Single sign-on (SSO) allows users to log in to multiple services via one single set of login credentials.
When you use lots of different applications like Flourish, it can be difficult to have to remember unique usernames and passwords for each of them. As well as solving this issue, SSO has other added benefits.
NOTE: Single sign-on (SSO) is only available as a bolt-on to our Enterprise plans. Get in touch with our Sales team for more information.
Single sign-on (SSO) allows users to log in to multiple services via one single set of login credentials.
This means your users will be able to log in via your identity provider and be logged into Flourish with just one click, without having to remember a separate username and password.
There are also added security and administrative benefits of using SSO (see the question below on "why should I use SSO?").
There are a few different reasons why you might want to use SSO, generally related to administrative efficiency and added security:
- Easy management of users
  - Maintain who has access to Flourish more easily and efficiently within your own system where you manage other services
  - Provide and revoke access centrally when employees join and leave your company
- Fewer logins for your users
  - With SSO, your users only need to remember one set of login credentials to access various services you use, including Flourish, avoiding issues with forgetting and resetting passwords frequently
- Be in control of your own security
  - Authentication happens with your identity provider, so if you have extra security requirements beyond what Flourish provides (e.g. your own MFA or support for YubiKeys) you can ensure your users meet these requirements in order to access Flourish as well
  - There are options to include extra security provisions in your Flourish SSO setup, such as restricting user logins from certain IP addresses or only when connecting via your VPN
Flourish can provide SAML SSO, a widely-supported protocol.
We support both IdP-initiated login and SP-initiated login. This means that your users can be logged into Flourish from your identity provider, or via a Log in with SSO button on Flourish, which directs them back to your provider.
There are some configuration options that we can use to customise your SSO, including allowing users to also log in with a normal Flourish username and password, and restricting logins to certain IP addresses or only when connected via your company VPN.
To set up SSO for your company, we need to know a bit about how your identity provider (IdP) is set up.
Typically, we will request a specific file from you that will let us understand how we need to configure SSO for your company. Our engineering team will get this set up, and then we will supply you with details of our SSO configuration.
As an admin of your company, you will then be able to invite new users to your company, and once they've accepted their invitation, you can add their SAML federation IDs on the My company page.
Your users will now be able to log in to Flourish via SSO!
There are several options for managing users' access to Flourish via SSO.
Manually
Company admins can manually set the SAML Federation ID on the Flourish company page for each user authorised to log in using their identity provider's NameID. To remove a user's access, simply clear the associated SAML Federation ID.
JIT provisioning ("Just In Time")
With this option enabled in Flourish, users authenticated by your identity provider will automatically gain access to Flourish if they don't already have an account. This creates a seamless login experience for your team. You can manage user access directly within your identity provider's software, allowing you to restrict access for specific users or suspend access entirely (for example, if you're nearing seat limits).
SCIM provisioning
SCIM provisioning allows flexible user management directly through your identity provider's software. It allows you to view a complete list of users, remove access for specific users, and update their email addresses and display names. Similar to JIT provisioning, SCIM grants immediate Flourish access based on the settings within your identity provider.
We recommend disabling email/password login to Flourish after successful SSO implementation, to get the full security advantages of SSO. Contact our support team to make this change.