Simplify the access to Frontify for all your employees by using Single Sign On. This FAQ builds on the essential information you find here: Single Sign On (SSO) - Fast and convenient login for employees

No, we only support SP (Service Provider) initiated logins.

Yes, we use JIT provisioning of users so that non-existing user accounts will be created automatically. We're unable to deactivate this. 

No, we don't support SCIM provisioning.

Off-boarded employees that are removed from a company directory lose access to email so they won't be able to log in to Frontify. And as those users can't log in they will not be counted as an MAU (monthly active user).

Yes, the only requirement is that it provides SAML 2.0 or OpenID Connect (OIDC).

Yes, it is possible but requires detailed clarification. Let's schedule a call with your Customer Success Manager.

We can configure two IDPs on the domain level, which means we have two communication channels per domain. If you need to connect more than two IDPs, you need to make sure to bundle your IDPs. An alternative would be to have several domains with one or two SSO configurations each. This has to be discussed first with your Customer Success Manager.

You can use only one authentication type (e.g., SAML) per domain.

Yes, we support IDP-initiated logout for SAML setups.

Yes, we support SP-initiated logout for SAML setups.

Yes. This function would deactivate the possibility of having external users logging into your environment. Also, the possibility of using a password reset is not available. The account administrators can exclude single users from SSO force via user overview by opening the lock icon (e.g., for your Customer Success Manager, Frontify Support, etc.).

Within the user export, we display the SSO user status toggled for hybrid mode, allowing for both Single Sign-On (SSO) and simple login functionalities to be enabled simultaneously.

Usually, we do this in a live environment. A test solution is possible. However, the corresponding efforts have to be clarified with the Customer Success Manager. Please note that with a test system, we would test on a different URL; this means we cannot test a configuration 1:1.

After activating SSO, an additional button appears on the Frontify login page, which triggers the SSO process. This also means that the starting point for the login is always the Frontify login page. 

Frontify contacts the affected customers via the contacts known to us at an early stage within a specific time frame. Certain systems can update the new metadata automatically. For others, a manual exchange would be necessary. We will provide the new certificate together with the announcement. In exceptional cases, we may be able to coordinate alternative dates in favor of our customers. 

Frontify cannot automatically collect the new certificate. Therefore, the customer must contact Frontify Support early to coordinate the exchange.

Yes, you can independently add users to existing groups via SAML SSO. Find out more in our User Groups with Single Sign On (SSO) help article.

You can benefit from Single Sign On with our Enterprise plans.
​
​
If you have a question that we haven't covered here, don't be shy. Reach out, and we're happy to help.
​