​

What is Single Sign-On (SSO)?

• With SSO, a user only has to enter their login credentials (username, password, etc.) one time on a single page to access all of their SaaS applications.
• Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified. An authentication token is a piece of digital information stored either in the user’s browser or within the SSO service’s servers, like a temporary ID card issued to the user. Any app the user accesses will check with the SSO service. The SSO service passes the user’s authentication token to the app and the user is allowed in. If, however, the user has not yet signed in, they will be prompted to do so through the SSO service.

​

Available SSO identity providers (IdP)

ADP	Duo	OneLogin
Auth0	Google Workspace	Oracle
Azure AD	JumpCloud	PingFederate
CAS	KeyCloak	PingOne
ClassLink	LastPass	Rippling
CloudFlare	Microsoft ADFS	Salesforce
Custom OpenID Connect	miniOrange	Shibboleth
Custom SAML	NetIQ	Shibboleth Unsolicited
Cyber Ark	Okta	SimpleSAML php
		VMWare

If you are using an IdP that isn’t listed here, please reach out to support@onesignal.com to request it.

---

​

Setup

​

Step 1. Obtain setup link

support@onesignal.com will provide the setup link and will guide you through the process.

​

Step 2. Identity Provider

Please let support@onesignal.com know what identity provider you are using.

​

Step 3. Follow IdP-specific guide

Each identity provider has a slightly different process. Use the table above to find a guide.

​

Step 4. Test your connection

Now you have connected your IdP, you’ll proceed to sign-on with your SSO IdP.

​

Step 5. Onboard Existing Users into OneSignal using SSO

If you are an existing user, you should now be able to click onto Continue with Single Sign-OnYou will additionally also be able to continue signing on with your username and password, until you want to enforce SSO logins across the organization.

We provide this a dual login function of SSO login and username and password whilst you are testing SSO, as it ensures message sending is not disrupted whilst onboarding with SSO.

Please provide support@onesignal.com the emails you want to test out SSO with so we can enable them for testing.

​

Step 6. Enforcing SSO

Once you are ready to move out of testing, or if you want to switch the to SSO immediately, contact us at support@onesignal.com to begin enforcing SSO on this organization.

---

​

Adding Users into SSO Org

​

Using our Org Admin Invite Flow

An Org Admin can invite users as specified in our guide for managing team members here

​

What Happens if you invite someone not within your SSO org domain?

The email domain has to be added under the SSO org, to invite a user into that org. An error occurs if a user invites someone who is not under that org.

​

Signing in with SSO

All new SSO users will be invited into the application from the team members page below. Click on the button Invite to Organization. You’ll be able to set the role of the user as you invite them into the App, or Org.

Your invited user will receive an email to accept the invitation.

Once they receive an invitation, they can log in by clicking “Accept invitation”.

---

​

FAQ

​

Who Can Use SSO?

SSO is for enterprise customers only. Here is our pricing page for more details. Contact support@onesignal.com to get set up with SSO.

​

Is there any restriction to the number of seats an SSO I can have?

We will not be restricting the number of seats under an SSO org.

​

How can I test SSO for myself?

We’ll walk you through and help you get set up with SSO. You’ll be provided with a magic link, to enter your SSO credentials for your organization. Once set up, only your username will be assigned to login with SSO. You can then continue onboarding all of your org users into OneSignal using SSO. Once all of your users are using SSO, let us know at support@onesignal.com and we’ll ensure SSO is enforced for all users going forward.

We allow you to onboard your users slowly, as needed, to ensure your messaging is not disrupted.

​

Why do we use domains? How many domains can an org have?

Website domains are also used for email addresses, aka. onesignal.com maps to x@onesignal.com . This means as you set up an org for SSO you add website domains that represent those underlying emails.

​

How do I de-provision and provision users?

A user can be de-provisioned and provisioned from within the OneSignal dashboard. At this time we do not support de-provisioning and provisioning users from within the IdP.

​

I want to use SSO, but I don’t know who is my Admin for my Organization. What do I do?

Please contact support@onesignal.com for us to provide you information to contact your admin with.

​

What email domains are used within my Organization for OneSignal?

Please get your Organizational Admin to contact support@onesignal.com for us to provide you with a list of email domains your organization uses.

​

What happens if my IdP goes down?

If the IdP goes down, OneSignal users will not be able to log in. However, if they have an existing session, they won’t need to log in.

​

I want to use SSO but I don’t have an IdP now.

Unfortunately, SSO is not a suitable solution for you if you do not have an IdP. It’s best to work within your internal team or with a consultancy to help you set this up.

​

Is a mixed mode (SSO and regular username/password login) supported simultaneously? Can users either log in via SSO or the local username/password?

We don’t have a mixed mode but it is something we can consider. Usually SSO is the primary login. One way to do a mixed mode is to separate your SSO apps into one org, then other non-SSO apps into another org. However, an org is used for billing purposes

​

Could we connect more than one IdP tenant to an organization?

You’re allowed one IdP tenant per organization. Please reach out to support@onesignal.com for any further questions or feedback.

---