Single Sign On (SSO) allows users to securely sign on to Upflow and other applications in use at your business with a single set of credentials. Below you'll find a rundown of the process and the steps involved in deploying this authentication method for Upflow.
OIDC or SAML
OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are authentication protocols used when configuring SSO. We currently support both options, but we recommend OIDC; the guides below describe the OIDC setup process for different Identity Providers.
Microsoft Entra ID (formerly Azure Active Directory)
- Before proceeding, verify that you have an active Microsoft Entra ID account with Admin privileges.
- Register Upflow as a new app: App registration → New registration
  - Name: Upflow SSO
  - Select: Single tenant
  - Redirect URI: Select Web and enter: https://auth.upflow.io/__/auth/handler
  - Record the Application ID which serves as the client_id
- Navigate to the Upflow SSO application settings, and create a new app secret: Certificates & secrets → New client secret
  - Record the Value field which serves as the client_secret
- Go to API permissions and make sure the User.Read permission under Microsoft Graph is granted to the application.
- Go back to the Overview page
  - Record the Directory (tenant) ID which can be used to generate the issuer URL: https://login.microsoftonline.com/[tenant]/v2.0/
- Reach out to Upflow Support so that we can complete the process on our end. We'll provide a secure channel for you to send the following details through:
  - Application ID (client_id)
  - Application Secret (client_secret)
  - Tenant ID (part of issuer URL)
Okta
1. The Admin user must be signed in to the Okta Admin Console.
2. Once there, go to Applications > Applications > Create App Integration
3. Create a new App Integration, then select:
   - Sign-in method: OIDC
   - Application type: Web Application
4. Enter the following settings in the subsequent New Web App Integration panel:
   - App integration name: Upflow SSO
   - Grant type: Authorization Code
   - Sign-in redirect URIs: https://auth.upflow.io/__/auth/handler
   - Sign-out redirect URIs: https://app.upflow.io/
5. Assignments (optional): The default option lets you assign and grant access to Upflow for everyone in your Okta org.
   If you would like to have more fine-grained access control over which users can access the Upflow application, you can select Controlled access and identify authorized group(s). As an alternative, groups and users can also be authorized individually later in the application settings page.
   * Please note that users will still have to be invited to your Upflow account to be able to enter the Upflow application.
6. After hitting Save, the application settings panel will display the following parameters, which will need to be securely transmitted to Upflow:
   - the client_id (Client ID)
   - the client_secret (Secret)
   - the issuer can be found in the top right corner of the window, right below your email address
7. Reach out to Upflow Support so that we can complete the process on our end. We'll provide a secure channel for you to send the following details through:
   - client_id
   - client_secret
   - issuer
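Both the Microsoft Entra ID and Okta guides above end with an issuer value being handed to Upflow Support. The Python below is an added example, not code from Upflow, Microsoft or Okta: it checks an issuer against the provider's OIDC discovery metadata before you send it. The function names, the sample tenant ID and the sample metadata are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def entra_issuer(tenant_id: str) -> str:
    """Build the issuer URL from the Directory (tenant) ID, per the guide's template."""
    if not GUID.fullmatch(tenant_id):
        raise ValueError("Directory (tenant) ID should be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/"

def discovery_url(issuer: str) -> str:
    """OIDC Discovery: provider metadata is served below the issuer path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer: str, metadata: dict) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer is not an https URL")
    if re.search(r"[\[\]{}<>]", issuer):
        problems.append("issuer still contains a placeholder")
    # Assumption of this example: one trailing slash is ignored when comparing.
    # The Discovery spec asks for an exact match; compare strictly if preferred.
    if str(metadata.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        problems.append("metadata issuer does not match")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(metadata.get(field, ""))).scheme != "https":
            problems.append(f"{field} missing or not https")
    # The Okta guide selects the Authorization Code grant, so "code" must be offered.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems

# Constructed sample: tenant ID and metadata are made up for this example.
TENANT = "11111111-2222-3333-4444-555555555555"
BASE = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_METADATA = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    print(discovery_url(entra_issuer(TENANT)))
    print(check_issuer(entra_issuer(TENANT), SAMPLE_METADATA) or "ok")
```

In practice, replace SAMPLE_METADATA with the JSON document retrieved from the address that discovery_url() returns for your own issuer.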
SAML
OIDC is our recommended authentication protocol. If you do choose to proceed with SAML, the steps for this process are outlined below:
- Register a new app on your Identity Provider which will grant access to the Upflow application to read and verify the identity (email) of authenticating users. You'll need the following Redirect URL: https://auth.upflow.io/__/auth/handler
- Reach out to Upflow Support so that we can complete the process on our end. We'll provide a secure channel for you to send the following parameters of the newly registered app:
  - idpEntityId
  - ssoURL
  - rpEntityId
  - x509Certificates
  - Email domain name which will be used to sign in (e.g. “example.com”)
FAQ
- Does Upflow support Google SSO?
  Yes, Upflow offers Google SSO support.
- If I set up SSO on my Upflow sandbox account, do I have to do it again on my production account?
  No, a single SSO configuration can be applied on both accounts. Reach out to Upflow Support to ensure the configuration is ported over.
- If SSO is enabled on my Upflow account, can some of our users still sign on with their email and Upflow password?
  No. Once SSO is enabled on your Upflow account, the activation occurs at the domain level and all users MUST sign in via SSO. All other Upflow authentication methods are disabled.
- Does Upflow support (SCIM) User Provisioning?
  (SCIM) User Provisioning is not currently supported through Upflow.
- Does Upflow support multi-factor authentication (MFA)?
  MFA is not currently supported through Upflow.
- Does Upflow support Just-In-Time (JIT) provisioning?
  Just-In-Time (JIT) provisioning is not currently supported through Upflow.
- Is Upflow able to support an SSO setup with 2 different domains?
  Yes, please reach out to Upflow Support to process this request.