Getting started with Odin
Set up Single Sign-On (SSO)
15 min
Overview

This guide explains how to configure SAML 2.0 Single Sign-On (SSO) for Odin. SSO allows your users to authenticate through your organization’s Identity Provider (IdP), improving security and simplifying login management.

🔒 Important: Your IdP must be configured to sign SAML assertions, and you will need to upload your IdP’s X.509 certificate so we can validate them.

Who can configure SSO

SSO setup can be performed by users with one of the following roles:

- Admin – has full administrative access.
- IT Admin – a special role created for IT teams or consultants who need to configure SSO but do not require full access.

About IT Admin

- Purpose: IT Admins are meant solely for SSO configuration.
- Access: They can only access the SSO setup page within Odin.
- Billing: IT Admins do not count toward your organization’s seat count.
- Limitations: IT Admins cannot:
  - access any other parts of the application
  - view, create, or modify other user accounts
  - use the product beyond SSO configuration

💡 Tip: If your IT department or a third-party consultant is setting up SSO, assign them the IT Admin role to avoid consuming paid seats.

Prerequisites

Before starting, ensure you have:

- An Admin or IT Admin account in Odin.
- Administrator access to your IdP (e.g., Okta, Azure AD, Google Workspace, Ping, OneLogin).
- One of the following:
  - IdP metadata XML file (recommended)
  - or, for manual entry:
    - SSO URL (Single Sign-On URL / Login URL)
    - Entity ID / Issuer
- X.509 signing certificate (required):
  - Must be explicitly uploaded.
  - Supported formats: PEM, CRT, or Base64-encoded X.509.
  - Must match the certificate your IdP uses to sign SAML assertions.
  - If multiple signing certificates are available (for rollover), choose the one currently in use.

🔒 Important: Even if your metadata XML contains a certificate, you must explicitly upload the certificate you want Odin to trust. This ensures that you intentionally select the correct key for signature validation.

Configure SSO

Step 1: Enable SSO

1. Log in to Odin as an Admin or IT Admin.
2. Navigate to Account Settings > Organization Settings.
3. Toggle Enable SSO for all members (this will require all users except Admins and IT Admins to sign in with SSO).
4. Review the confirmation modal carefully:
   - Password-based login will be disabled for standard users.
   - Admins and IT Admins will always be able to log in using both password and SSO — you cannot lock yourself out.
   - Make sure you have IdP credentials and a test user account ready.
5. Click Enable SSO to proceed to configuration.

⚠️ Trouble accessing this page? If you don’t have access or see an error enabling SSO, contact support@getfocus.eu.

Step 2: Review “Our Config”

You’ll now see the Our Config section of the SSO configuration wizard. This page shows the Service Provider (SP) information. You can configure your IdP using either of these approaches:

- Option 1 (recommended): Use the SP metadata XML. Copy the XML provided and paste it into your IdP’s SAML configuration. Most IdPs can import this XML to automatically configure the ACS URL, Entity ID, and NameID format.
- Option 2: Manually copy each field:
  - SSO URL (ACS URL) – paste this into your IdP’s Assertion Consumer Service URL field.
  - Issuer (SP Entity ID) – paste this into your IdP’s Entity ID or Audience field.

💡 Tip: Keep this page open while setting up your IdP so you can easily copy values.

Once your IdP is configured, click Next to continue.

Step 3: Complete “Your Config”

In the Your Config section, you’ll provide your IdP details back to Odin.

1. Enter IdP metadata or manual values:
   - Option 1 (recommended): Paste your IdP metadata XML into the field.
   - Option 2: Enter your SSO URL and Issuer manually.
2. Upload signing certificate (required):
   - Drag & drop your PEM, CRT or CER file into the certificate area, or click Browse files.
   - Wait until you see the green checkmark confirming the upload.
3. Enable SSO: After a successful test, click Enable SSO to activate SSO for your organization.

🔒 Important: You must explicitly upload the certificate you want to trust, even if it is included in the metadata XML. This ensures you intentionally select the correct signing key.

Step 4: Verify and roll out

1. Log out and log back in using SSO to ensure the flow works end to end.
2. Notify your team of the new login process.

✅ Reminder: Admins and IT Admins can always log in with either password or SSO even after enforcement is turned on; this ensures you cannot accidentally lock yourself out.

Step 5: Certificate maintenance (recommended)

- Only one signing certificate can be active at a time.
- If your IdP rotates keys, update the certificate in the Account Settings > Organization > Change SSO Configuration page before the old one expires.
- Keep at least one Admin or IT Admin credential with password login as a fallback in case of IdP issues.

Support

If you need assistance:

- Email: support@getfocus.eu
- Live chat: available in Odin
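
A pre-upload check for the signing certificate requirement described under Prerequisites and Step 5, as an added example that is not part of Odin or its documentation: it compares the certificate file you plan to upload against the signing certificates listed in your IdP metadata XML and flags the rollover case. All function names, the status strings and the sample metadata are assumptions made for illustration; the sample "certificates" are constructed placeholder bytes.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem):
    """Strip PEM armor if present and decode the base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every certificate the metadata offers for signing."""
    root = ET.fromstring(metadata_xml)  # parse only metadata exported from your own IdP
    found = []
    for desc in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute covers signing and encryption.
        if desc.get("use", "signing") != "signing":
            continue
        for cert in desc.iterfind(".//ds:X509Certificate", NS):
            found.append(fingerprint(pem_to_der(cert.text or "")))
    return found

def check_upload(metadata_xml, upload_pem):
    """Classify the file chosen for upload against the metadata's signing certs."""
    fps = signing_fingerprints(metadata_xml)
    if fingerprint(pem_to_der(upload_pem)) not in fps:
        return "mismatch"
    # Several signing certs means a rollover is staged: confirm which one is in use.
    return "match" if len(fps) == 1 else "match-confirm-active"

# Constructed sample data: placeholder bytes stand in for DER certificates.
def b64(raw): return base64.b64encode(raw).decode()
def kd(use, raw):
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{b64(raw)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")
def sample_pem(raw):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64(raw)

SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.test">'
    % (NS["md"], NS["ds"]) + "<md:IDPSSODescriptor>"
    + kd("signing", b"current") + kd(None, b"next") + kd("encryption", b"enc")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    print(check_upload(SAMPLE_METADATA, sample_pem(b"current")))
```

A "mismatch" result means the file is not one of the certificates your IdP publishes for signing, so assertions signed by the IdP would fail validation after upload.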