SSO and Authentication
Flare supports SP-initiated single sign-on (SSO) through Google or a SAML provider, such as Microsoft Azure Active Directory or Okta.

Google

If your organization uses Google as its identity provider, no additional configuration is required. Selecting Google from the providers list is all you need to allow members to sign in with their Google accounts. Note that the Google account email must match the member's email address in Flare.

SAML

If your organization uses a SAML-supporting identity provider, such as Microsoft Azure AD, you will need to provide the following configuration values:

- Metadata URL: points to the metadata configuration of your SAML provider.
- Mapping Email: maps Flare's email attribute to the corresponding attribute in your SAML identity provider.

For help obtaining these values from the Azure portal, refer to docid\ lbk46kdrtmqf le7yoart

Configuration modes

SSO can be configured in two modes:

- Enabled: SSO is available but not required. Members can still choose to sign in with their Flare password.
- Mandatory: Members must sign in using SSO. Password authentication is disabled, and API access is limited to API keys only.

Additionally, SSO can be configured at the organization level or at the individual tenant level, making it easy to manage multiple tenants with different identity providers.

Note:

- SSO can only be configured by administrators.
- IdP-initiated SSO is currently not supported.

Configuring SSO at the organization level

Follow these steps to configure SSO at the organization level:

1. Navigate to the SSO configuration page:
   - Open the Team page.
   - Click Edit on the right panel.
2. Under SSO Configuration, select your desired identity provider.

Configuring SSO at the tenant level

To configure SSO through SAML, see

Testing and enabling SSO

Follow these steps to test and enable SSO:

1. Browse to the Flare Team page and check the Enable option. Do not make it mandatory for now.
2. Log out from Flare.
3. Attempt to log back in by choosing Log in with SSO.
4. You should get redirected to your identity provider for authentication. If you are already connected, you should be instantly redirected to Flare's home page. If you were not connected, your identity provider will ask for your credentials.
5. If successful, you can browse back to the Team page and set SSO as mandatory. From this point on, users in your organization will only be able to log in with that method, and password authentication will be disabled.

Frequently asked questions

What identity providers does Flare support for SSO?

Flare supports two identity providers:

- SAML: a widely compatible SSO method that works with most identity providers.
- Google

Does Flare support per-tenant SSO?

Yes.

- Organization and tenant administrators can configure SSO for each tenant on the Tenants page.
- Organization administrators can assign users tenant SSO as their authentication method on the Team page.
- Alternatively, tenant administrators can invite new users, automatically assigning their authentication tenant.
- Users with tenant authentication can sign in using that tenant's SSO. If SSO is set to mandatory, they must use it.

When logging in with tenant SSO, is my session scoped only to that tenant?

No. Per-tenant SSO is a standard login option. Signing in with a tenant's SSO does not restrict access to other tenants you belong to.

How does MFA work with SSO?

When signing in with SSO, Flare does not enforce MFA. It is the responsibility of your SSO provider to require MFA.

Does Flare support IdP-initiated login flows?

Not yet. SSO users must initiate the login flow from the Flare app. This is known as SP-initiated SSO.

What is the magic link login option?

Magic links let you sign in without a password by clicking a link sent to your account's email address.

Magic links are not available for:

- Users with MFA configured, as magic links are considered less secure than MFA.
- Members of organizations where SSO is enforced, as those organizations require full control over authentication methods.

Why is MFA or a magic link required to sign in to Flare?

Flare provides access to sensitive data, and this additional layer of security helps protect both your data and access to the platform. Password-only login is considered insecure, so users must configure MFA before signing in with a password. Alternatively, magic links can be used to sign in without a password.

How long do Flare sessions last?

After signing in, your session remains active for up to one week. This duration cannot be configured.

Does Flare support SSO bypass (break the glass)?

No. When SSO is enforced in an organization, it applies to all users without exception. If you are locked out of SSO, please contact Flare support.