Simplify access to Frontify for all your employees by using Single Sign On. This FAQ builds on the basic information you can find here: Single Sign On (SSO) - Fast and convenient login for employees
Does Frontify support IDP (Identity Provider) initiated logins?
No, we only support SP (Service Provider) initiated logins.
Does this application support JIT (Just-in-time) provisioning of users?
Yes, we use JIT provisioning, so user accounts that do not exist yet are created automatically. We’re unable to deactivate this.
Can we use Azure AD, OneLogin, or any other system as identity provider (IDP)?
Yes, the only requirement is that it provides SAML 2.0 or OpenID Connect (OIDC).
Can we use OAuth?
Yes, it is possible, but requires detailed clarification. Let's schedule a call with your Customer Success Manager.
Can we use multiple IDPs with Frontify SSO?
We can configure two IDPs at the domain level, which means two communication channels per domain. If you need to connect more than two IDPs, you need to bundle your IDPs. An alternative would be to have several domains with one or two SSO configurations each. This has to be discussed first with your Customer Success Manager.
Can we combine different types of authentication?
You can use only one authentication type (e.g. SAML) per domain.
Does Frontify support IDP logout?
Yes, we support IDP-initiated logout for SAML setups.
Does Frontify support SP logout?
Yes, we support SP-initiated logout for SAML setups.
Is it possible to force SSO for login?
Yes. Forcing SSO prevents external users from logging into your environment, and password reset is no longer available. Account administrators can exclude individual users from forced SSO in the user overview by opening the lock icon (e.g., for your Customer Success Manager, Frontify Support, etc.).
Do we have a test environment that we could perform the integration in before we move to production?
Usually, we do this in the live environment. A test solution is possible; however, the effort involved has to be clarified with the Customer Success Manager. Please note that a test system runs on a different URL, which means we cannot test a configuration 1:1.
How do we test SSO?
After activating SSO, an additional button appears on the Frontify login page, which triggers the SSO process. This also means that the starting point for the login is always the Frontify login page.
What happens when the Frontify certificate expires?
Frontify contacts the affected customers, via the contacts known to us, at an early stage with a specific time frame. Certain systems are able to update the new metadata automatically. For others, a manual exchange would be necessary. We will provide the new certificate together with the announcement. In exceptional cases, we may be able to coordinate alternative dates in favor of our customers.
What happens when the IDP certificate expires?
Frontify cannot automatically collect the new certificate. Therefore, it’s necessary for the customer to contact Frontify Support early to coordinate the exchange.
Why do I have a SmartGroup "All Users @mydomain" after SSO is activated?
This SmartGroup allows you to automatically promote users to the group without any action from your side. This group has the default rule that all logged-in users belong to it. SmartGroups can be configured with additional rules such as login method, email domain restrictions, or regional segmentation. Just reach out to your Customer Success Manager, or directly to Support.
Is it possible to combine SSO with the User Groups feature?
Yes, you can independently add users to existing groups via SSO. Find out more in our User Groups with Single Sign On (SSO) help article.
Which plan do I need to have SSO available?
You can benefit from Single Sign On with our Enterprise plans.
If you have a question that we haven’t covered here, don't be shy. Reach out and we’re happy to help.