Single Sign-On

Single sign-on (SSO) is a technology which combines several different application login screens into one

🚧

Requires an Enterprise Plan

Please reach out to your account manager or Support for assistance with setting this up.

We also recommend having a product owner of SSO from your team to bring to our Support/Sales calls.

What is Single Sign-On (SSO)?

  • With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.
  • Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified. An authentication token is a piece of digital information stored either in the user's browser or within the SSO service's servers, like a temporary ID card issued to the user. Any app the user accesses will check with the SSO service. The SSO service passes the user's authentication token to the app and the user is allowed in. If, however, the user has not yet signed in, they will be prompted to do so through the SSO service.

Available SSO identity providers (IdP)

ADPDuoOneLogin
Auth0Google WorkspaceOracle
Azure ADJumpCloudPingFederate
CASKeyCloakPingOne
ClassLinkLastPassRippling
CloudFlareMicrosoft ADFSSalesforce
Custom OpenID ConnectminiOrangeShibboleth
Custom SAMLNetIQShibboleth Unsolicited
Cyber ArkOktaSimpleSAML php
VMWare

If you are using an IdP that isn't listed here, please reach out to Support to request it.


Setup

👍

If you have any questions during setup, feel free to reach out to Support to guide you through these steps.

Step 1. Obtain setup link

Support will provide the setup link and will guide you through the process.

Step 2. Identity Provider

Please let Support know what identity provider you are using.

Step 3. Follow IdP-specific guide

Each identity provider has a slightly different process. Use the table above to find a guide.

Step 4. Test your connection

Now you have connected your IdP, you’ll proceed to sign-on with your SSO IdP.

Step 5. Onboard Existing Users into OneSignal using SSO

If you are an existing user, you should now be able to click onto Continue with Single Sign-OnYou will additionally also be able to continue signing on with your username and password, until you want to enforce SSO logins across the organization.

We provide this a dual login function of SSO login and username and password whilst you are testing SSO, as it ensures message sending is not disrupted whilst onboarding with SSO.

Please provide Support the emails you want to test out SSO with so we can enable them for testing.

Image showing OneSignal sign on with input boxes

Image showing OneSignal sign on with input boxes

Step 6. Enforcing SSO

Once you are ready to move out of testing, or if you want to switch the to SSO immediately, contact us at Support to begin enforcing SSO on this organization.


Adding Users into SSO Org

Using our Org Admin Invite Flow

An Org Admin can invite users as specified in our guide for managing team members here

What Happens if you invite someone not within your SSO org domain?

The email domain has to be added under the SSO org, to invite a user into that org. An error occurs if a user invites someone who is not under that org.

Image showing how to invite an email to the app

Image showing how to invite an email to the app

Signing in with SSO

All new SSO users will be invited into the application from the team members page below. Click on the button Invite to Organization. You'll be able to set the role of the user as you invite them into the App, or Org.

Image showing Roles page to click button Invite to Organization

Image showing Team Members page to click button Invite to Organization

Image showing blank input box to add an email to invite as an admin within the app

Image showing blank input box to add an email to invite as an admin within the app

Your invited user will receive an email to accept the invitation.

Image showing invitation from OneSignal to join an app or an organization

Image showing invitation from OneSignal to join an app or an organization

Once they receive an invitation, they can log in by clicking "Accept invitation".

Image showing SSO signin page from being invited.

Image showing SSO signin page from being invited.


FAQ

Who Can Use SSO?

SSO is for enterprise customers only. Here is our pricing page for more details. Contact Support to get set up with SSO.

Is there any restriction to the number of seats an SSO I can have?

We will not be restricting the number of seats under an SSO org.

How can I test SSO for myself?

We’ll walk you through and help you get set up with SSO. You’ll be provided with a magic link, to enter your SSO credentials for your organization. Once set up, only your username will be assigned to login with SSO. You can then continue onboarding all of your org users into OneSignal using SSO. Once all of your users are using SSO, let us know at [email protected] and we’ll ensure SSO is enforced for all users going forward.

We allow you to onboard your users slowly, as needed, to ensure your messaging is not disrupted.

Why do we use domains? How many domains can an org have?

Website domains are also used for email addresses, aka. onesignal.com maps to [email protected] . This means as you set up an org for SSO you add website domains that represent those underlying emails.

An organization can have multiple domains as part of SSO login.

🚧

ANY domain added will open up all emails of that domain. Adding a @gmail.com email address will add ALL gmail emails.

How do I de-provision and provision users?

A user can be de-provisioned and provisioned from within the OneSignal dashboard. At this time we do not support de-provisioning and provisioning users from within the IdP.

I want to use SSO, but I don't know who is my Admin for my Organization. What do I do?

Please contact Support for us to provide you information to contact your admin with.

What email domains are used within my Organization for OneSignal?

Please get your Organizational Admin to contact Support for us to provide you with a list of email domains your organization uses.

What happens if my IdP goes down?

If the IdP goes down, OneSignal users will not be able to log in. However, if they have an existing session, they won't need to log in.

I want to use SSO but I don't have an IdP now.

Unfortunately, SSO is not a suitable solution for you if you do not have an IdP. It’s best to work within your internal team or with a consultancy to help you set this up.

Is a mixed mode (SSO and regular username/password login) supported simultaneously? Can users either log in via SSO or the local username/password?

We don’t have a mixed mode but it is something we can consider. Usually SSO is the primary login. One way to do a mixed mode is to separate your SSO apps into one org, then other non-SSO apps into another org. However, an org is used for billing purposes

Could we connect more than one IdP tenant to an organization?

You're allowed one IdP tenant per organization. Please reach out to Support for any further questions or feedback.