Simplify access to Frontify for all your employees by using Single Sign On. This FAQ builds on the essential information in our article "Single Sign On (SSO) - Fast and convenient login for employees".
Does Frontify support IDP (Identity Provider) initiated logins?
No, we only support SP (Service Provider) initiated logins.
Does this application support the JIT (Just-in-time) provisioning of users?
Yes, we use JIT provisioning of users so that non-existing user accounts will be created automatically. We're unable to deactivate this.
Does this application support the SCIM (System for Cross-domain Identity Management) provisioning of users?
No, we don't support SCIM provisioning.
Off-boarded employees who are removed from a company directory lose access to email, so they won't be able to log in to Frontify. And because those users can't log in, they will not be counted as an MAU (monthly active user).
Can we use Azure AD, OneLogin, or any other system as identity provider (IDP)?
Yes, the only requirement is that it provides SAML 2.0 or OpenID Connect (OIDC).
Can we use OAuth?
Yes, it is possible but requires detailed clarification. Let's schedule a call with your Customer Success Manager.
Can we use multiple IDPs with Frontify SSO?
We can configure two IDPs on the domain level, which means we have two communication channels per domain. If you need to connect more than two IDPs, you need to make sure to bundle your IDPs. An alternative would be to have several domains with one or two SSO configurations each. This has to be discussed first with your Customer Success Manager.
Can we combine different types of authentication?
You can use only one authentication type (e.g., SAML) per domain.
Does Frontify support IDP logout?
Yes, we support IDP-initiated logout for SAML setups.
Does Frontify support SP logout?
Yes, we support SP-initiated logout for SAML setups.
Is it possible to force SSO for login?
Yes. Forcing SSO prevents external users from logging in to your environment, and password reset is no longer available. Account administrators can exclude individual users from forced SSO in the user overview by opening the lock icon (e.g., for your Customer Success Manager, Frontify Support, etc.).
Do we have a test environment in which we could perform the integration before moving to production?
Usually, we do this in a live environment. A test solution is possible. However, the corresponding efforts have to be clarified with the Customer Success Manager. Please note that with a test system, we would test on a different URL; this means we cannot test a configuration 1:1.
How do we test SSO?
After activating SSO, an additional button appears on the Frontify login page, which triggers the SSO process. This also means that the starting point for the login is always the Frontify login page.
What happens when the Frontify certificate expires?
Frontify notifies affected customers at an early stage, within a specific time frame, using the contacts known to us. Certain systems can update the new metadata automatically. For others, a manual exchange would be necessary. We will provide the new certificate together with the announcement. In exceptional cases, we may be able to coordinate alternative dates in favor of our customers.
What happens when the IDP certificate expires?
Frontify cannot automatically collect the new certificate. Therefore, the customer must contact Frontify Support early to coordinate the exchange.
Is it possible to combine SSO with the User Groups feature?
Yes, you can independently add users to existing groups via SAML SSO. Find out more in our User Groups with Single Sign On (SSO) help article.
Which plan do I need to have SSO available?
You can benefit from Single Sign On with our Enterprise plans.
If you have a question that we haven't covered here, don't be shy. Reach out, and we're happy to help.