Single sign-on (SAML SSO)
Integrating Userflow with your identity provider (such as Okta or OneLogin) makes signing in simple and secure for your team.
Important: SAML SSO is only available in Userflow’s Enterprise plan ( see plans ).
Once SSO is enabled, Userflow’s sign-in form will automatically detect your domain, and let your users to sign in via your identity provider.
Step 1: Obtain your Customer ID from Userflow
Send an email to email@example.com with the following information:
- That you wish to enable SAML SSO for your Userflow team
- Your company name
- Domain(s) your users sign in with
We’ll get back to you (typically within 24 hours) with your Customer ID , which you need to complete the following steps.
Step 2: Configure your identity provider
For easy setup with Okta, see How to Configure SAML 2.0 for Userflow in Okta .
Generic SAML identity provider
Make sure to replace
CUSTOMER_ID with the value Userflow provided.
Single sign on URL / SAML ACS URL:
- Audience URI / SP Entity ID: userflow
- Name ID format: EmailAddress
- Application username: Email
- Signed Assertions: Yes
- Encryption : Preferred. Use AES256-CBC with this certificate
Single Logout URL:
- SP Issuer: userflow
- Signature Certificate: Use this certificate
firstName: User’s first name
lastName: User’s last name
Step 3: Send Identity Provider metadata XML file to Userflow
Download your identify provider’s Identity Provider metadata XML file and send it to firstname.lastname@example.org .
We’ll finish the setup for you, and let you know once SSO is enabled for your domain(s).
Working with SSO
Existing users with passwords
Users that were registered in Userflow before you enabled SSO, can sign in either via SSO or using their old password.
Adding members to your Userflow team
You can invite new members to your Userflow team under Settings -> Team. They’ll receive an invite link. The invite page automatically detects that SSO is available. Once they sign in via SSO, they’ll have access to your team.
You can also add team members outside of your Identity Provider organization. These users can create regular Userflow user accounts using password sign-in.
Just-in-time (JIT) user provisioning
When a new user, which Userflow hasn’t seen before, signs in via SSO, Userflow automatically creates an account for them.
The new user will NOT get access to your Userflow team though. They still need an explicit invite.
When users are deactivated/removed in your Identity Provider, they are not automatically removed from your Userflow team.
However, since users not using password must sign in via SSO, once you remove their authorization in your Identity Provider they will no longer be able to access your Userflow team (once their current session, if any, expires).
To be sure, you can always remove team members in Userflow under Settings -> Team.
Userflow’s SAML certificate
If you configure your Identity Provider manually, you’ll need this certificate to enable encryption and Single Logout.
You can either download the certificate or copy it from here:
-----BEGIN CERTIFICATE----- MIIDXTCCAkWgAwIBAgIIJbK0e8rHV2MwDQYJKoZIhvcNAQELBQAwNDEaMBgGA1UE CgwRUGhvZW5peCBGcmFtZXdvcmsxFjAUBgNVBAMMDVVzZXJmbG93IFNBTUwwHhcN MjAwNzIyMDAwMDAwWhcNMjEwNzIyMDAwMDAwWjA0MRowGAYDVQQKDBFQaG9lbml4 IEZyYW1ld29yazEWMBQGA1UEAwwNVXNlcmZsb3cgU0FNTDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAN/jWPHERMRIkUXfmexMTVIOniTPxBnQzwmOIFDN z7115jynGoAFOMEAet4hUuKrcJ0dzjXXGA7qitlMu9kVqWShWTAVLiN9ATmRTmbv 65w6rrarcQ2/gIkplo389PCdUTDyZOw9Vv2zWfMjD48EAEmclc1NU8649E1PKK3N TCP7xjQKpgr5wTzGNP4SjQO2gHMuZZTmeSrKvX8xBSIbO8OvJsl8PZdCpF7yZuoL 4lN9Hjxvfu9Mg6MiuPFg9tZFTlyMCJLQSDIYcr1JTOO4Vc4o98+JzxWFKEGuaYK/ UWpHQj5sR1/XFIsMxuyTLAbk9+ct6NbKMxjuFw2QKsQYt88CAwEAAaNzMHEwDAYD VR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG CCsGAQUFBwMCMB0GA1UdDgQWBBR7spJceWpV+ONY9ZkBcczRuXt2aTATBgNVHREE DDAKggh1c2VyZmxvdzANBgkqhkiG9w0BAQsFAAOCAQEAEQ9qy/wHXV+vC3+Gi1Ha FIvujyPEmVKfXjM+djIaLYC0mP5+ZKWUtVxNyHtY1p2WkDmGEnckG97qTSzj3PGz 4kqr5uK9vCI+X7xDvN/Z9oi559nsqfzbbNKcxw7LkdLV92EhNwuaKARgpWokQF0p s+eUFt8Qr+rU0pHPTcgANEhELbgd3mG2Irp+m8MriZIQhfjeks6Y+NsSkHbdNjyY dJo+z4oUXkH0maPnqsk9W5bByvYcgtERDSMUCEjX/BbmIOvx9yx22m5EAS1uknVt 0LVnbwnPOing7uj566z2FnXv5Pn1shkXQKNuay1yvoTO4Wgll/D7Ro0Ax9D1U5YL hw== -----END CERTIFICATE-----