Single Sign On (SSO) allows users to securely sign on to Upflow and other applications in use at your business with a single set of credentials. Below you'll find a rundown of the process and the steps involved in deploying this authentication method for Upflow.
OIDC or SAML
OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are authentication protocols used when configuring SSO. We currently support both options, but we recommend OIDC, and the guides below describe the OIDC setup process for different Identity Providers.
Microsoft Entra ID (formerly Azure Active Directory)
- Before proceeding, verify that you have an active Microsoft Entra ID account with Admin privileges.
- Register Upflow as a new app: App registration → New registration
  - Name: Upflow SSO
  - Select: Single tenant
  - Redirect URI: Select Web and enter: https://auth.upflow.io/__/auth/handler
- Record the Application ID, which serves as the client_id.
- Navigate to the Upflow SSO application settings and create a new app secret: Certificates & secrets → New client secret
  - Record the Value field, which serves as the client_secret.
- Go to API permissions and make sure the User.Read permission under Microsoft Graph is granted to the application.
- Go back to the Overview page.
  - Record the Directory (tenant) ID, which can be used to generate the issuer URL: https://login.microsoftonline.com/[tenant]/v2.0/
- Once this is done, open secrets.upflow.io, add the following information to the Editor field, and send the link via a Support request at the top of this article:
  - Identity Provider
  - Application ID (client_id)
  - Application Secret (client_secret)
  - Complete issuer URL (which will include the Tenant ID)
  - Email domain
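A pre-submission check for the Entra ID values collected above, as an added example (not Upflow's code). The function name, the dictionary keys and the sample values are assumptions made for illustration; it catches the usual copy mistakes, such as recording the Secret ID instead of the secret's Value or leaving the [tenant] placeholder in the issuer URL.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
ISSUER_HOST = "login.microsoftonline.com"  # host of the issuer URL in this guide

# Constructed sample values, not real credentials.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "constructed-secret-Value~not.a.guid",
    "issuer": "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0/",
    "email_domain": "example.com",
}

def check_entra_bundle(bundle):
    """Return a list of problems found in the collected values (empty if none)."""
    problems = []
    client_id = bundle.get("client_id", "").strip()
    secret = bundle.get("client_secret", "").strip()
    issuer = bundle.get("issuer", "").strip()
    domain = bundle.get("email_domain", "").strip().lower()
    # The Application ID is a GUID.
    if not GUID.fullmatch(client_id):
        problems.append("client_id is not a GUID (expected the Application ID)")
    # The secret's Value is not a GUID; the Secret ID shown beside it is.
    if not secret:
        problems.append("client_secret is empty")
    elif GUID.fullmatch(secret):
        problems.append("client_secret looks like the Secret ID, not the Value")
    try:
        parts = urlsplit(issuer)
    except ValueError:
        parts = urlsplit("")  # unparsable input falls through to the host check
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or parts.hostname != ISSUER_HOST:
        problems.append("issuer must be an https://login.microsoftonline.com URL")
    elif len(segments) != 2 or segments[1] != "v2.0":
        problems.append("issuer path must be /[tenant]/v2.0/")
    elif not GUID.fullmatch(segments[0]):
        problems.append("issuer path does not contain the Directory (tenant) ID")
    elif segments[0].lower() == client_id.lower():
        problems.append("issuer uses the Application ID where the tenant ID belongs")
    # A bare domain such as example.com, not an address or a URL.
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        problems.append("email_domain must be a bare domain")
    return problems
```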
Okta
1. The Admin user must be signed in to the Okta Admin Console.
2. Once there, go to Applications > Applications > Create App Integration.
3. Create a new App Integration, then select:
   - Sign-in method: OIDC
   - Application type: Web Application
4. Enter the following settings in the subsequent New Web App Integration panel:
   - App integration name: Upflow SSO
   - Grant type: Authorization Code
   - Sign-in redirect URIs: https://auth.upflow.io/__/auth/handler
   - Sign-out redirect URIs: https://app.upflow.io/
5. Assignments (optional): The default option lets you assign and grant access to Upflow for everyone in your Okta org.
   If you would like to have more fine-grained access control over which users can access the Upflow application, you can select Controlled access and identify authorized group(s). As an alternative, groups and users can also be authorized individually later in the application settings page.
   * Please note that users will still have to be invited in your Upflow account to be able to enter the Upflow application.
6. After hitting Save, the application settings panel will display the following parameters, which will need to be securely transmitted to Upflow:
   - the client_id (Client ID)
   - the client_secret (Secret)
   - the issuer can be found in the top right corner of the window, right below your email address

Finally, open secrets.upflow.io and add the following information to the Editor field. Then send us the link via a Support request at the top of this article:
- client_id
- client_secret
- Complete issuer URL
- Identity Provider
- Email domain
SAML
OIDC is our recommended authentication protocol. If you do choose to proceed with SAML, the steps for this process are outlined below:
- Register a new app on your Identity Provider which will grant access to the Upflow application to read and verify the identity (email) of authenticating users.
  You'll need the following Redirect URL: https://auth.upflow.io/__/auth/handler
- Finally, open secrets.upflow.io and add the following information to the Editor field. Then send us the link via a Support request at the top of this article:
  - idpEntityId
  - ssoURL
  - rpEntityId
  - x509Certificates
  - Email domain name which will be used to sign in (e.g. “example.com”)
FAQ
- Does Upflow support Google SSO?
  Yes, Upflow offers Google SSO support.
- If I set up SSO on my Upflow sandbox account, do I have to do it again on my production account?
  No, a single SSO configuration can be applied on both accounts. Submit a Support request at the top to ensure the configuration is ported over.
- If SSO is enabled on my Upflow account, can some of our users still sign on with their email and Upflow password?
  No. Once SSO is enabled on your Upflow account, the activation occurs at the domain level and all users MUST sign in via SSO. All other Upflow authentication methods are disabled.
- Does Upflow support (SCIM) User Provisioning?
  (SCIM) User Provisioning is not currently supported through Upflow.
- Does Upflow support multi-factor authentication (MFA)?
  MFA is not currently supported through Upflow.
- Does Upflow support Just-In-Time (JIT) provisioning?
  Just-In-Time (JIT) provisioning is not currently supported through Upflow.
- Is Upflow able to support an SSO setup with 2 different domains?
  Yes, please submit a Support request at the top to process this configuration.