Enable single sign-on (SSO) for your users

Configure single sign-on (SSO) on your account to enable your users to login to PassFort using their credentials for their identity provider (like Azure Active Directory, Google SSO, and more).

Getting SSO for your PassFort account

SSO can be purchased as an optional feature. Contact your account manager to learn more - we'll be happy to help.

This will be the process:

  1. You'll need to create an app on your identity provider for a SAML 2.0 connection (contact your identity provider for more information about how to do this).
  2. If you would like to assign permissions to your users automatically based on their identity provider groups, create a single custom attribute for your users that contains the list of each user's group IDs. The IDs need to be sent in a format that we can map to a comma-separated list of strings.
  3. Please provide us with the accepted domain(s) from which your users will be signing in.

    We'll also need the following information about the app you created in step 1:
    1. Identity provider issuer URI
    2. Identity provider single sign-on URL
    3. Identity provider signature certificate (using SHA-256)
    4. Destination URL (optional)
    Please also provide the names of the user attributes you're using on your identity provider so we can map them:
    1. email address (e.g. subjectNameId)
    2. first name
    3. last name
    4. custom teams (optional)
  4. We'll complete the configuration on our side, and send you some metadata so you can complete the configuration on your side.

By default, all your users will log in using SSO. If you'd like a user to have a regular login experience without SSO, add them by following the standard steps to add a user.

Adding a whitelist

When you enable whitelisting, only requests coming from an IP address that's on your authorised list will be able to log into your account's Portal and make calls to your API.

If you'd like to use whitelisting, you should enable it through PassFort's IP whitelisting area and avoid using Okta's whitelisting feature. Otherwise, both whitelists will apply for SSO logins and unexpected behaviour may occur.

Logging in with SSO

When you have SSO configured on your account, your users will be able to log in with your identity provider with the Use Single Sign On (SSO) option on the login screen.

Each time a user logs in, their name and teams are updated with the details from your identity provider.

If the user is logging in for the first time, their email address will be added to your PassFort account, making them a PassFort user that you can see and manage from the User Management tab.

If the user belongs to any groups on your identity provider and you've linked those groups to PassFort teams, the user will be added to the teams automatically. They'll be able to access the areas of your account based on the team roles.

If the user does not belong to any groups or if you haven't linked the groups to PassFort teams, the user won't have any user roles or team roles when their account is created. This means they won't be able to access any area of your PassFort account until you manually assign roles from the User Management tab.

Users are signed out of PassFort automatically after 30 minutes of inactivity.

Don't have SSO yet?

If you have not enabled SSO, you can create accounts for your users via PassFort's User Management tab, using exactly the same email addresses you plan to use for SSO. Remember to assign user roles or team roles so they have access to the appropriate areas of PassFort.

Users will be able to use the Email and Password fields on the login screen.

When you're ready to enable SSO, check the User Management tab to ensure:

Once this is done and you have SSO enabled, ask your users to log in with the Use Single Sign On (SSO) option.

When a user logs in with SSO, their login credentials are converted to SSO. From this point forward, the user must always log into PassFort using their SSO details. If they try to log in with the Email and Password fields, they'll see a message that says Email address or password did not match. Try again, or contact us for help.

The user will be automatically added to any PassFort teams which are linked to identity provider groups enabled for their SSO account. They'll be able to access the areas of your account based on the team roles. Any pre-existing teams and roles are removed.

Where possible, we recommend using identity provider groups linked to PassFort teams. However, if the user does not have groups assigned to them or those groups have not been linked to PassFort teams, the user will keep the same teams and roles that they had before SSO.

Activity within the PassFort account (including audit history) is not affected by the change to login credentials.

Managing users with SSO enabled

You can see all users in PassFort by going to User Management > Users.

The SSO users have SSO enabled displayed next to their name.

Manage roles for users with SSO

Roles determine what users can see and do in PassFort.

For example, you could have a Compliance officer role that provides users with the access to onboard and monitor all products or an Institution admin role that provides users with access to the Billing area.

Roles can be assigned on a team basis or a per-user basis.

By default, new SSO users on your account won't have any roles, which means they won't have access to any area of your account.

Assigning roles automatically

To assign roles to SSO users automatically, link the groups on your identity provider to teams in PassFort and add team roles.

When an SSO user creates an account, they'll be added to any teams linked to their identity provider groups and assigned the team roles accordingly.

Each time the user logs in after that, their teams will be updated to reflect any groups they've been added to or removed from on your identity provider.

To create a linked team, follow these steps to add a team and ensure you include these options:

  • In the External team ID field, add your identity provider group's ID or name. Note that these are case-sensitive.
  • In the Team roles field, add the roles you want to assign to users from the identity provider group.
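
The following added example (not PassFort's own code) illustrates the group-to-team flow described in step 2 above and in this section: it reads the user attributes from a constructed SAML 2.0 AttributeStatement, normalises the custom groups attribute to a list of strings, and then reconciles the user's teams against linked teams by exact, case-sensitive External team ID on each login. Attribute names (email, firstName, lastName, groups) and the team names are assumptions for illustration.

```python
"""Added example: SAML attribute parsing plus team reconciliation by External team ID.
Not PassFort's code; attribute names and sample data are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not a real identity provider's output).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>compliance-eu, Billing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def group_ids(values):
    """Normalise a multi-valued or comma-separated groups attribute to a list of strings.
    Whitespace is trimmed but case is preserved: External team IDs are case-sensitive."""
    ids = []
    for v in values:
        ids.extend(part.strip() for part in v.split(",") if part.strip())
    return ids

def reconcile_teams(current_teams, groups, linked_teams):
    """linked_teams: {external_id: (team name, [team roles])}. Returns the teams the
    user should now belong to (matched by exact external ID) and the roles those
    teams grant. A group with no linked team grants nothing, and a team whose group
    the user has left is removed, so membership mirrors the identity provider."""
    matched = [g for g in groups if g in linked_teams]
    new_teams = {linked_teams[g][0] for g in matched}
    roles = sorted({r for g in matched for r in linked_teams[g][1]})
    return {"teams": sorted(new_teams), "roles": roles,
            "added": sorted(new_teams - set(current_teams)),
            "removed": sorted(set(current_teams) - new_teams)}
```

In the sample, "Billing" does not match a team linked with External team ID "billing", so the user is left with only the teams their exactly-matching groups grant.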
Assigning roles manually

To manually assign roles to a user that are independent of a team:

  1. Go to User management > Users.
  2. Select the user.
  3. Add the roles to the User roles field.

It is not possible to assign teams via the Team roles field from here. To manage teams, see the steps above for Assigning roles automatically.

Change an SSO user's password

Change a user's password via your identity provider.

Deactivate/reactivate an SSO user

You should deactivate and reactivate users via your identity provider and also via PassFort. Follow these steps to deactivate or reactivate a user via PassFort.