Single Sign-On (SSO) support

Mike Salyga

Ziflow supports Security Assertion Markup Language (SAML) 2.0 to enable Single Sign-On (SSO), allowing users to authenticate with your organization’s existing identity provider (IdP), such as Azure AD or Okta.


Available on: Enterprise

You must be an administrator to configure SSO.

Overview

When SSO is enabled for your Ziflow account, all users must authenticate through your configured IdP. There is no option to selectively disable SSO for certain users or external collaborators.

  • External clients must have credentials in your IdP or be managed via separate “Satellite accounts.”
  • Enabling SSO disables password logins inside Ziflow; users will not have or need separate Ziflow passwords.
  • Users accessing Ziflow via the default login page will be redirected to your organization’s SSO login page automatically.

Configure SSO in Ziflow

  1. Log into Ziflow as an administrator. Select your user avatar and choose Settings > Security > Single Sign-On.


    Ziflow supports multiple SSO methods, allowing users to log in with their organization's authentication system.

  2. Choose your SSO type.
    SAML 2.0: Integrate with standard IdPs such as Okta, Azure AD, G Suite, OneLogin.
    Custom Social Connection: Configure SSO via custom OAuth2/OpenID providers.

  3. Enter your configuration information:

    Sign in URL: the URL Ziflow redirects to for authentication with your identity provider (IdP).
    X509 Signing Certificate: the public key certificate from your IdP (in PEM or CER format) used to validate SAML responses.
    Sign out URL: the URL where users are redirected after logging out.
    Binding protocol: the supported HTTP binding (usually HTTP-Redirect or HTTP-POST). Must match your IdP settings.
    Email mapping: the attribute name for the user’s email in your IdP. By default Ziflow uses the claim URI for the emailaddress attribute. You can specify a custom domain mapping option to provide your own attribute mapping.
    Enable/disable: toggles SSO authentication on or off for the entire Ziflow account (all users affected).
  4. Once you've entered your IdP details, Ziflow provides the following:

    Callback URL: also known as the ACS (Assertion Consumer Service) URL. This is where your IdP sends the SAML response.
    Settings: the Audience (Entity ID), if your IdP requires this for certificate generation.
    Backdoor SSO URL: a special login URL that bypasses SSO, usable only by administrators if SSO becomes unavailable or misconfigured. Use carefully and restrict access.

When you enable SSO, users accessing Ziflow via the default login page will be redirected to your organization’s SSO login. Logging in through your account's Ziflow sub-domain/domain is recommended.

An SSO login button appears on the login screen for all users when you enable SSO.
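As an added illustration (not Ziflow's own code) of what the Callback (ACS) URL, Audience (Entity ID), X509 signing certificate and email mapping fields are used for on the service-provider side, the checks below run over a constructed, unsigned sample response. The URLs, Entity ID and certificate are placeholder values; real signature verification additionally needs an XML-DSig library.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-ins for one Ziflow SSO configuration (hypothetical values, not real ones).
ACS_URL = "https://example.ziflow.io/login/callback"     # the Callback (ACS) URL Ziflow displays
ENTITY_ID = "urn:auth0:example:ziflow-saml"               # the Audience (Entity ID) Ziflow displays
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # default mapping
TRUSTED_CERT = base64.b64encode(b"constructed fake DER certificate").decode()  # the uploaded IdP cert
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(cert_text):
    """SHA-256 of the DER bytes; accepts PEM (with BEGIN/END lines) or bare base64."""
    b64 = "".join(l.strip() for l in cert_text.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def check_response(xml, now=None):
    """Return (issues, email); an empty issues list means the SP-side checks pass. The
    XML-DSig signature itself still has to be verified with an xmlsec library (not done here)."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml).find("saml:Assertion", NS)
    issues = []
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS) != ENTITY_ID:
        issues.append("Audience does not match our Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        issues.append("Recipient is not our Callback (ACS) URL")
    elif datetime.fromisoformat(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z").replace("Z", "+00:00")) <= now:
        issues.append("assertion has expired")
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if not cert or fingerprint(cert) != fingerprint(TRUSTED_CERT):
        issues.append("signing certificate is not the configured IdP certificate")
    email = next((at.findtext("saml:AttributeValue", "", NS)
                  for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)
                  if at.get("Name") == EMAIL_CLAIM), None)
    if not email or "@" not in email:
        issues.append("email attribute missing or not an address")
    return issues, email

def sample_response(audience=ENTITY_ID, cert=TRUSTED_CERT, email="jane@example.com"):
    """Constructed, unsigned sample in the shape an IdP would POST to the Callback URL."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion><ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2030-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

A response whose Audience is another tenant's Entity ID, whose Recipient is not your ACS URL, or whose embedded certificate differs from the one you uploaded is exactly what the configured values let the service provider reject.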


Important notes and limitations

  • SSO is enforced for all users: There is no mixed-mode login. Enabling SSO applies to every user on the account, including satellite accounts and guests.
  • Satellite accounts: These are workarounds for users without IdP credentials, but come with security and administrative overhead. Use with caution.
  • The userName attribute must be an email address. If authentication issues arise, try alternative attribute names like user-name or user_name.
  • Changing subdomains: If switching from a sandbox to a production subdomain, contact Ziflow support to avoid disruptions in SSO or API access.
  • If you require an entity ID attribute to generate an SSO certificate, copy the ID at the end of your Callback (ACS) URL.


Test your SSO setup

After configuration:

  1. Navigate to your Ziflow login URL.
  2. Enter your email address.
  3. If SSO is configured correctly, you will be redirected to your IdP login page.
    After successful authentication, you will be logged into Ziflow automatically.

Set up SSO with popular identity providers (IdPs)

  1. SSO configuration for Okta

  2. SSO configuration for Azure

  3. SSO configuration for G-Suite

  4. SSO configuration for OneLogin

  5. SSO with Custom Social Connection

Set up Single Sign-On (SSO) for G Suite

Summary: Here’s a step-by-step guide on configuring SSO for your Ziflow account by creating a SAML app in Google Suite. It’s a convenient option if you use G Suite and haven’t implemented SSO yet.

With this method, you can configure basic SSO authentication without using a third-party service.

Configuring Google

  1. Sign in to https://admin.google.com/ with your G Suite account (please note that you need to be an administrator in your Google account).

  2. In the menu, select Apps > Web and Mobile apps > Add app > Add custom SAML app.

  3. Enter the app name and upload the app avatar.


  4. Copy the SSO URL and download a certificate.

  5. Open the Ziflow SSO settings (https://.ziflow.io/#/settings/sso) and copy two values:
    - Callback URL
    - Entity ID

  6. Enter values copied from Ziflow into your SSO G Suite configuration.

  7. Add the following attribute mapping:

  8. Turn on the Ziflow SSO service and add needed users/groups to the Ziflow SSO app:


Configure Ziflow

  1. Open the Ziflow SSO configuration (https://.ziflow.io/#/settings/sso).

  2. Enter the SSO URL copied from Google (step 4 above) into the Sign In URL and Sign Out URL fields:

  3. Upload the downloaded certificate and turn on SSO:


At this point, both Google and Ziflow are configured, and users who are added on both sides should be able to authenticate with their corporate credentials. You can test this by going to https://.ziflow.io/#/login and entering your email address. If SSO is configured correctly, you'll be redirected to the SSO login page, and after authenticating, you should be logged in to Ziflow:


Set up Single Sign-On (SSO) for OneLogin

Summary: Here’s a step-by-step guide on configuring SSO for your Ziflow account by creating a SAML Connector app in OneLogin.

  1. Add SAML Custom Connector from the Applications tab.

  2. To generate the Callback URL on the Ziflow side, you may need to enter any website address e.g. https://www.google.com/ into the Sign-in URL & Sign-Out URL fields (these fields will be updated with correct data later on).

    Copy the Ziflow Callback URL into the ACS (Consumer) URL, ACS (Consumer) URL Validator and Login URL fields.
  3. Copy the audience from the Ziflow Settings in the configuration for SSO; only copy the value “urn:auth0….” into the “Audience (EntityID)” field on OneLogin.

  4. Change SAML initiator to Service Provider.

  5. Set up the "email" parameter and make sure the Include in SAML assertion checkbox is flagged. Next, set the "email" parameter to the Email value.

  6. Navigate to the Users tab in OneLogin. Set up a user on OneLogin (default values are okay). Please note that the email must match the Ziflow user who is logging in. Apply the user to the application you just set up.

  7. Copy SAML 2.0 endpoint URL and download PEM x509 certificate (from view details).

  8. Enter the copied OneLogin URL into the Ziflow Sign-in URL and Sign-Out URL fields, upload the certificate downloaded in the last step, and turn on SSO.

  9. Try signing into Ziflow. The email configured on the OneLogin side should be recognized by Ziflow, and the application should ask for OneLogin credentials.


SSO with custom Social Connection

Select the Custom Social Connection type in the SSO type field (the default value is SAML 2.0). Once this is done, you can start setting up the connection itself:

  1. Client ID - enter the client's ID to allow Ziflow to establish a secure connection.

  2. Secret ID - enter a copied secret ID from your client's configuration.

  3. Authorization URL - URL that starts the authorization process and asks the user for a username/password.

  4. Token URL - URL from which Ziflow obtains the user's token, using the response received after the user authorizes.

  5. Fetch user profile script - script that requests user information (email, first name, last name, and local userId). Here's a standard script:
    Note: the userName attribute must be an email address; if that doesn't work, please try user-name or user_name.

    // Start script (the request helper used below is provided by the script environment, as in the original)
    function(accessToken, ctx, cb) {
      // Make a GET REST call to the userinfo endpoint to get user information
      request.get({
        url: 'https://ziflow.auth0.com/userinfo',
        headers: {
          'Accept': 'application/json',
          // Using the accessToken granted from the /token endpoint
          authorization: 'Bearer ' + accessToken
        }
      }, function(err, resp, body) {
        // If there's an error we leave the script
        if (err) return cb(err);
        if (resp.statusCode !== 200) return cb(new Error('userinfo returned HTTP ' + resp.statusCode));

        // Convert the response into JSON for easy parsing
        var abResponse = JSON.parse(body);

        // Map your profile into these fields; it is important that all fields are filled
        var profile = {
          user_id: abResponse.id,
          username: abResponse.username,
          given_name: abResponse.forename,
          family_name: abResponse.surname,
          email: abResponse.email
        };

        // Callback with the new profile
        cb(null, profile);
      });
    }
  6. Single Sign-On - on-off switch for enabling/disabling SSO as an authentication method.
