SSO (Single Sign-On) offers a quick and convenient login method for all employees. With SSO, you can automatically grant viewing access to all, or selected, employees within your company. SSO is available as an add-on for Enterprise accounts. For more details, please refer to our introduction and FAQ.
To begin the SSO setup process, contact your Customer Success Manager.
If you're using MS Entra, you can refer to the example below during the setup.
Frontify is part of the Microsoft Entra App Gallery:
Browse to Identity > Applications > Enterprise applications > Frontify > Single sign-on.
On the Select a single sign-on method page, select SAML.
On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.
Within the Basic SAML Configuration please add those URLs and replace DOMAIN with your current Frontify URL.
Identifier (SP Entity ID): https://DOMAIN/api/auth/saml/metadata/
Reply URL (ACS URL): https://DOMAIN/api/auth/saml/acs/
Sign on URL: https://DOMAIN/api/auth/saml/
Relay State: https://DOMAIN/
Logout URL: https://DOMAIN/api/auth/saml/sls/
* Please be aware that configuring the Relay State and Logout URL as mandatory, rather than optional as offered by Entra, is essential.
After clicking on each claim, you can edit them to be mapped to the Frontify required attributes (User.email, User.FirstName, User.LastName) like this:
From the SAML Signing Certificate section, download the Federation metadata XML file or copy the App Federation Metadata Url and pass it on to your Frontify contact.
Group Mapping with Entra
Please see the general overview on setting up group mapping here.
After adding the groups attribute to your Attributes & Claims, you can choose which Entra groups should be sent to Frontify with users. This is helpful if you have many Entra groups and only want some groups to be mapped to Frontify.
Important to note: assigning groups to the application is separate from user provisioning. You might provision only certain groups to have access to Frontify but what we are referring to in Attributes & Claims are what groups are being sent to Frontify for group mapping.
You can follow the screenshots below to Add group claims:
Recommended: If possible, configure the group claim to send a human-readable group name (not the group object ID / GUID) to Frontify. This will make it easier for Frontify Admins to map Entra groups to Frontify groups.
In Microsoft Entra ID:
For Active Directory–synced groups, this is typically
sAMAccountName.For cloud-only groups, configure the claim to send the
Cloud-only group display names.
Ensure that the value sent in the SAML token exactly matches the group name configured in Frontify. This must be a match whether the text-base group name is sent or the numerical ID.
To do this, a Frontify Admin must add that user group name in the "SSO group mapping" field in Frontify in order to map users to the associated Frontify group:
Detailed information about SSO group mapping can be found in this article.