Skip to main content

About single sign-on (SSO)

Configure SSO on your account to enable your users to sign in to Passfort using their credentials for their identity provider; like Azure Active Directory, Google SSO, and more.

The SSO setup process

SSO is an optional feature. Contact your account manager to learn more.

This will be the process:

  1. You'll need to create an app on your identity provider for a SAML 2.0 connection. Contact your identity provider for more information about how to do this.

  2. If you would like to assign permissions to your users automatically based on their identity provider groups, create a single custom attribute for your users that contains the list of each user's group IDs. The IDs need to be sent in a way that we can map them to a comma-separated list of strings.

  3. Provide us with the accepted domains from which your users will sign in.

    We'll also need the following information about the app you created previously:

    • Identity provider issuer URL

    • Identity provider single sign-on URL

    • Identity provider signature certificate (using SHA-256)

    • Destination URL (optional)

    You'll also need to provide the names of the user attributes you're using on your identity provider so we can map them:

    • email address, for example, subjectNameId

    • first name

    • last name

    • custom teams (optional)

    We'll complete the configuration on our side, and send you some metadata so you can complete the configuration on your side.

Note

By default, all your users will sign in using SSO. If you'd like a user to have a regular sign-in experience without SSO, add them by following the standard steps to add a user.

Allow lists with SSO

When you enable allow-listing, only requests coming from an IP address that's on your authorized list will be able to sign into your account's portal and make calls to your API.

If you'd like to use allow listing, you should enable it through Passfort's IP allow listing area and avoid using Okta's allow-listing feature. Otherwise, both allow lists will apply for SSO sign-ins, and unexpected behavior may occur.

SSO logins

When SSO is configured on your account, your users can sign in with your identity provider with the Use Single Sign On (SSO) option on the sign-in screen.

Each time a user signs in, their name and teams are updated with the details from your identity provider.

If the user is signing in for the first time, their email address will be added to your Passfort account, making them a Passfort user that you can see and manage from the User Management tab.

If the user belongs to any groups on your identity provider and you've linked those groups to Passfort teams, the user will be added to the teams automatically. They'll be able to access the areas of your account based on the team roles.

Caution

If the user does not belong to any groups or if you haven't linked the groups to Passfort teams, the user won't have any user roles or team roles when their account is created. This means they won't be able to access any area of your Passfort account until you manually assign roles from the User Management tab.

Users are signed out of Passfortautomatically after 30 minutes of inactivity.

Users and SSO logins

If you have not enabled SSO, you can create accounts for your users from Passfort's User Management tab, using exactly the same email addresses you plan to use for SSO. Remember to assign user roles or team roles so they can access the appropriate areas of Passfort.

Users can use the Email and Password fields on the sign-in screen.

When you're ready to enable SSO, check the User Management tab to ensure:

Once this is done and you have SSO enabled, ask your users to log in with the Use Single Sign on (SSO) option.

When a user signs in with SSO, their sign-in credentials are converted to SSO. From this point forward, the user must always sign into Passfort using their SSO details. If they try to sign in with the Email and Password fields, they'll see a message that says Email address or password did not match. Try again, or contact us for help.

The user will be automatically added to any Passfort teams that are linked to identity provider groups enabled for their SSO account. They'll be able to access the areas of your account based on the team roles. Any pre-existing teams and roles are removed.

Where possible, we recommend using identity provider groups linked to Passfort teams. However, if the user does not have groups assigned to them or those groups have not been linked to Passfort teams, the user will keep the same teams and roles that they had before SSO. Activity within the Passfort account, including audit history, is not affected by the change to login credentials.

Note

SSO user passwords, as well as the reactivation and deactivation of SSO users, are managed by your identity provider.

Users with SSO enabled

You can see all users in Passfort by going to User Management > Users.

The SSO users have SSO enabled displayed next to their name.

User with SSO enabled

Roles and SSO users

Roles determine what users can see and do in Passfort.

For example, you could have a Compliance officer role that provides users with access to onboard and monitor all products.

Roles can be assigned on a team basis or a per-user basis.

By default, new SSO users on your account won't have any roles, which means they won't have access to any area of your account.

Assign roles automatically

To assign roles to SSO users automatically, link the groups on your identity provider to teams in Passfort and add team roles.

When an SSO user creates an account in Passfort, they'll be added to any teams linked to their identity provider groups and assigned the team roles accordingly.

Each time the user signs in after that, their teams will be updated to reflect any groups they've been added to or removed from on your identity provider.

Assign roles manually

To manually assign roles to a user that are independent of a team:

  1. Go to User management > Users.

  2. Select the user.

  3. Add the roles to the User roles field.

It is not possible to assign teams via the Team roles field from here. To manage teams, see the steps for assigning roles automatically.

Additional information