Single Sign-On (SSO)

Single Sign-On (SSO) is an authentication mechanism that allows users to access multiple applications using a single ID and password. Flow provides Single Sign-On. Enabling SSO for your Flow organization allows the users of your organization to use your corporate identity provider (IdP) credentials to log in to Flow. Once the IdP authenticates the users, it informs Flow about it, which in turn, lets the users access the organization without having to sign in using their Flow credentials.  

This makes the login process easier, faster and more secure for your users.

How SSO works with Flow

The user authentication part is handled by the IdP. Whenever a user tries to access an SSO-enabled organization, he/she will be redirected to the ‘IdP Sign-In’ page, where the user is required to authenticate using IdP credentials. Once this is done, the user is given secure access to the relevant organization in Flow. Flow uses one of the most popular open standards, i.e., Security Assertion Markup Language 2.0 (SAML 2.0) for SSO and can be integrated with any IdP that supports SAML 2.0. Some of the popular SAML 2.0-based IdPs are Okta, OneLogin, Azure AD, AD FS, and Google G Suite.

Setting up SSO for Organizations

ou can integrate Flow SSO with any identity provider (IdP) that supports SAML 2.0 protocol. This section covers the detailed steps to enable SSO for your organization.


In order to set up SSO for your organization, make sure you have:

- Access to your identity provider’s configuration settings

- Admin rights for your organization

Steps to enable SSO for organizations

Let's go through the steps involved in setting up SSO for an organization:

Step 1: Create Entity ID for organization

1. Log in to your Flow account. Navigate to the ‘Organization Settings’ page of the organization for which you want to enable SSO and click on the ‘SINGLE SIGN-ON’ menu given in the left-hand side panel. 

sso page.png

A new screen will appear where you can view and modify the SSO settings for your organization. 

2. Notice that some of the fields have pre-configured values. Let’s understand what these fields are: 

- Assertion Consumer Service (ACS) URL: This is the location where the SAML assertion is sent with an HTTP POST and is unique for each organization. This is generated by Flow automatically. You need to use this URL in your IdP settings while configuring SSO (details covered in Step 2).

- Identifier Format: This is the format that is used by your IdP to uniquely identify the user. Flow supports only ‘EmailAddress’ as an identifier format, hence, you need to set the value of ‘NameID Format’ to ‘EmailAddress’ in your IdP settings as well.

sso 2.png

3. Next, provide a unique ‘Entity ID’ to be associated with your organization. Please ensure that the same entity ID is used in your ‘IdP Settings’ under the ‘Entity ID’ or ‘SP Entity ID’ field. 

Note: Keep this window open, as you will need these details for setting up Flow app in your IdP in the next step.

Step 2: Setup Flow app in your IdP

1. Login to your Idp account.

2. Create a new application (also known as app or connector in some IdPs) with a unique name. For example, ‘ Flow’.

3. In the SAML settings, provide the following details:

- Single Sign-on URL: Enter the ‘ACS URL’ of your Flow organization (as seen in Step 1.2)

- Entity ID: Enter the ‘Entity ID’ of your Flow organization (as seen in Step 1.2). 

- Note: The name of this field may be different in some Idps. For example, ‘SP Entity ID’, ‘Audience URI’.

- NameID Format: This is the format that is used by the IdP to uniquely identify the users. Set the value for this field to ‘EmailAddress’.

4. Next, add required users to this app using the ‘Add People’, ‘Add Users’ or such similar options. Here, you can define who (from the list of all users of your IdP) gets to access the Flow organization through SSO. 

5. Once you have entered these details and saved the settings, you will receive the ‘IdP Single Sign-on URL’, x.509 certificate/Public Key Certificate and Private Key Certificate for the app. Save the URL and download the certificate, as you will need it in the step 3 for configuring IdP details in your Flow organization. 

Step 3: Configure IdP details in your organization

1. Switch back to the ‘ Flow - Organization SSO Settings’ window. 

2. In the ‘Single Sign-On URL’ field, enter the ‘IdP Single Sign-On URL’ received from your IdP, in Step 2. 

3. Select the ‘Signature Algorithm’ used by your IdP

4. In the ‘Public Key Certificate’ field, upload the X.509 or the ‘Public Key’ certificate received from your IdP, in the previous step. 

5. In the ‘Private Key Certificate’ field, upload the ‘Private Key Certificate’ received from your IdP, in the previous step. 

6. In the ‘Session Duration’ field, specify the duration (in hours) after which the SSO user session should expire. The duration should be same or lesser than as the session duration defined in your IdP. 

set sso.png

Once you have entered these details, click on ‘SAVE’. This will save your SSO settings. 

Step 4: Test and Enable SSO for your organization

Test SSO

1. Once you have saved the SSO settings, a new window will appear where you can see two options: ‘Enable SSO’ and ‘Test’.

test and enable.png

2. Click on the ‘Test’ button. A new ‘IdP sign-in’ window will appear where you need to enter your IdP credentials. If you are able to sign-in to using your IdP credentials, then the test is successful. You can then proceed to enabling SSO for your organization. 

Note: It is highly recommended that you test your SSO settings before enabling it. 

Enable SSO

Click on the ‘Enable SSO’ button to enable SSO for your organization. Once enabled, all the users of your organization will be able to access it through SSO, instead of their Flow credentials. 

Disable SSO

Once you have enabled SSO, you will notice that the ‘Enable SSO’ button changes to ‘Disable SSO’, in your SSO Settings page. 

disable button.png

You can disable SSO for your organization anytime by clicking in this button. Once the SSO is disabled, all the users of your organization can access it using their Flow/Google login credentials.

Signing in to SSO-enabled organization

nce SSO has been enabled for an organization, users will need to use the organization name and their IdP credentials to access the organization. (The Organization owner, however, can access the organization using his Flow credentials as well as IdP credentials). Let’s look at the steps involved in accessing an SSO-enabled organization. 

1. When you hit your organization access URL, a new window will appear where you will be prompted to enter the name of the organization you want to access. 


2. Enter these details, and click on ‘Sign in’, you will be redirected to your IdP window.


3. Once you have entered your IdP credentials, and signed in, you will be redirected to your organization dashboard.