
# Enabling single sign on (SSO) for your Upflow users

> Deploy SSO for Upflow using OIDC or SAML through identity providers like Microsoft Entra ID so your users sign in with one set of corporate credentials.

**Single Sign On (SSO)** allows users to securely sign on to Upflow and other applications in use at your business with a single set of credentials. Below you'll find a rundown of the process and the steps involved in deploying this authentication method for Upflow.

## OIDC or SAML

OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are the authentication protocols used when configuring SSO. We currently support both options, but we *recommend* OIDC; the guides below describe the OIDC setup process for different Identity Providers.

### Microsoft Entra ID (formerly Azure Active Directory)

1. Before proceeding, verify that you have an active Microsoft Entra ID account with Admin privileges. Then register Upflow as a new app (*App registration → New registration*) with the following settings:
   * Name: *Upflow SSO*
   * Select: *Single tenant*
   * Redirect URI: Select *Web* and enter:
     ```text
     https://auth.upflow.io/__/auth/handler
     ```
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Entra-Azure---App-registration-%E2%86%92-New-registration-1.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=4a5974848c31c56f159d717e0c0dd720" alt="Entra Azure App Registration → New Registration 1" width="2000" height="1535" data-path="images/Entra-Azure---App-registration-→-New-registration-1.png" />
   </Frame>
2. Navigate to the *Upflow SSO* application settings and create a new app secret: *Certificates & secrets* → *New client secret*
   * Record the Value field, which serves as the `client_secret`
3. Go to *API permissions* and make sure the *User.Read* permission under Microsoft Graph is granted to the application.
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Entra-Azure---API-permissions.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=cb554da9dc475ad82e259b9f5155ab20" alt="Entra Azure API Permissions" width="2626" height="516" data-path="images/Entra-Azure---API-permissions.png" />
   </Frame>
4. Go back to the *Overview* page
   1. Record the Application ID which serves as the `client_id`
      <Frame>
        <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Entra-Azure---client-application-ID.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=92bf34ab6edf6adf08adfdab16639bf6" alt="Entra Azure Client Application ID" width="1140" height="728" data-path="images/Entra-Azure---client-application-ID.png" />
      </Frame>
   2. Record the Directory (tenant) ID, which is used to build the `issuer` URL: `https://login.microsoftonline.com/[tenant]/v2.0/`
      <Frame>
        <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Entra-Azure---Directory-(tenant)-ID.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=31979ef81a6caed27a98caaef745e56c" alt="Entra Azure Directory (tenant) ID" width="1140" height="728" data-path="images/Entra-Azure---Directory-(tenant)-ID.png" />
      </Frame>

Once this is done, open [secrets.upflow.io](https://secrets.upflow.io/), paste the following details into the Editor field, and send us the resulting link via a Support request (at the top of this article):

* Identity Provider
* Application ID (`client_id`)
* Application Secret (`client_secret`)
* Complete `issuer` URL (which will include the Tenant ID)
* `Email domain`
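The values collected above are exactly the ones that, if mistyped or chosen loosely, produce an SSO setup that either fails to log anyone in or logs in the wrong people. As an added example (not Upflow's code, nor Microsoft's), the following Python script assembles those values into a config, checks them for the common mistakes (a redirect URI that differs by one character, an `issuer` that names a multi-tenant alias instead of your tenant GUID), and then checks the claims of an already signature-verified ID token against that config, which is what a relying party must do before trusting the token. The tenant ID, client ID, secret placeholder, email domain and token claims are constructed sample values, and the function names are this example's own.

```python
"""Sanity checks on the values recorded during the Entra ID OIDC setup.

Added example, not Upflow's code. The tenant ID, client ID, secret placeholder,
email domain and token claims below are constructed for illustration.
"""
import uuid

# Redirect URI from the setup steps; the IdP rejects a callback that differs in any character.
UPFLOW_REDIRECT_URI = "https://auth.upflow.io/__/auth/handler"


def entra_issuer(tenant_id: str) -> str:
    """Build the tenant-specific v2.0 issuer URL from the Directory (tenant) ID."""
    uuid.UUID(tenant_id)  # the tenant ID is a GUID; raises ValueError otherwise
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/"


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def check_config(cfg: dict) -> list:
    """Return problems with the values that will be sent to Upflow (empty list = OK)."""
    problems = []
    if cfg.get("redirect_uri") != UPFLOW_REDIRECT_URI:
        problems.append("redirect_uri must be exactly " + UPFLOW_REDIRECT_URI)
    issuer = cfg.get("issuer", "")
    if not issuer.startswith("https://login.microsoftonline.com/"):
        problems.append("issuer must be an https login.microsoftonline.com URL")
    # The app was registered as single tenant, so the issuer must embed the tenant GUID.
    # A multi-tenant alias such as 'common' would accept tokens minted for any tenant.
    tenant = issuer.rstrip("/").removesuffix("/v2.0").rsplit("/", 1)[-1]
    if not _is_guid(tenant) or tenant != cfg.get("tenant_id"):
        problems.append("issuer must be https://login.microsoftonline.com/<tenant GUID>/v2.0/")
    if not _is_guid(cfg.get("client_id", "")):
        problems.append("client_id (Application ID) is not a GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret (the secret's Value field) is empty")
    domain = cfg.get("email_domain", "")
    if "@" in domain or "." not in domain:
        problems.append("email_domain should be a bare domain such as example.com")
    return problems


def check_id_token_claims(claims: dict, cfg: dict) -> list:
    """Check the claims of an ID token whose signature has already been verified.

    Signature verification (RS256 against the keys the issuer publishes through its
    discovery document) is out of scope here; these are the checks that come after it.
    """
    problems = []
    if claims.get("iss", "").rstrip("/") != cfg["issuer"].rstrip("/"):
        problems.append("iss does not match the configured issuer (token from another tenant?)")
    aud = claims.get("aud")
    aud_ok = cfg["client_id"] in aud if isinstance(aud, list) else aud == cfg["client_id"]
    if not aud_ok:
        problems.append("aud is not our client_id (token was minted for a different app)")
    if claims.get("tid") != cfg["tenant_id"]:
        problems.append("tid is not our tenant")
    # Enforce the domain-level activation: the account must belong to the SSO email domain.
    email = claims.get("email") or claims.get("preferred_username") or ""
    if not email.lower().endswith("@" + cfg["email_domain"].lower()):
        problems.append("account is outside the SSO-enabled email domain")
    return problems


# Constructed sample values standing in for what you record in the Entra portal.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CONFIG = {
    "identity_provider": "Microsoft Entra ID",
    "tenant_id": SAMPLE_TENANT_ID,
    "client_id": SAMPLE_CLIENT_ID,
    "client_secret": "<secret Value copied from Certificates & secrets>",  # placeholder
    "issuer": entra_issuer(SAMPLE_TENANT_ID),
    "redirect_uri": UPFLOW_REDIRECT_URI,
    "email_domain": "example.com",
}
# Claims as they would appear in a verified ID token for a user of that tenant (constructed).
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "aud": SAMPLE_CLIENT_ID,
    "tid": SAMPLE_TENANT_ID,
    "email": "alice@example.com",
}

if __name__ == "__main__":
    print("config problems:", check_config(SAMPLE_CONFIG))
    print("token problems:", check_id_token_claims(SAMPLE_CLAIMS, SAMPLE_CONFIG))
    foreign = dict(SAMPLE_CLAIMS, iss="https://login.microsoftonline.com/common/v2.0", tid="common")
    print("foreign tenant:", check_id_token_claims(foreign, SAMPLE_CONFIG))
```

The issuer comparison strips the trailing slash because the page writes the `issuer` URL with one while the `iss` claim in the token carries none; the email check requires the `@` immediately before the domain so that `alice@notexample.com` does not pass for `example.com`.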

### Okta

1. The Admin user must be signed in to the Okta Admin Console.
2. Once there, go to `Applications` > `Applications` > `Create App Integration`
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Okta---Create-App-Integration.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=2839f4966831d5f3ffaeacb6104f51e8" alt="Okta Create App Integration" width="1576" height="630" data-path="images/Okta---Create-App-Integration.png" />
   </Frame>
3. Create a new `App Integration`, then select:
   * Sign-in method: *OIDC*
   * Application type: *Web Application*
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Okta---App-Integration.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=dc06dc3c95db84b5fffcfa496e75d8b7" alt="Okta App Integration" width="945" height="806" data-path="images/Okta---App-Integration.png" />
   </Frame>
4. Enter the following settings in the subsequent `New Web App Integration` panel:
   * App integration name: *Upflow SSO*
   * Grant type: *Authorization Code*
   * Sign-in redirect URIs:
     ```text
     https://auth.upflow.io/__/auth/handler
     ```
   * Sign-out redirect URIs:
     ```text
     https://app.upflow.io/
     ```
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Okta---New-Web-App-Integration-panel.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=ab1fc5413488212771e735a50be0a899" alt="Okta New Web App Integration Panel" width="854" height="846" data-path="images/Okta---New-Web-App-Integration-panel.png" />
   </Frame>
5. Assignments *(optional)*: The default option assigns and grants access to Upflow for everyone in your Okta org.

   If you would like more fine-grained control over which users can access the Upflow application, select *Controlled access* and identify the authorized *group(s)*. Alternatively, groups and users can be authorized individually later in the application settings page.

   **\* Please note that users will still have to be invited to your Upflow account to be able to enter the Upflow application.**
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Okta---Assignments.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=0af47619693271fae8ff0e17b798a9c2" alt="Okta Assignments" width="880" height="308" data-path="images/Okta---Assignments.png" />
   </Frame>
6. After hitting Save, the application settings panel displays the following parameters, which will need to be securely transmitted to Upflow:
   * the `client_id` (Client ID)
   * the `client_secret` (Secret)
   <Frame>
     <img src="https://mintcdn.com/upflow-04dc27cd/kPGo3bTeqqUpqZZQ/images/Okta---Client-Credentials.png?fit=max&auto=format&n=kPGo3bTeqqUpqZZQ&q=85&s=f55f5edd5e4e30ce92b6d5fcc1f88834" alt="Okta Client Credentials" width="688" height="587" data-path="images/Okta---Client-Credentials.png" />
   </Frame>
   * the `issuer` can be found in the top right corner of the window, right below your email address

Finally, open [secrets.upflow.io](https://secrets.upflow.io), paste the following details into the Editor field, and send us the resulting link via a Support request (at the top of this article):

* `client_id`
* `client_secret`
* Complete `issuer` URL
* `Identity Provider`
* `Email domain`

### SAML

OIDC is our recommended authentication protocol. If you do choose to proceed with SAML, the steps for this process are outlined below:

1. Register a new app on your Identity Provider that grants the Upflow application access to read and verify the identity (email) of authenticating users. You'll need the following Redirect URL:
   ```text
   https://auth.upflow.io/__/auth/handler
   ```
2. Finally, open [secrets.upflow.io](https://secrets.upflow.io), paste the following details into the Editor field, and send us the resulting link via a Support request (at the top of this article):
   * `idpEntityId`
   * `ssoURL`
   * `rpEntityId`
   * `x509Certificates`
   * Email domain name which will be used to sign in (e.g. "example.com")

   Here's how it should be formatted:
   ```text
   idpEntityId <put idpEntityId here>
   ssoURL <put ssoURL here>
   rpEntityId <put rpEntityId here>
   x509Certificates <put x509Certificates here>
   ```
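That block is assembled by hand, and the usual mistakes are a field dropped, the IdP certificate pasted without its PEM markers, an `ssoURL` that is not https, or the template placeholders left in place. As an added example, not Upflow's code, here is a small Python checker that parses the block and reports such problems. It assumes the layout shown above with each field name followed by its value, either all on one line or one field per line (the certificate may span several lines); the sample block and its certificate body are constructed placeholders, and the function names are this example's own.

```python
"""Parse and sanity-check the SAML details block before sending it to Upflow.

Added example, not Upflow's code. It assumes the layout above: each field name
followed by its value, either all on one line or one field per line.
"""
import re

FIELDS = ("idpEntityId", "ssoURL", "rpEntityId", "x509Certificates")
# A field name delimited by whitespace (or by the start/end of the text).
_KEY_RE = re.compile(r"(?<!\S)(idpEntityId|ssoURL|rpEntityId|x509Certificates)(?!\S)")
# Placeholder text from the template, e.g. "<put ssoURL here>".
_PLACEHOLDER_RE = re.compile(r"<put .*? here>")


def parse_saml_block(text: str) -> dict:
    """Return {field: value}; each value runs from its field name to the next one."""
    matches = list(_KEY_RE.finditer(text))
    fields = {}
    for i, match in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[match.group(1)] = text[match.end():end].strip()
    return fields


def check_saml_block(text: str) -> list:
    """Return a list of problems found in the block (empty list = looks complete)."""
    fields = parse_saml_block(text)
    problems = [f"missing or empty field: {name}" for name in FIELDS if not fields.get(name)]
    if _PLACEHOLDER_RE.search(text):
        problems.append("template placeholder text is still present")
    sso_url = fields.get("ssoURL", "")
    if sso_url and not sso_url.startswith("https://"):
        problems.append("ssoURL must be an https URL")
    cert = fields.get("x509Certificates", "")
    if cert and not ("-----BEGIN CERTIFICATE-----" in cert and "-----END CERTIFICATE-----" in cert):
        problems.append("x509Certificates must be the IdP signing certificate in PEM form")
    # Entity IDs and the SSO URL are single tokens; whitespace means a partial paste.
    for name in ("idpEntityId", "ssoURL", "rpEntityId"):
        if any(ch.isspace() for ch in fields.get(name, "")):
            problems.append(f"{name} contains whitespace; check that it was pasted whole")
    return problems


# Constructed sample; the certificate body is a placeholder, not a real certificate.
SAMPLE_BLOCK = """\
idpEntityId https://idp.example.com/saml/metadata
ssoURL https://idp.example.com/saml/sso
rpEntityId https://sp.example.com/upflow
x509Certificates -----BEGIN CERTIFICATE-----
MIIC...placeholder...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(parse_saml_block(SAMPLE_BLOCK))
    print("problems:", check_saml_block(SAMPLE_BLOCK))
    print("with http ssoURL:", check_saml_block(SAMPLE_BLOCK.replace("ssoURL https://", "ssoURL http://")))
```

Run it on the text you are about to paste; an empty problem list means every field is present, the SSO URL is https, and the certificate carries its PEM markers, which is what Upflow needs to verify the signed assertions coming from your IdP.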

### FAQ

**Does Upflow support Google SSO?**

* Yes, Upflow offers [Google SSO support](/en-us/technical-documentation/sso/enforce-sign-in-with-google).

**If I set up SSO on my Upflow sandbox account, do I have to do it again on my production account?**

* No, a single SSO configuration can be applied on both accounts. Submit a Support request at the top to ensure the configuration is ported over.

<Info>
  However, if SSO is set up in Production first, it won't be ported over to the sandbox environment. You'll then have to either:

  * Create a separate SSO project for the sandbox environment
  * Regenerate/rotate the secret on the same SSO project you created for your Upflow production environment and send us the related information so we can update it on our end. Your team's access to Upflow may therefore be temporarily affected.
</Info>

**If SSO is enabled on my Upflow account, can some of our users still sign on with their email and Upflow password?**

* No. Once SSO is enabled on your Upflow account, the activation occurs at the domain level and all users MUST sign in via SSO. All other Upflow authentication methods are disabled.

**Does Upflow support (SCIM) User Provisioning?**

* (SCIM) User Provisioning is not currently supported through Upflow.

**Does Upflow support multi-factor authentication (MFA)?**

* MFA is not currently supported through Upflow.

**Does Upflow support Just-In-Time (JIT) provisioning?**

* Just-In-Time (JIT) provisioning is not currently supported through Upflow.

**Is Upflow able to support an SSO setup with 2 different domains?**

* Yes, please submit a Support request at the top to process this configuration.
