SSO and Authentication
Flare supports logging into the platform with SP-initiated single sign-on using a SAML provider (such as Microsoft Azure Active Directory and Okta) and with Google.

Configuring SSO

Only organization administrators may configure single sign-on.

Navigate to the SSO configuration page:

1. Open the Team page.
2. Click Edit on the right panel.
3. Under SSO Configuration, select your desired identity provider.

Understanding the configuration states

There are two configuration options for SSO:

- Enabled: Logging in with SSO is allowed but not mandatory. Organization members can still choose to log in using their Flare password.
- Mandatory: Organization members may only log in using SSO. They cannot use password authentication. API access will only be allowed with API keys.

Choose your provider

If your organization is using Google as an identity provider, no additional configuration is needed. Simply selecting "Google" will be enough to allow your organization members to log in with their Google accounts. The email of the Google account must match the email of the organization member in Flare.

If your organization is using a SAML-supporting identity provider, such as Microsoft Azure AD, you need to provide two configuration values. For more information on obtaining these configuration values from the Azure portal, please read the guide below.

- Metadata URL: Points to the metadata configuration of your SAML provider.
- Mapping Email: Used to map Flare's email attribute to matching attributes in your SAML identity provider.

Testing and enabling SSO

To test and enable single sign-on:

1. Browse to the Flare Team page and check the Enable option. Do not make it mandatory for now.
2. Log out from Flare.
3. Attempt to log back in by choosing Log in with SSO.
4. You should get redirected to your identity provider for authentication. If you are already connected, you should be instantly redirected to Flare's home page. If you were not connected, your identity provider will ask for your credentials.
5. If successful, you can browse back to the Team page and set SSO as mandatory. From this point on, users in your organization will only be able to log in with that method, and password authentication will be disabled.

Configuring Microsoft Azure Entra ID

1. Navigate to Enterprise apps in your Entra ID tenant and click New application.
2. You should now be in the Entra app gallery. Click Create your own application. This should open a drawer similar to the screenshot below.
3. Give the application a representative name like "Flare SSO". Leave "Integrate any other application you don't find in the gallery (Non-gallery)" selected in the "What are you looking to do with your application?" section.
4. Click Create application and wait for Entra to create it.
5. Click Set up single sign on.
6. Click SAML.
7. Edit the Basic SAML Configuration:
   - Set the Identifier to urn:amazon:cognito:sp:us-east-1_eds7l4vuu
   - Set the Reply URL to https://sso.firework.flared.io
8. Click Save at the top of the drawer.

You should now be able to fill out the required fields in the SSO configuration screen in Flare:

- Paste the App Federation Metadata URL from the SAML Certificates section into the Metadata (URL) field in Flare.
- Paste the corresponding claim from the Attributes & Claims section into the Mapping Email field in Flare. The format of this field is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/$claim_name, where $claim_name corresponds to the email attribute in Entra. In the example screenshot, this could either be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, depending on your Entra user distribution.

If you have customized claims, you might need to use a different metadata URL. You can find it by navigating to the app registration you just created:

1. Click on the Managed application in local directory link.
2. In the left sidebar, under Manage, select Single sign-on.
3. If a new custom signing has been used, you should see a section called Certificates. Copy the value from Federation Metadata Document.
4. Set the value Metadata URL in Flare to the value you just copied.

Azure Entra ID should now be correctly configured.

Configuring Okta

Flare settings

- Metadata URL: taken from Okta in the "Sign On" subtab of the application
- Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Okta settings

- Single sign-on URL: https://sso.firework.flared.io/saml2/idpresponse
- Audience URI: urn:amazon:cognito:sp:us-east-1_eds7l4vuu
- Application username: Email

Then, create an additional attribute statement:

- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Format: Basic
- Value: user.email

Configuring JumpCloud

JumpCloud config

App creation

- User Authentication > Add New Application > Custom Application
- Custom application features: Manage Single Sign-On (SAML)
- Save Application

App config

- SP Entity ID: urn:amazon:cognito:sp:us-east-1_eds7l4vuu
- ACS URL: https://sso.firework.flared.io/saml2/idpresponse
- SAMLSubject NameID: email
- SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Declare Redirect Endpoint: yes

Creating a user attribute

- Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- JC Attribute Name: email

Flare config

- Metadata URL: obtain from Copy Metadata URL in JumpCloud
- Mapping Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
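
If the test login fails before SSO is made mandatory, a mismatch in the audience, ACS URL or email claim is one thing to rule out. The following is an added example, not Flare's code: it decodes a SAMLResponse captured from your own browser session and compares it with the Audience URI, ACS URL and email claim written on this page. The function names and the sample response are constructed for illustration, and the XML signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values as written on this page (Okta and JumpCloud sections).
AUDIENCE = "urn:amazon:cognito:sp:us-east-1_eds7l4vuu"
ACS_URL = "https://sso.firework.flared.io/saml2/idpresponse"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_saml_response(b64_response, email_claim=EMAIL_CLAIM):
    """List configuration problems in a base64 SAMLResponse from your own IdP.
    Configuration check only: the XML signature is NOT verified here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append(f"audience mismatch: {audiences}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"ACS/recipient mismatch: {recipients}")
    emails = [v.text.strip()
              for attr in root.iterfind(".//saml:Attribute", NS)
              if attr.get("Name") == email_claim
              for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    if not emails:
        problems.append(f"mapped claim missing: {email_claim}")
    elif any("@" not in e for e in emails):
        problems.append(f"mapped claim is not an email address: {emails}")
    return problems


def build_sample(audience=AUDIENCE, claim=EMAIL_CLAIM, value="alice@example.com"):
    """Constructed, unsigned SAMLResponse used only to exercise the check."""
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Subject>'
           f'<saml:SubjectConfirmation><saml:SubjectConfirmationData '
           f'Recipient="{ACS_URL}"/></saml:SubjectConfirmation></saml:Subject>'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="{claim}">'
           f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
           f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(build_sample()))               # matching configuration
    print(check_saml_response(build_sample(claim="email")))  # claim name not mapped
```

For an Entra setup that maps the name claim instead, pass that claim URI as email_claim so the check looks for the attribute you entered in Mapping Email.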