Configure SSO authentication for your OneSignal dashboard and team.
Please reach out to your account manager or support@onesignal.com
for assistance with setting this up.
We also recommend having a product owner of SSO from your team to bring to our Support/Sales calls.
ADP | Duo | OneLogin |
Auth0 | Google Workspace | Oracle |
Azure AD | JumpCloud | PingFederate |
CAS | KeyCloak | PingOne |
ClassLink | LastPass | Rippling |
CloudFlare | Microsoft ADFS | Salesforce |
Custom OpenID Connect | miniOrange | Shibboleth |
Custom SAML | NetIQ | Shibboleth Unsolicited |
Cyber Ark | Okta | SimpleSAML php |
VMWare |
If you are using an IdP that isn’t listed here, please reach out to support@onesignal.com
to request it.
support@onesignal.com
will provide the setup link and will guide you through the process.
Please let support@onesignal.com
know what identity provider you are using.
Each identity provider has a slightly different process. Use the table above to find a guide.
Now you have connected your IdP, you’ll proceed to sign-on with your SSO IdP.
If you are an existing user, you should now be able to click onto Continue with Single Sign-On
You will additionally also be able to continue signing on with your username and password, until you want to enforce SSO logins across the organization.
We provide this a dual login function of SSO login and username and password whilst you are testing SSO, as it ensures message sending is not disrupted whilst onboarding with SSO.
Please provide support@onesignal.com
the emails you want to test out SSO with so we can enable them for testing.
OneSignal sign-in interface with SSO option
Once you are ready to move out of testing, or if you want to switch the to SSO immediately, contact us at support@onesignal.com
to begin enforcing SSO on this organization.
An Org Admin can invite users as specified in our guide for managing team members here
The email domain has to be added under the SSO org, to invite a user into that org. An error occurs if a user invites someone who is not under that org.
Email invitation interface for adding users
All new SSO users will be invited into the application from the team members page below. Click on the button Invite to Organization
. You’ll be able to set the role of the user as you invite them into the App, or Org.
Team Members page with Invite to Organization button
Email input form for adding team members
Your invited user will receive an email to accept the invitation.
OneSignal invitation email example
Once they receive an invitation, they can log in by clicking “Accept invitation”.
SSO login page after invitation acceptance
SSO is for enterprise customers only. Here is our pricing page for more details. Contact support@onesignal.com
to get set up with SSO.
We will not be restricting the number of seats under an SSO org.
We’ll walk you through and help you get set up with SSO. You’ll be provided with a magic link, to enter your SSO credentials for your organization. Once set up, only your username will be assigned to login with SSO. You can then continue onboarding all of your org users into OneSignal using SSO. Once all of your users are using SSO, let us know at support@onesignal.com
and we’ll ensure SSO is enforced for all users going forward.
We allow you to onboard your users slowly, as needed, to ensure your messaging is not disrupted.
Website domains are also used for email addresses, aka. onesignal.com maps to x@onesignal.com
. This means as you set up an org for SSO you add website domains that represent those underlying emails.
A user can be de-provisioned and provisioned from within the OneSignal dashboard. At this time we do not support de-provisioning and provisioning users from within the IdP.
Please contact support@onesignal.com
for us to provide you information to contact your admin with.
Please get your Organizational Admin to contact support@onesignal.com
for us to provide you with a list of email domains your organization uses.
If the IdP goes down, OneSignal users will not be able to log in. However, if they have an existing session, they won’t need to log in.
Unfortunately, SSO is not a suitable solution for you if you do not have an IdP. It’s best to work within your internal team or with a consultancy to help you set this up.
We don’t have a mixed mode but it is something we can consider. Usually SSO is the primary login. One way to do a mixed mode is to separate your SSO apps into one org, then other non-SSO apps into another org. However, an org is used for billing purposes
You’re allowed one IdP tenant per organization. Please reach out to support@onesignal.com
for any further questions or feedback.