Single Sign-On (SSO)
Single Sign-On is an authentication method that lets you sign in to multiple applications through one centralized authentication step. Front supports Single Sign-On (SSO) with any SAML-based Identity Provider (IDP).
We have setup guides for specific IDPs below:
Enabling Single Sign-On
- You will need administrative access to your respective IDP
- You must be a Company Admin in Front
- You must have the Enterprise plan with Front
Enable Single Sign-On in Front
Go into your Settings, select Preferences, and Single Sign On. Use the dropdown box to select SAML.
By selecting the SAML option, Front will automatically provide the values you need to add Front as a SAML 2.0 Service Provider to your Identity Provider:
- Entity ID: the identifier of our Service Provider.
- ACS URL: the URL of our Service Provider which will receive the SAML assertions.
- Name ID Format: the format of the name ID to use in SAML assertions.
- Encryption certificate: the certificate to encrypt SAML assertions.
Front will ask you to provide:
- Entry point: corresponding to your Identity Provider URL which will receive authentication requests.
- Signing certificate: to verify the signature of the responses received by our Service Provider.
This is currently the only option available to enable SSO in Front.
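As an added example (not Front's code), the following Python shows what a SAML Service Provider does with the values listed above: it checks that the response's Destination matches the ACS URL, that the assertion's Audience matches the Entity ID, that the NameID uses the configured Name ID Format, that the assertion is inside its validity window, and that the certificate embedded in the response is the configured Signing certificate rather than whatever arrived with the message. All URLs, the certificate value and the sample response are constructed placeholders, and XML signature verification itself is left to an XML-DSig library.

```python
# Added example, not Front's code: the checks a SAML Service Provider runs on an
# IdP response using the values shown on the Front SSO settings page (Entity ID,
# ACS URL, Name ID Format, Signing certificate). It does NOT verify the XML
# signature itself; a real SP must do that with an XML-DSig library first.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def saml_ts(s):  # SAML timestamps are UTC, e.g. 2024-01-01T00:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, sp, now):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match ACS URL")
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    if "".join(cert.split()) != "".join(sp["signing_cert"].split()):
        problems.append("embedded certificate differs from configured signing certificate")
    a = root.find("a:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    if a.findtext("a:Conditions/a:AudienceRestriction/a:Audience", namespaces=NS) != sp["entity_id"]:
        problems.append("Audience does not match Entity ID")
    cond = a.find("a:Conditions", NS)
    try:
        in_window = saml_ts(cond.get("NotBefore")) <= now < saml_ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):  # missing Conditions or bad timestamps
        in_window = False
    if not in_window:
        problems.append("assertion outside its validity window")
    name_id = a.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != sp["name_id_format"]:
        problems.append("NameID format mismatch")
    return problems

# Constructed placeholder values for what Front displays and what an IdP would return.
SP = {"entity_id": "https://sp.example.com/metadata", "acs_url": "https://sp.example.com/saml/acs",
      "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "signing_cert": "MIIC...CONSTRUCTED...=="}
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://sp.example.com/saml/acs">
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...CONSTRUCTED...==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <a:Assertion><a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</a:NameID></a:Subject>
 <a:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"><a:AudienceRestriction>
 <a:Audience>https://sp.example.com/metadata</a:Audience></a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"""

def check_sample(now_str):  # e.g. check_sample("2024-01-01T00:02:00Z") -> []
    return validate_response(SAMPLE, SP, saml_ts(now_str))
```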
Updating the SSO certificate
Making changes to your team’s SSO configuration doesn’t invalidate existing sessions or log teammates out, but it will affect any new sign-on. Before proceeding:
- Keep a copy of the certificate you’re replacing in case the new one is invalid.
- Keep one admin session signed in while testing the new certificate to avoid being locked out.
Update the SSO certificate
Go into your Settings, select Preferences, and Single Sign On.
Update the Signing certificate and click Save.
Test sign-on with another account.
How is this different than the Sign in with Google / Office 365 option that displays on the login page?
The options on our login page (pictured below) use the OAuth standard, much like clicking "Sign in with Google" on any other website. The configuration described in this article is for SAML-based authentication. If you would rather sign in with SSO using OAuth, simply select the "Sign in with Google" or "Sign in with Office 365" option on the login page.
Can I enable SSO just for a few users?
No. SSO can only be enabled at the company level and will require all users to authenticate using their IDP from that point forward.
Will users be logged out once I enable SSO?
Users are not automatically logged out when you enable SSO. Once SSO is enabled, each user's next login attempt will be redirected to your SSO provider (as shown below). While users will not be forced out of their existing sessions, they may encounter a session timeout if their idle time reaches the limit in your company settings.
Does my email address configured in Front need to match the email in my identity provider?
Generally speaking, yes. Some providers do, however, let you configure custom mappings so that the email address on a user's Front profile need not match the one configured in your IDP. We recommend updating each user's login email to match your IDP before enabling SSO.
Can I sign in through any other URLs if I can't access my identity provider?
We do not provide a backup login URL where users can sign in with their normal username and password. If you have enabled SSO through an IDP and are unable to access the platform, please contact us.
Which Azure Subscription would enable us to use Front's SSO?
All versions of AAD support SSO; the only difference is the number of SSO integrations you can have on your side (10 vs. unlimited). You can find more information here. Once Front supports SCIM user provisioning, that functionality would only be accessible on Azure's Premium 1 or Premium 2 plans.
Do you support user provisioning through an IDP as well?
At this time user provisioning is fully supported for Okta. For more information on how to set this up see User provisioning with Okta.