SSO and Authentication
Flare supports logging into the platform with SP-initiated single sign-on (SSO) using a SAML identity provider (such as Microsoft Entra ID, formerly Azure Active Directory, or Okta) and with Google.

Configuring SSO

Only organization administrators may configure single sign-on.

To navigate to the SSO configuration page:

1. Open the Team page.
2. Click Edit on the right panel.
3. Under SSO configuration, select your desired identity provider.

Understanding the configuration states

There are two configuration options for SSO:

- Enabled: logging in with SSO is allowed but not mandatory. Organization members can still choose to log in using their Flare password.
- Mandatory: organization members may only log in using SSO; they cannot use password authentication. API access is only allowed with API keys.

Choose your provider

Google: if your organization uses Google as an identity provider, no additional configuration is needed. Selecting "Google" is enough to allow your organization members to log in with their Google accounts. The email of the Google account must match the email of the organization member in Flare.

SAML: if your organization uses a SAML-supporting identity provider, such as Microsoft Entra ID, you need to provide two configuration values (the provider guides below explain how to obtain them):

- Metadata URL: points to the SAML metadata document of your identity provider.
- Mapping email: the name of the SAML attribute (claim) that Flare reads as the user's email. It must match the attribute name your identity provider actually sends in the assertion.

Testing and enabling SSO

To test and enable single sign-on:

1. Browse to the Flare Team page and check the Enable option. Do not make it mandatory yet. Keep an administrator session open in another browser while testing so that a misconfiguration does not lock you out.
2. Log out from Flare.
3. Attempt to log back in by choosing "Log in with SSO". You should be redirected to your identity provider for authentication. If you already have a session with the identity provider, you should be redirected straight to Flare's home page; if not, your identity provider will ask for your credentials.
4. If the login succeeds, browse back to the Team page and set SSO as mandatory. From this point on, users in your organization can only log in with that method, and password authentication is disabled.

Configuring Microsoft Entra ID (Azure AD)

Flare requires two values from Entra ID in order to use it as an identity provider.

Metadata URL (default installation):

1. Browse to your Microsoft Entra ID tenant in the Azure portal.
2. In the left menu, click App registrations.
3. Click Endpoints.
4. Copy the value of Federation metadata document and paste it into Metadata URL on the Flare configuration page. If you have customized claims, also follow the "Customized claims" steps below.

Mapping email: this value maps Flare's email to a matching attribute in your SAML identity provider. For a default Entra ID installation, use the value below. If you are unsure what to use here, contact your Entra ID administrator.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

See Microsoft's documentation for the available claim types.

Once both values are entered in Flare, click Save.

Next, Flare must be registered in Entra ID so it can be used as a service provider:

1. Go to Microsoft Entra ID > App registrations.
2. Click New registration.
3. Enter "firework" as the app name and https://sso.firework.flared.io as the redirect URI.
4. Click Register.
5. In the Essentials section, click Add an Application ID URI.
6. At the top left, click Add.
7. Set the Application ID URI to the value below and click Save:

urn:amazon:cognito:sp:us-east-1_eds7l4vuu

Customized claims: if you have customized claims, you might need to use a different metadata URL. You can find it as follows:

1. Navigate to the app registration you just created.
2. Click the Managed application in local directory link.
3. In the left sidebar, under Manage, select Single sign-on.
4. If a new custom signing certificate has been used, you should see a section called Certificates. Copy the value of Federation metadata document.
5. Set Metadata URL in Flare to the value you just copied.

Entra ID should now be correctly configured.

Configuring Okta

Flare settings:

- Metadata URL: taken from Okta, in the "Sign On" tab of the application.
- Mapping email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Okta settings (SAML application):

- Single sign-on URL: https://sso.firework.flared.io/saml2/idpresponse
- Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_eds7l4vuu
- Application username: Email

Then create an additional attribute statement:

- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Name format: Basic
- Value: user.email

The Audience URI must match the SP Entity ID exactly; a SAML assertion whose AudienceRestriction does not match the service provider's entity ID is rejected.

Configuring JumpCloud

JumpCloud application creation:

1. User Authentication > Add New Application > Custom Application.
2. Custom application features: Manage Single Sign-On (SAML).
3. Save the application.

Application configuration:

- SP Entity ID: urn:amazon:cognito:sp:us-east-1_eds7l4vuu
- ACS URL: https://sso.firework.flared.io/saml2/idpresponse
- SAMLSubject NameID: email
- SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- Declare Redirect Endpoint: yes

Creating a user attribute:

- Service Provider Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- JumpCloud Attribute Name: email

Flare settings:

- Metadata URL: obtained with "Copy Metadata URL" in JumpCloud.
- Mapping email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
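The provider guides above all come down to three values that must line up: the IdP metadata (entity ID, SSO endpoint, signing certificate), the SP entity ID / ACS URL that the IdP must target, and the email claim name that Flare's Mapping email setting has to equal. The following script is an added example, not Flare's, Cognito's or any provider's code. It parses a constructed IdP metadata document and a constructed SAML response (shaped like what an Okta or JumpCloud app configured as above would post, signature omitted) and reports the mismatches a practitioner would otherwise only see as a failed "Log in with SSO" attempt. The sample documents, the hypothetical IdP entity ID https://idp.example.com/metadata and the user alice@example.com are constructed; the SP values are the ones on this page. It does not verify XML signatures; the real service provider does that with the certificate from the metadata.

```python
"""Offline sanity checks for the SAML values on this page (added example).
Parses constructed sample documents only; for untrusted XML use defusedxml."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Service-provider values from this page (user pool id shown lowercase, as on the page).
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_eds7l4vuu"
ACS_URL = "https://sso.firework.flared.io/saml2/idpresponse"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # Okta/JumpCloud
AZURE_NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"  # Entra ID default

# Constructed IdP metadata, shaped like the document a Metadata URL returns (hypothetical IdP).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICconstructedCertificateBodyNotARealCert</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML response for the Okta/JumpCloud configuration above (signature omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sso.firework.flared.io/saml2/idpresponse">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:us-east-1_eds7l4vuu</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_metadata_summary(xml_text):
    """Pull out what matters from IdP metadata: entityID, SSO endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document (no IDPSSODescriptor)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means the key serves both purposes
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                   email_claim=EMAIL_CLAIM, idp_entity_id=None):
    """Compare a SAML response with the SP settings; return {'problems': [...], 'email': ...}."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"problems": problems + ["no Assertion in response"], "email": None}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if idp_entity_id is not None and issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != metadata entityID {idp_entity_id!r}")
    audiences = [a.text.strip() for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include SP entity ID {sp_entity_id!r}")
    email = None
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_claim:  # this is what Flare's Mapping email must equal
            email = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip() or None
    if email is None:
        problems.append(f"mapping email attribute {email_claim!r} missing from assertion")
    return {"problems": problems, "email": email}


if __name__ == "__main__":
    meta = idp_metadata_summary(SAMPLE_IDP_METADATA)
    print(meta)
    print(check_response(SAMPLE_RESPONSE, idp_entity_id=meta["entity_id"]))
    # The Entra ID default claim name against an Okta-style assertion: the mapping mismatch.
    print(check_response(SAMPLE_RESPONSE, email_claim=AZURE_NAME_CLAIM)["problems"])
```

To use it against a real provider, fetch the Metadata URL and feed the XML to idp_metadata_summary, and capture the POST to the ACS URL (base64-decode the SAMLResponse form field) for check_response. A response that passes these checks but still fails at login usually points at the signature or the NameID, which this script deliberately does not cover.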