SAML-based single sign-on (SSO) enables you to provide access to Sift through your identity provider (IDP) for stronger password control and more secure access management.
- Step 1: Configure your identity provider
- Step 2: Set up Sift SSO
- What to expect once after you enable SSO
- FAQ
Configure your Identity Provider
To get started, you’ll need to set up a connection for Sift with your IDP. Select your IDP below for step-by-step instructions.
Set up Sift SSO
Once you’ve configured your IDP, an admin can enable SSO in Sift.
1. In the Sift Console, go to "Account Settings” → "Team" → "Security"
2. Input SAML endpoint URL, Issuer URL, and certificate that you copied from your IDP. To get these fields, you first need to configure your IDP.
3. Click “Test Integration”. This will attempt to log you into Sift through your identity provider.
Note: If your integration fails, you will need to navigate back to the configuration page in Sift manually.
4. Configure additional settings
- Set the default role when a new user logs into Sift using SSO — If a new user launches Sift from their SSO provider before they’ve been invited manually, this will be their default level of access in the Sift Console.
- Set exceptions to SSO — You can enable password access for guest accounts or contractors who don’t have an account with your IDP or for admins/IT managers to access Sift in the event of an IDP outage.
5. Once you’ve configured your integration and SSO settings, click “Save”
What to expect after you enable SSO
Existing users
After you enable SSO, any user whose authentication method has changed will get an email prompting them to connect their Sift account with your IDP. Any users logged into Sift will be forced to logout within one hour and log back in using SSO.
Adding new users
While we don’t currently support automatic provisioning, new users can create a Sift account by accessing the Sift app from your IDP. You can set the default level of access new users have in the SSO configuration located in the additional options menu of the SSO integration page.
Removing users
Users remain logged into the Sift Console for 1 week, so removing them from your IDP does not immediately block their access to the Sift Console. To immediately block access, remove the user using the "Team" page.
FAQ
Q: What happens if my IDP is unavailable and I need to login to Sift?
A: You can give IT/Sift admins the ability to login to Sift with a password or SSO. This way they can still access the Console and disable SSO temporarily if needed.
Q: How does 2FA work with SSO?
A: 2FA only applies to password based logins. If you want 2FA in addition to SSO, please configure that with your IDP.
Q: What happens if there are duplicate accounts for a user?
A: The ability to merge two accounts is on the roadmap. in the meantime, disable the extra account.
Q: Does SSO support non-unique logins?
A: No.
Q: Can I test our SSO integration in sandbox mode?
A: No. If you want to test your integration, we recommend enabling SSO for one user before changing authentication methods for other users.