Single Sign-On
Single sign-on (SSO) is a technology which combines several different application login screens into one
Requires an Enterprise Plan
Please reach out to your account manager or Support for assistance with setting this up.
We also recommend having a product owner of SSO from your team to bring to our Support/Sales calls.
What is Single Sign-On (SSO)?
- With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.
- Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified. An authentication token is a piece of digital information stored either in the user's browser or within the SSO service's servers, like a temporary ID card issued to the user. Any app the user accesses will check with the SSO service. The SSO service passes the user's authentication token to the app and the user is allowed in. If, however, the user has not yet signed in, they will be prompted to do so through the SSO service.
Available SSO identity providers (IdP)
ADP | Duo | OneLogin |
Auth0 | Google Workspace | Oracle |
Azure AD | JumpCloud | PingFederate |
CAS | KeyCloak | PingOne |
ClassLink | LastPass | Rippling |
CloudFlare | Microsoft ADFS | Salesforce |
Custom OpenID Connect | miniOrange | Shibboleth |
Custom SAML | NetIQ | Shibboleth Unsolicited |
Cyber Ark | Okta | SimpleSAML php |
VMWare |
If you are using an IdP that isn't listed here, please reach out to Support to request it.
Setup
If you have any questions during setup, feel free to reach out to Support to guide you through these steps.
Step 1. Obtain setup link
Support will provide the setup link and will guide you through the process.
Step 2. Identity Provider
Please let Support know what identity provider you are using.
Step 3. Follow IdP-specific guide
Each identity provider has a slightly different process. Use the table above to find a guide.
Step 4. Test your connection
Now you have connected your IdP, you’ll proceed to sign-on with your SSO IdP.
Step 5. Onboard Existing Users into OneSignal using SSO
If you are an existing user, you should now be able to click onto Continue with Single Sign-On
You will additionally also be able to continue signing on with your username and password, until you want to enforce SSO logins across the organization.
We provide this a dual login function of SSO login and username and password whilst you are testing SSO, as it ensures message sending is not disrupted whilst onboarding with SSO.
Please provide Support the emails you want to test out SSO with so we can enable them for testing.
Step 6. Enforcing SSO
Once you are ready to move out of testing, or if you want to switch the to SSO immediately, contact us at Support to begin enforcing SSO on this organization.
Adding Users into SSO Org
Using our Org Admin Invite Flow
An Org Admin can invite users as specified in our guide for managing team members here
What Happens if you invite someone not within your SSO org domain?
The email domain has to be added under the SSO org, to invite a user into that org. An error occurs if a user invites someone who is not under that org.
Signing in with SSO
All new SSO users will be invited into the application from the team members page below. Click on the button Invite to Organization
. You'll be able to set the role of the user as you invite them into the App, or Org.
Your invited user will receive an email to accept the invitation.
Once they receive an invitation, they can log in by clicking "Accept invitation".
FAQ
Who Can Use SSO?
SSO is for enterprise customers only. Here is our pricing page for more details. Contact Support to get set up with SSO.
Is there any restriction to the number of seats an SSO I can have?
We will not be restricting the number of seats under an SSO org.
How can I test SSO for myself?
We’ll walk you through and help you get set up with SSO. You’ll be provided with a magic link, to enter your SSO credentials for your organization. Once set up, only your username will be assigned to login with SSO. You can then continue onboarding all of your org users into OneSignal using SSO. Once all of your users are using SSO, let us know at [email protected] and we’ll ensure SSO is enforced for all users going forward.
We allow you to onboard your users slowly, as needed, to ensure your messaging is not disrupted.
Why do we use domains? How many domains can an org have?
Website domains are also used for email addresses, aka. onesignal.com maps to [email protected] . This means as you set up an org for SSO you add website domains that represent those underlying emails.
An organization can have multiple domains as part of SSO login.
ANY domain added will open up all emails of that domain. Adding a @gmail.com email address will add ALL gmail emails.
How do I de-provision and provision users?
A user can be de-provisioned and provisioned from within the OneSignal dashboard. At this time we do not support de-provisioning and provisioning users from within the IdP.
I want to use SSO, but I don't know who is my Admin for my Organization. What do I do?
Please contact Support for us to provide you information to contact your admin with.
What email domains are used within my Organization for OneSignal?
Please get your Organizational Admin to contact Support for us to provide you with a list of email domains your organization uses.
What happens if my IdP goes down?
If the IdP goes down, OneSignal users will not be able to log in. However, if they have an existing session, they won't need to log in.
I want to use SSO but I don't have an IdP now.
Unfortunately, SSO is not a suitable solution for you if you do not have an IdP. It’s best to work within your internal team or with a consultancy to help you set this up.
Is a mixed mode (SSO and regular username/password login) supported simultaneously? Can users either log in via SSO or the local username/password?
We don’t have a mixed mode but it is something we can consider. Usually SSO is the primary login. One way to do a mixed mode is to separate your SSO apps into one org, then other non-SSO apps into another org. However, an org is used for billing purposes
Could we connect more than one IdP tenant to an organization?
You're allowed one IdP tenant per organization. Please reach out to Support for any further questions or feedback.
Updated 18 days ago