Skip to main content
Feedback

Single sign-on with Flow

This topic covers signing in to as the service provider, as well as user restrictions and example scenarios.

Signing in to as the service provider

Service provider-initiated sign in for single sign-on provides seamless access to Flow .

You may be signed in to the application you use the most: the identity provider. To sign in to the service provider (), click a link in the identity provider's application to access the service provider.

If you are not signed in to the identity provider but click a link (for example a bookmarked URL or a URL received in an email) that is supposed to take you to the service provider's sign in page, single sign-on redirects you to the identity provider's sign in page. After you sign in, you are redirected to the target of the service provider's link and gain access to it without having to sign in a second time.

If your user account also has access to tenants that do not use single sign-on, you have to sign in to those tenants normally using Flow.

If you used to sign in to normally but now wish to sign in to a tenant that uses single sign-on, you have to sign in using the relevant tenant URL.

Restrictions for single sign-on users

The following restrictions apply to users signed in to a SAML SSO enabled tenant:

  • The user account is locked into the SAML SSO enabled tenant.

  • Tenant information cannot be viewed (for example, viewing tenant members or subtenants that belong to the tenant).

  • Tenant information cannot be modified (for example, adding additional users or creating new subtenants).

  • Other tenants/subtenants that the user is a member of also cannot be accessed or viewed.

  • The SAML SSO enabled tenant can only be accessed using SAML SSO authentication for the user account.

  • The Sign Out button is not displayed/enabled for a single sign-on user.

If a user who has been automatically provisioned using SAML SSO login needs access to another tenant, the user can be added to another tenant by the tenant administrator as normal. To access the tenant the user must initiate a password reset. Once the user password has been reset, they can authenticate with as normal and gain access to the tenant. However, note that the user will still only be able to gain access to the SAML SSO enabled tenant using SSO authentication.

The single sign-on process

This is the process (assuming the user is not already signed in to and does not have a valid session):

  1. The user is redirected to the IdP login screen, allowing them to enter their credentials.

  2. Once the user has been successfully authenticated by the IdP, the user is redirected back to .

  3. The SAML assertion from the IdP is validated against the certificate set up during the tenant SAML SSO configuration. See Enabling SAML single sign-on for a tenant.

  4. The user group permissions are validated as per the tenant SAML SSO configuration.

  5. The user email address is extracted from the SAML assertion.

    • If an existing user account is found with the email address provided in the SAML assertion, the user is granted access to the tenant.

    • If no existing user account is found with the email address provided in the SAML assertion, a new user account is provisioned. Once the user has completed their provisioning, they are granted access to the tenant.

  6. The browser redirects the user to , where they are given immediate access to the tenant.

    • 'SSO' is displayed on the Account menu to indicate that the user is signed in with an SSO account.

    • The Account menu Change Tenant option is removed so that the user cannot change tenants; they can only access the tenant that they signed into as an SSO user.

    • The Sign Out button is not displayed/enabled for the single sign-on user.

On this Page