OIDC or SAML
OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are authentication protocols used when configuring SSO. We currently support both options, but we recommend OIDC; the guides below describe the OIDC setup process for different Identity Providers.
Microsoft Entra ID (formerly Azure Active Directory)
- Before proceeding, verify that you have an active Microsoft Entra ID account with Admin privileges.
- Register Upflow as a new app: App registration → New registration
  - Name: Upflow SSO
  - Select: Single tenant
  - Redirect URI: Select Web and enter:

- Navigate to the Upflow SSO application settings, and create a new app secret: Certificates & secrets → New client secret
  - Record the Value field, which serves as the client_secret
- Go to API permissions and make sure the User.Read permission under Microsoft Graph is granted to the application.

- Go back to the Overview page
  - Record the Application ID, which serves as the client_id
  - Record the Directory (tenant) ID, which can be used to generate the issuerURL: https://login.microsoftonline.com/[tenant]/v2.0/

- Identity Provider
- Application ID (client_id)
- Application Secret (client_secret)
- Complete issuerURL (which will include the Tenant ID)
- Email domain
Okta
- The Admin user must be signed in to the Okta Admin Console.
- Once there, go to Applications > Applications > Create App Integration
- Create a new App Integration, then select:
  - Sign-in method: OIDC
  - Application type: Web Application

- Enter the following settings in the subsequent New Web App Integration panel:
  - App integration name: Upflow SSO
  - Grant type: Authorization Code
  - Sign-in redirect URIs:
  - Sign-out redirect URIs:

- Assignments (optional): The default option lets you assign and grant access to Upflow for everyone in your Okta org.
If you would like to have more fine-grained access control over which users can access the Upflow application, you can select Controlled access and identify authorized group(s). As an alternative, groups and users can also be later authorized individually in the application settings page.
  * Please note that users will still have to be invited to your Upflow account to be able to enter the Upflow application.
- After hitting Save, the application settings panel will display the following parameters, which will need to be securely transmitted to Upflow:
  - the client_id (Client ID)
  - the client_secret (Secret)

  - the issuer can be found in the top right corner of the window, right below your email address

- client_id
- client_secret
- Complete issuerURL
- Identity Provider
- Email domain
SAML
OIDC is our recommended authentication protocol. If you do choose to proceed with SAML, the steps for this process are outlined below:
- Register a new app on your Identity Provider that grants the Upflow application access to read and verify the identity (email) of authenticating users. You’ll need the following Redirect URL:
- Finally, open secrets.upflow.io and add the following details to the Editor field, then send us the link via a Support request at the top of this article:
  - idpEntityId
  - ssoURL
  - rpEntityId
  - x509Certificates
  - Email domain name which will be used to sign in (e.g. “example.com”)

Here’s how it should be formatted:

    idpEntityId <put idpEntityId here>
    ssoURL <put ssoURL here>
    rpEntityId <put rpEntityId here>
    x509Certificates <put x509Certificates here>
FAQ
Does Upflow support Google SSO?
- Yes, Upflow offers Google SSO support.
- No, a single SSO configuration can be applied on both accounts. Submit a Support request at the top to ensure the configuration is ported over.
However, if SSO is set up in Production, it won’t be ported over to the sandbox environment. You’ll then have to either:
- Create a new, separate SSO project for the sandbox environment
- Regenerate/rotate the secret on the same SSO project you created for your Upflow production environment, and send us the related information so we can update it on our end. Your team’s access to Upflow can therefore be temporarily impacted.
- No. Once SSO is enabled on your Upflow account, the activation occurs at the domain level and all users MUST sign in via SSO. All other Upflow authentication methods are disabled.
- (SCIM) User Provisioning is not currently supported through Upflow.
- MFA is not currently supported through Upflow.
- Just-In-Time (JIT) provisioning is not currently supported through Upflow.
- Yes, please submit a Support request at the top to process this configuration.