Logging into Secureframe with an IdP (SAML/OIDC)

What is SSO?

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

True single sign-on allows the user to log in once and access multiple services without re-entering authentication factors.

Types of SSO

Secureframe supports two types: 

  • IdP-initiated SSO
  • SP-initiated SSO

IdP-initiated SSO

The Identity Provider (IdP) is a trusted, centralized system for managing and storing user credentials and other identifying information. With IdP-initiated SSO, the IdP provides authentication to a variety of dependent applications.

SP-initiated SSO

A Service Provider (SP) is the entity that provides the application or service to the end user. In this case that is Secureframe. With SP-initiated SSO, Secureframe makes the request to an IdP to verify a user who has not already been identified.

Supported IdP vendors

We support all IdPs, including but not limited to those listed below. You can also create a custom SAML or OIDC connection if your IdP and desired protocol are not natively supported.

  • ADP OpenID Connect
  • Auth0
  • Azure AD SAML (For both accessing Secureframe and pulling user and security data)
  • CAS SAML
  • ClassLink
  • Cloudflare
  • CyberArk SAML
  • Duo
  • Google SAML (For both accessing Secureframe and pulling user and security data)
  • JumpCloud SAML
  • Keycloak
  • LastPass
  • Microsoft AD FS SAML
  • miniOrange
  • NetIQ
  • Okta SAML (For both accessing Secureframe and pulling user and security data)
  • OneLogin SAML
  • Oracle SAML
  • PingFederate SAML
  • PingOne SAML
  • Rippling SAML
  • Salesforce
  • Shibboleth Generic SAML
  • Shibboleth Unsolicited SAML
  • SimpleSAMLphp
  • VMware

Configuring SSO

To configure SSO within Secureframe:

  1. In the Secureframe app, navigate to the Company settings page by clicking the profile photo in the top right. Click Company settings.
  2. Click the Authentication Settings tab.
  3. Verify that your desired domain(s) are listed in the row “Step 1 Claim Domain”.
    • By claiming a domain, you have the ability to restrict access for your personnel. This is a company-wide setting found on the Authentication page of Company Settings.
    • In order to claim a domain, open a ticket with Secureframe support and provide the domain (www.yoursite.com); a member of our team will enable it for you.
    • Once the domain appears, you can toggle login restrictions (see below screenshot) to control how users with claimed domain(s) sign into Secureframe.
  4. Scroll down to the row Configure OIDC or SAML connection. Click Configure. You will be redirected to WorkOS.
  5. If a connection already exists, you may reset it here. At the bottom of the page, click Reset Connection, then type the word “Reset” into the entry field. Then click Reset Connection.
  6. When no connection exists, WorkOS will prompt you to select your IdP. Choose one from the list and WorkOS will provide instructions to complete the configuration.
  7. When configuration steps have been completed you will receive confirmation by email.
 
 
[Screenshot: claim.jpg]

Controlling alternate sign-in methods

These switches can be found at the bottom of the Authentication Settings tab to create exceptions and control alternate sign-in methods:

  • Allow magic link for all domain users: Allows authentication links to be sent to users by email. These magic links allow users to log in directly by clicking on them.
  • Allow password for all domain users: Allows users with a matching email domain to continue using emails and passwords to log in to Secureframe. 
  • Allow social login for all domain users: Allows users to continue using social logins like Google and Outlook 365 to log in to Secureframe. 

Regardless of these configurations, admins and super admins can always sign in via any method in case your IdP or social login providers have service interruptions.
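The switches and the admin exception above determine which accounts can still sign in without going through the IdP. The following script is an added example, not Secureframe's code or API: it audits a constructed user list for accounts that keep a non-SSO sign-in path. The role names, field names, sample accounts and the treatment of unclaimed domains are assumptions.

```python
# Added example: models the sign-in rules described in this article.
# Field names, role names and sample accounts are constructed assumptions.
ALTERNATE_METHODS = ("magic_link", "password", "social")
ALWAYS_ALLOWED_ROLES = {"admin", "super_admin"}  # can always use any method


def email_domain(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].strip().lower()


def alternate_methods_for(user, claimed_domains, toggles):
    """Return the non-SSO sign-in methods this account can still use."""
    if user["role"] in ALWAYS_ALLOWED_ROLES:
        return set(ALTERNATE_METHODS)
    # Exact match only: "example.com.partner.test" must not count as claimed.
    if email_domain(user["email"]) not in claimed_domains:
        # Assumption: the switches govern claimed domains only.
        return set(ALTERNATE_METHODS)
    return {m for m in ALTERNATE_METHODS if toggles.get(m, False)}


def audit(users, claimed_domains, toggles):
    """Map each account that is not SSO-only to its alternate methods."""
    claimed = {d.lower() for d in claimed_domains}
    report = {}
    for user in users:
        methods = alternate_methods_for(user, claimed, toggles)
        if methods:
            report[user["email"]] = sorted(methods)
    return report


# Constructed sample data.
USERS = [
    {"email": "dev@example.com", "role": "employee"},
    {"email": "Ops@Example.com", "role": "admin"},
    {"email": "contractor@example.com.partner.test", "role": "employee"},
]
TOGGLES = {"magic_link": False, "password": False, "social": False}

if __name__ == "__main__":
    for email, methods in audit(USERS, ["example.com"], TOGGLES).items():
        print(email, "->", ", ".join(methods))
```

With all three switches off, the accounts that remain in the report are the ones whose passwords, mailboxes and social logins still need the same protection as the IdP itself.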

Restricting SSO and alternate sign-in methods to specific roles

You can control which roles have the ability to set up SSO and control alternate sign-in methods:

  1. In the Secureframe app, navigate to Company Onboarding > Personnel Settings > Roles
  2. Enable Ability to configure SSO authentication and alternate sign-in methods for roles of your choosing. By default, this setting is only enabled for super admins.

FAQ

Does Secureframe support SCIM?

No, we do not currently support SCIM. 

 

How many connections can I have?

Secureframe supports one connection.

 

Can we have multiple domains?

Yes, a company can claim multiple domains.

 

How do I reset a connection? 

See step 4 in the procedure Configuring SSO, above.
