Getting started with Odin
Set up Single Sign-On (SSO)
Overview

This guide explains how to configure SAML 2.0 Single Sign-On (SSO) for Odin. SSO allows your users to authenticate through your organization's identity provider (IdP), improving security and simplifying login management.

🔒 Important: Your IdP must be configured to sign SAML assertions, and you will need to upload your IdP's X.509 certificate so we can validate those signatures.

Who can configure SSO

SSO setup can be performed by users with one of the following roles:

- Admin: has full administrative access.
- IT Admin: a special role created for IT teams or consultants who need to configure SSO but do not require full access.

About IT Admin

- Purpose: IT Admins are meant solely for SSO configuration.
- Access: they can only access the SSO setup page within Odin.
- Billing: IT Admins do not count toward your organization's seat count.
- Limitations: IT Admins cannot access any other part of the application; view, create, or modify other user accounts; or use the product beyond SSO configuration.

💡 Tip: If your IT department or a third-party consultant is setting up SSO, assign them the IT Admin role to avoid consuming paid seats.

Prerequisites

Before starting, ensure you have:

- An Admin or IT Admin account in Odin.
- Administrator access to your IdP (e.g., Okta, Azure AD, Google Workspace, Ping, OneLogin).
- One of the following:
  - IdP metadata XML file (recommended), or
  - for manual entry: the SSO URL (Single Sign-On URL / login URL) and the Entity ID / Issuer.
- X.509 signing certificate (required). Your IdP must provide one valid certificate. It can be either included in the IdP metadata XML (recommended) or uploaded separately as a .pem, .crt, or .cer file. If uploading separately, the file must include the standard PEM header and footer:

-----BEGIN CERTIFICATE-----
[certificate content]
-----END CERTIFICATE-----

Some IdPs (e.g., Keycloak, PingFederate) export certificates without these lines, in which case you'll need to add them manually. The certificate must match the one your IdP uses to sign SAML assertions. If multiple signing certificates are available (for rollover), choose the one currently in use.

Configure SSO

Step 1: Enable SSO

1. Log in to Odin as an Admin or IT Admin.
2. Navigate to Account Settings > Organization Settings.
3. Toggle Enable SSO for all members (this will require all users except Admins and IT Admins to sign in with SSO).
4. Review the confirmation modal carefully:
   - Password-based login will be disabled for standard users.
   - Admins and IT Admins will always be able to log in using both password and SSO; you cannot lock yourself out.
   - Make sure you have IdP credentials and a test user account ready.
5. Click Enable SSO to proceed to configuration.

⚠️ Trouble accessing this page? If you don't have access or see an error when enabling SSO, contact support@getfocus.eu.

Step 2: Review "Our config"

You'll now see the Our config section of the SSO configuration wizard. This page shows the Service Provider (SP) information. You can configure your IdP using either of these approaches:

- Option 1 (recommended): use the SP metadata XML. Copy the XML provided and paste it into your IdP's SAML configuration. Most IdPs can import this XML to automatically configure the ACS URL, Entity ID, and NameID format.
- Option 2: manually copy each field.
  - SSO URL (ACS URL): paste this into your IdP's Assertion Consumer Service URL field.
  - Issuer (SP Entity ID): paste this into your IdP's Entity ID or Audience field.

💡 Tip: Keep this page open while setting up your IdP so you can easily copy values.

Once your IdP is configured, click Next to continue.

Step 3: Complete "Your config"

In the Your config section, you'll provide your IdP details back to Odin.

Enter IdP metadata or manual values:

- Option 1 (recommended): paste your IdP metadata XML into the field.
- Option 2: enter your SSO URL and Issuer manually.

Upload the signing certificate. The system requires one valid X.509 certificate, which can come from either of two places: the IdP metadata XML, if it already includes the certificate, or a separate .pem, .crt, or .cer file. If uploading separately, make sure the file includes the PEM header and footer:

-----BEGIN CERTIFICATE-----
[certificate content]
-----END CERTIFICATE-----

Without these wrappers, the upload will fail.

🔒 Important: You must explicitly upload the certificate you want to trust, even if it is included in the metadata XML. This ensures you intentionally select the correct signing key.

Step 4: Test and enable SSO

After you've filled in the details, you need to test the SSO configuration before it can be enabled. Click the Test SSO button at the bottom of the page; this redirects you to your IdP and initiates a mock sign-in attempt. If the sign-in attempt succeeds, you can enable SSO by clicking the Enable SSO button. If the test fails or is abandoned, the Enable SSO button remains disabled and you will need to refresh the "Your config" page to test again.

✅ Reminder: Admins and IT Admins can always log in with either password or SSO, even after enforcement is turned on; this ensures you cannot accidentally lock yourself out.

Step 5: Certificate maintenance (recommended)

- Only one signing certificate can be active at a time. If your IdP rotates keys, update the certificate on the Account Settings > Organization > Change SSO configuration page before the old one expires.
- Keep at least one Admin or IT Admin credential with password login as a fallback in case of IdP issues.

User provisioning and supported SSO claims

Supported identity features

Odin does not support Just-in-Time (JIT) provisioning or SCIM-based user synchronization. All users must be manually registered and invited through the web application before they can access the platform (see Inviting team members to your organization and User sign-up and account management). If SSO is enabled for your organization, invited users may use it to sign up and sign in, as long as the email address used for SSO matches the one associated with their registered Odin account.

SSO assertions and claims

Odin does not process or rely on any additional claims or assertions beyond those required for authentication. Specifically:

- The SAML assertion's NameID element (namespace urn:oasis:names:tc:SAML:2.0:assertion) must contain the user's email address.
- That email address must exactly match the email registered in Odin.
- No other SAML attributes or OIDC claims are consumed, although they are stored.

This ensures that user identity is verified solely on the basis of existing account records in Odin.

Support

If you need assistance:

- Email support@getfocus.eu
- Live chat, available in Odin
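The certificate requirements in the Prerequisites, Step 3 and Step 5 sections above (PEM header and footer present, certificate equal to the key the IdP actually signs with, correct key chosen during rollover) can be checked before you upload anything. The following is an added example written for this page; it is not Odin's code or any IdP's export tool. It wraps a bare base64 export (the Keycloak/PingFederate case) in the PEM header and footer, then compares the result against the signing keys advertised in the IdP metadata. The metadata document, the entity IDs and the three certificate bodies are constructed: they are valid base64 placeholders standing in for real DER-encoded certificates, which is all the comparison logic needs.

```python
"""Pre-flight check for the IdP signing certificate before uploading it.

Added example, not Odin's own code. Standard library only.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def to_pem(cert_text: str) -> str:
    """Return the certificate as PEM with the header and footer Odin requires.
    Accepts a bare base64 body (wrapped or not) or an existing PEM block; the
    base64 is re-wrapped at 64 columns so the output is canonical."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    b64 = re.sub(r"\s+", "", body)
    if not b64:
        raise ValueError("no certificate data found")
    try:
        base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate body is not valid base64") from exc
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprint(cert_text: str) -> str:
    """SHA-256 over the decoded (DER) bytes, so two exports of the same key
    compare equal regardless of line wrapping or missing PEM headers."""
    stripped = re.sub(r"-----.*?-----", "", cert_text)
    return hashlib.sha256(base64.b64decode(re.sub(r"\s+", "", stripped))).hexdigest()

def signing_certs_from_metadata(metadata_xml: str) -> list[str]:
    """Base64 bodies of every IdP KeyDescriptor usable for signing. A
    KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, so it is kept; use="encryption" keys are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(re.sub(r"\s+", "", cert.text or ""))
    return certs

def check_upload(uploaded: str, metadata_xml: str) -> tuple[bool, str]:
    """True only if the uploaded file is one of the IdP's advertised signing
    keys; an encryption-only key or a stale rollover key is rejected."""
    try:
        pem = to_pem(uploaded)
    except ValueError as exc:
        return False, str(exc)
    candidates = signing_certs_from_metadata(metadata_xml)
    if not candidates:
        return False, "metadata advertises no signing certificate"
    fp = fingerprint(pem)
    if fp in {fingerprint(c) for c in candidates}:
        return True, f"matches IdP signing key sha256:{fp[:16]}..."
    return False, "uploaded certificate is not one of the IdP's signing keys"

# Constructed placeholders: valid base64, not real certificates.
CURRENT_KEY = base64.b64encode(b"constructed placeholder: current IdP signing key").decode()
ENC_KEY = base64.b64encode(b"constructed placeholder: encryption-only key").decode()

# Constructed IdP metadata (hypothetical entity ID and URLs).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CURRENT_KEY}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_KEY}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # A Keycloak-style export: bare base64, no PEM header. Wrap it, then verify.
    print(to_pem(CURRENT_KEY))
    print(check_upload(CURRENT_KEY, IDP_METADATA))   # matches the signing key
    print(check_upload(ENC_KEY, IDP_METADATA))       # rejected: encryption-only key
```

If the metadata lists several use="signing" keys for rollover, this check accepts any of them; which one is current is only visible in the IdP's own key management view, so confirm there before uploading, as Step 5 advises.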
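The SSO assertions and claims section above reduces to three checks on the assertion your IdP sends: the assertion itself is signed, its Subject NameID is the user's email address, and that address exactly matches an account that was already invited into Odin. The following is an added example for this page, not Odin's server-side code; it runs those checks against a SAML Response so an IdP administrator can see why a test login would be refused before clicking Test SSO. The Response, the issuer URL and the registered-account list are constructed; the Signature element is a placeholder because only its presence is checked here (Odin validates the actual signature with the uploaded certificate).

```python
"""Pre-flight check of a SAML assertion against the rules described above.

Added example, not Odin's own code. Standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for accounts already created by invitation.
REGISTERED_ACCOUNTS = {"alice@example.com", "bob@example.com"}

def check_assertion(response_xml: str, registered: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Nothing outside Subject/NameID is consulted:
    attribute statements are deliberately ignored, mirroring the page's note
    that no other SAML attributes are consumed."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "Response carries no Assertion"
    # A signature on the Response alone does not satisfy "sign SAML assertions".
    if assertion.find("ds:Signature", NS) is None:
        return False, "Assertion is not signed; the IdP must sign assertions"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        return False, "Subject has no NameID"
    # The NameID Format attribute is reported but not enforced: the page only
    # requires the value to be the email address.
    if "@" not in value:
        return False, f"NameID {value!r} is not an email address (IdP is sending a username or UPN?)"
    if value in registered:
        return True, f"NameID {value} matches a registered account"
    if value.lower() in {a.lower() for a in registered}:
        return False, f"NameID {value} differs from the registered address only by case; the match is exact"
    return False, f"no registered account for {value}; invite the user first (no JIT provisioning)"

def make_response(name_id: str, signed: bool = True) -> str:
    """Build a constructed SAML Response (hypothetical issuer, placeholder signature)."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    {sig}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for nid, signed in [("alice@example.com", True), ("Alice@Example.com", True),
                        ("carol@example.com", True), ("CORP\\alice", True),
                        ("alice@example.com", False)]:
        print(nid, signed, check_assertion(make_response(nid, signed), REGISTERED_ACCOUNTS))
```

The two failure cases worth remembering from the run are the case-only mismatch (many IdPs emit the address exactly as it is stored in the directory, so a user registered in Odin with a lowercase address can be refused) and the unsigned assertion, which passes every identity check but still cannot be accepted.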

