Skip to main content
All CollectionsPlatformSingle Sign-On (SSO)
SSO: Frequently Asked Questions (FAQ)
SSO: Frequently Asked Questions (FAQ)

A selection of frequently asked questions about Single Sign On.

Updated over 4 months ago

Simplify the access to Frontify for all your employees by using Single Sign On. This FAQ builds on the essential information you find here: Single Sign On (SSO) - Fast and convenient login for employees

Does Frontify support IDP (Identity Provider) initiated logins?

No, we only support SP (Service Provider) initiated logins.

Does this application support the JIT (Just-in-time) provisioning of users?

Yes, we use JIT provisioning of users so that non-existing user accounts will be created automatically. We're unable to deactivate this. 

Does this application support the SCIM (System for Cross-domain Identity Management) provisioning of users?

No, we don't support SCIM provisioning.

Off-boarded employees that are removed from a company directory lose access to email so they won't be able to log in to Frontify. And as those users can't log in they will not be counted as an MAU (monthly active user).

Can we use Microsoft Entra (Azure AD), OneLogin, or any other system as identity provider (IDP)?

Yes, the only requirement is that it provides SAML 2.0 or OpenID Connect (OIDC).

Can we use OAuth?

Yes, it is possible but requires detailed clarification. Let's schedule a call with your Customer Success Manager.

Can we use multiple identity providers with Frontify SSO?

We can configure two Identity Providers (IdPs) for each domain with SAML SSO, meaning each domain can support two communication channels. If you need to connect more than two IdPs, you'll need to consolidate your IdPs.

With OpenID Connect (OIDC), we support one configuration per domain.

Alternatively, you can use multiple domains, each with one or two SSO configurations depending on the type. This approach has to be discussed with your Customer Success Manager before proceeding.

Can we combine different types of authentication?

You can use only one authentication type (e.g., SAML) per domain.

Does Frontify support IDP logout?

Yes, we support IDP-initiated logout for SAML setups.

Does Frontify support SP logout?

Yes, we support SP-initiated logout for SAML setups.

Is it possible to force SSO for login?

Yes. This function would deactivate the possibility of having external users logging into your environment. Also, the possibility of using a password reset is not available. The account administrators can exclude single users from SSO force via user overview by opening the lock icon (e.g., for your Customer Success Manager, Frontify Support, etc.).

If a user tries to log in via email and password, they will see a warning saying they must log in via SSO:

Within the user export, we display the SSO user status toggled for hybrid mode, allowing for both Single Sign-On (SSO) and simple login functionalities to be enabled simultaneously.

Do we have a test environment in which we could perform the integration before moving to production?

Usually, we do this in a live environment. A test solution is possible. However, the corresponding efforts have to be clarified with the Customer Success Manager. Please note that with a test system, we would test on a different URL; this means we cannot test a configuration 1:1.

How do we test SSO?

After activating SSO, an additional button appears on the Frontify login page, which triggers the SSO process. This also means that the starting point for the login is always the Frontify login page. 

What happens when the Frontify certificate expires?

Frontify contacts the impacted customers via the contacts known to us at an early stage within a specific time frame. Certain systems can update the new metadata automatically. For others, a manual exchange would be necessary. We will provide the new certificate together with the announcement. In exceptional cases, we may be able to coordinate alternative dates in favor of our customers. 

What happens when the IDP certificate expires?

Frontify cannot automatically collect the new certificate. Therefore, the customer must contact Frontify Support early to coordinate the exchange.

Is it possible to combine SSO with the User Groups feature?

Yes, you can independently add users to existing groups via SAML or OIDC SSO. Find out more in our User Groups with Single Sign On (SSO) help article.

Which plan do I need to have SSO available?

You can benefit from Single Sign On with our Enterprise plans.


If you have a question that we haven't covered here, don't be shy. Reach out, and we're happy to help.

Did this answer your question?