have Oneflow credentials).
Add the users to one of the synced groups.
Create a new group in AD, add the users, and sync it with a Oneflow group.
Disable group sync from the account’s SSO configuration.

There is a synced group with many members, and we want to provide access to some members but not to others. How can we do it?

Users can have a role both individually and within a group. In addition, users can belong to different groups and have different roles in those groups. If the number of group members requiring access is small, you can provide them with access individually. However, if the number of group members requiring access is large, it is better to create another group (both in AD and in Oneflow), sync them, and manage the access through the group.

We have JIT user creation and group sync enabled, and one of our users (that did not belong to the synced group on the IDP’s side) tried to log in. They got the error message 'Login disabled'. After adding the user to the synced group on IDP’s side, it is still not working. What can we do?

If a user not belonging to a synced group tries to log in via SSO, the system will create the user in Oneflow’s database, but the system will deactivate them because they do not belong to a synced group. If this happens, it does not help to add the user to the synced group on the IDP's side because the user is deactivated. Contact your CSM and ask the user to be activated.

We have group sync enabled. When we add/remove users from the groups in IDP, we do not see the changes in Oneflow. Why?

Group synchronization related to SSO occurs during login. If a user is added/removed from a group on the IDP’s side, the changes will be applied when the user logs in to Oneflow.

We recently added a new user to a group in AD synced to a group in Oneflow. However, the user has not been added to the group in Oneflow. Why?

The user needs to log in to Oneflow successfully, and then they will be added to the group automatically.

We recently removed a user from AD, but the user is still in a synced group in Oneflow. Why?

SSO group sync occurs in Oneflow every time a user logs in. If the user has been removed from a group, they have to log in so the sync can take place. If the user has been removed from AD altogether, an administrator has to log in to Oneflow and deactivate the user. Once the user has been deactivated, the system will remove them from the groups.