All categories ​ > ​ ​User management ​ > ​     Enable single sign-on (SSO) for your users

Enable single sign-on (SSO) for your users

Updated 3 weeks ago by Ainsley

Configure single sign-on (SSO) on your account to enable your users to login to PassFort using their credentials for their identity provider (like Azure Active Directory, Google SSO, and more).

Getting SSO for your PassFort account

SSO can be purchased as an optional feature. Contact your account manager to learn more - we'll be happy to help.

This will be the process:

  1. You'll need to create an app on your identity provider for a SAML 2.0 connection (contact your identity provider for more information about how to do this).
  2. If you would like to assign permissions to your users automatically based on their identity provider groups, create a single custom attribute for your users that contains the list of each user's group IDs. The IDs need to be sent in a way that we can map it to a comma separated list of strings.
  3. Please provide us with the accepted domain(s) from which your users will be signing in.

    We'll also need the following information about the app you created in step 1:
    1. Identity provider issuer URI
    2. Identity provider single sign-on URL
    3. Identity provider signature certificate (using SHA-256)
    4. Destination URL (optional)
    Please also provide the names of the user attributes you're using on your identity provider so we can map them:
    1. email address (e.g. subjectNameId)
    2. first name
    3. last name
    4. custom teams (optional)
  4. We'll complete the configuration on our side, and send you some metadata so you can complete the configuration on your side.
By default, all your users will login using SSO. If you'd like a user to have a regular login experience without SSO, add them by following the standard steps to add a user.

Logging in with SSO

When you have SSO configured on your account, your users will be logged into PassFort automatically if they're already logged in with your identity provider.

If a user is not logged in with your identity provider, they can click the Use Single Sign On (SSO) option on the PassFort login screen. They'll be redirected to log in with your identity provider.

Each time a user logs in, their name and teams are updated with the details from your identity provider.

Users are signed out of PassFort automatically after 30 minutes of inactivity.

Logging in for the first time

If this is the user's first time logging in to PassFort, when they enter their email address and password their user details will be added to your PassFort account automatically.

If the user belongs to any groups on your identity provider and you've linked those groups to PassFort teams, the user will be added to the teams automatically. They'll be able to access the areas of your account based on the team roles.

If the user does not belong to any groups or if you haven't linked the groups to PassFort teams, the user won't have any user roles or team roles when their account is created. This means they won't be able to access any area of your PassFort account until you manually assign roles.

Managing users with SSO enabled

You can see all users in PassFort by going to User Management > Users.

The SSO users have SSO enabled displayed next to their name.

Manage roles for users with SSO

Roles determine what users can see and do in PassFort.

For example, you could have a Compliance officer role that provides users with the access to onboard and monitor all products or an Institution admin role that provides users with access to the Billing area.

Roles can be assigned on a team basis or a per-user basis.

By default, new SSO users on your account won't have any roles, which means they won't have access to any area of your account.

Assigning roles automatically

To assign roles to SSO users automatically, link the groups on your identity provider to teams in PassFort and add team roles.

When an SSO user creates an account, they'll be added to any teams linked to their identity provider groups and assigned the team roles accordingly.

Each time the user logs in after that, their teams will be updated to reflect any groups they've been added to or removed from on your identity provider.

To create a linked team, follow these steps to add a team and ensure you include these options:

  • In the External team ID field, add your identity provider group's ID or name. Note that these are case-sensitive.
  • In the Team roles field, add the roles you want to assign to users from the identity provider group.
Assigning roles manually

To manually assign roles to a user that are independent of a team:

  1. Go to User management > Users.
  2. Select the user.
  3. Add the roles to the User roles field.
It is not possible to assign teams via the Team roles field from here. To manage teams, see the steps above for Assigning roles automatically.

Change an SSO user's password

Change a user's password via your identity provider.

Deactivate/reactivate an SSO user

Deactivate/reactivate a user via your identity provider.

How did we do?

Powered by HelpDocs (opens in a new tab)