Enable single sign-on (SSO) for your users
Configure single sign-on (SSO) on your account so your users can log in to PassFort using the credentials from their identity provider (such as Azure Active Directory, Google SSO, and others).
Getting SSO for your PassFort account
SSO can be purchased as an optional feature. Contact your account manager to learn more - we'll be happy to help.
This will be the process:
- You'll need to create an app on your identity provider for a SAML 2.0 connection (contact your identity provider for more information about how to do this).
- If you would like to assign permissions to your users automatically based on their identity provider groups, create a single custom attribute for your users that contains the list of each user's group IDs. The IDs need to be sent in a format we can map to a comma-separated list of strings.
- Please provide us with the accepted domain(s) from which your users will be signing in.
We'll also need the following information about the app you created in step 1, and the user attributes it sends:
- Identity provider issuer URI
- Identity provider single sign-on URL
- Identity provider signature certificate (using SHA-256)
- Destination URL (optional)
- email address (e.g. subjectNameId)
- first name
- last name
- custom teams (optional)
- We'll complete the configuration on our side, and send you some metadata so you can complete the configuration on your side.
Adding a whitelist
When you enable whitelisting, only requests coming from an IP address on your authorised list will be able to log in to your account's Portal and make calls to your API.
If you'd like to use whitelisting, enable it through PassFort's IP whitelisting area and avoid using Okta's whitelisting feature. Otherwise, both whitelists will apply to SSO logins and unexpected behaviour may occur.
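The following is an added example, not PassFort's or Okta's code, showing how an IP allowlist of single addresses and CIDR ranges is evaluated, and why two allowlists applying at once is a problem: a login from an address that is on PassFort's list but not on Okta's is refused. The address ranges are constructed documentation addresses (RFC 5737) and the function names are hypothetical.

```python
import ipaddress


def parse_allowlist(entries):
    """Turn allowlist strings into network objects.

    Single addresses are accepted as well as CIDR ranges; ip_network with
    strict=False turns a bare address into a /32 (IPv4) or /128 (IPv6).
    Invalid entries raise ValueError, so a typo is caught at configuration
    time rather than silently failing to match later.
    """
    networks = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip, allowlist):
    """True if the client address falls inside any allowlisted network.

    Version-mismatched comparisons (IPv4 address against an IPv6 network)
    are simply False, so a mixed list is safe.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist)


def sso_login_permitted(client_ip, passfort_allowlist, idp_allowlist=None):
    """Model the page's caveat: when both PassFort's and the identity
    provider's allowlists are enabled, a request must pass each of them.
    """
    lists = [passfort_allowlist]
    if idp_allowlist is not None:
        lists.append(idp_allowlist)
    return all(is_allowed(client_ip, lst) for lst in lists)


# Constructed sample configuration.
PASSFORT_ALLOWLIST = parse_allowlist(["203.0.113.0/24", "198.51.100.7"])
IDP_ALLOWLIST = parse_allowlist(["198.51.100.0/24"])  # configured separately by mistake

if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.7", "198.51.100.8"):
        print(ip,
              "PassFort only:", sso_login_permitted(ip, PASSFORT_ALLOWLIST),
              "both lists:", sso_login_permitted(ip, PASSFORT_ALLOWLIST, IDP_ALLOWLIST))
```

With only PassFort's list applied, 203.0.113.45 and 198.51.100.7 are admitted and 198.51.100.8 is refused; once Okta's list also applies, 203.0.113.45 is refused even though it is on PassFort's list, which is the "unexpected behaviour" the page warns about.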
Logging in with SSO
When SSO is configured on your account, your users will be able to log in with your identity provider by choosing the Use Single Sign On (SSO) option on the login screen.
Each time a user logs in, their name and teams are updated with the details from your identity provider.
If the user is logging in for the first time, their email address will be added to your PassFort account, making them a PassFort user that you can see and manage from the User Management tab.
If the user belongs to any groups on your identity provider and you've linked those groups to PassFort teams, the user will be added to the teams automatically. They'll be able to access the areas of your account based on the team roles.
Don't have SSO yet?
If you have not enabled SSO, you can create accounts for your users via PassFort's User Management tab, using exactly the same email addresses you plan to use for SSO. Remember to assign user roles or team roles so they have access to the appropriate areas of PassFort.
Users will be able to use the Email and Password fields on the login screen.
When you're ready to enable SSO, check the User Management tab to ensure:
- The email addresses here are exactly the same as the ones you're using for SSO. If they're not, update them now.
- All users have the correct permissions, including ensuring that your identity provider groups are linked to PassFort teams.
Once this is done and SSO has been enabled, ask your users to log in with the Use Single Sign On (SSO) option.
When a user logs in with SSO, their login credentials are converted to SSO. From this point forward, the user must always log in to PassFort using their SSO details. If they try to log in with the Email and Password fields, they'll see the message "Email address or password did not match. Try again, or contact us for help."
The user will be automatically added to any PassFort teams which are linked to identity provider groups enabled for their SSO account. They'll be able to access the areas of your account based on the team roles. Any pre-existing teams and roles are removed.
Managing users with SSO enabled
You can see all users in PassFort by going to User Management > Users.
The SSO users have SSO enabled displayed next to their name.
Manage roles for users with SSO
Roles determine what users can see and do in PassFort.
For example, you could have a Compliance officer role that gives users access to onboard and monitor all products, or an Institution admin role that gives users access to the Billing area.
Roles can be assigned on a team basis or a per-user basis.
By default, new SSO users on your account won't have any roles, which means they won't have access to any area of your account.
Assigning roles automatically
To assign roles to SSO users automatically, link the groups on your identity provider to teams in PassFort and add team roles.
When an SSO user creates an account, they'll be added to any teams linked to their identity provider groups and assigned the team roles accordingly.
Each time the user logs in after that, their teams will be updated to reflect any groups they've been added to or removed from on your identity provider.
To create a linked team, follow the steps to add a team and make sure you set these options:
- In the External team ID field, add your identity provider group's ID or name. Note that these are case-sensitive.
- In the Team roles field, add the roles you want to assign to users from the identity provider group.
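To make the group-to-team mapping concrete, here is an added example (not PassFort's code) that parses the user attributes from a constructed SAML 2.0 assertion, flattens the custom group attribute into a list of strings as step 2 of the setup describes, checks the email domain against the accepted domains, and resolves each group ID case-sensitively against linked External team IDs to produce the user's teams and roles, recomputed from scratch as on every login. The attribute names firstName, lastName and teams, the team and role names, and the accepted domain are all assumptions. The example also assumes the assertion's XML signature was verified before any attribute is read, as it must be in a real deployment.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature verification is assumed to have
# already succeeded; never read attributes from an unverified assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>Alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="teams">
      <saml:AttributeValue>compliance-officers</saml:AttributeValue>
      <saml:AttributeValue>Billing-Admins, auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical linked teams: External team ID -> (PassFort team, team roles).
# Keys are matched exactly; External team IDs are case-sensitive.
LINKED_TEAMS = {
    "compliance-officers": ("Compliance", ["Compliance officer"]),
    "Billing-Admins": ("Finance", ["Institution admin"]),
}

# Hypothetical accepted sign-in domain(s).
ACCEPTED_DOMAINS = {"example.com"}


def parse_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


def group_ids(values):
    """Flatten multi-valued and comma-separated group values into one list of strings."""
    ids = []
    for value in values:
        ids.extend(part.strip() for part in value.split(",") if part.strip())
    return ids


def build_user(xml_text, linked_teams=LINKED_TEAMS, accepted_domains=ACCEPTED_DOMAINS):
    """Build the user record for this login from the assertion's attributes."""
    name_id, attrs = parse_attributes(xml_text)
    email = (name_id or "").strip().lower()
    domain = email.rsplit("@", 1)[1] if "@" in email else ""
    if domain not in accepted_domains:
        raise ValueError(f"email domain not accepted: {domain!r}")

    teams, roles, unlinked = [], [], []
    for gid in group_ids(attrs.get("teams", [])):
        if gid in linked_teams:          # exact, case-sensitive match
            team, team_roles = linked_teams[gid]
            teams.append(team)
            roles.extend(team_roles)
        else:
            unlinked.append(gid)         # group exists at the IdP but is not linked

    # Nothing from a previous login is carried over: teams and roles are
    # derived entirely from the groups presented this time.
    return {
        "email": email,
        "first_name": attrs.get("firstName", [""])[0],
        "last_name": attrs.get("lastName", [""])[0],
        "teams": teams,
        "roles": sorted(set(roles)),
        "unlinked_groups": unlinked,
    }


if __name__ == "__main__":
    print(build_user(SAMPLE_ASSERTION))
```

The unlinked_groups field is worth logging: a user who expected access but lands in no team usually has a group whose External team ID differs only in case or spelling, and that list points straight at the mismatch.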
Assigning roles manually
To manually assign roles to a user, independent of any team:
- Go to User management > Users.
- Select the user.
- Add the roles to the User roles field.
Change an SSO user's password
Change a user's password via your identity provider.
Deactivate/reactivate an SSO user
You should deactivate and reactivate users both via your identity provider and via PassFort. Follow these steps to deactivate or reactivate a user via PassFort.