How single sign-on (SSO) works

Single sign-on (SSO) allows users to log in to multiple services with a single set of login credentials.

When you use lots of different applications like Flourish, it can be difficult to remember a unique username and password for each of them. As well as solving this issue, SSO has other benefits.

NOTE: Single sign-on (SSO) is only available as a bolt-on to our Enterprise plans. Get in touch with our Sales team for more information.

This means your users will be able to log in via your identity provider and be logged into Flourish with just one click, without having to remember a separate username and password.

There are also security and administrative benefits to using SSO (see the question below on "why should I use SSO?").

There are a few different reasons why you might want to use SSO, generally related to administrative efficiency and added security:

  • Easy management of users
    • Maintain who has access to Flourish more easily and efficiently within your own system where you manage other services
    • Provide and revoke access centrally when employees join and leave your company
    • Change ownership of a Flourish account when an employee leaves, by simply switching over their ID to a new starter
  • Fewer logins for your users
    • With SSO, your users only need to remember one set of login credentials to access various services you use, including Flourish, avoiding issues with forgetting and resetting passwords frequently
  • Be in control of your own security
    • Authentication happens with your identity provider, so if you have extra security requirements beyond what Flourish provides (e.g. your own MFA or support for YubiKeys) you can ensure your users meet these requirements in order to access Flourish as well
    • There are options to include extra security provisions in your Flourish SSO setup, such as restricting user logins from certain IP addresses or only when connecting via your VPN

Flourish can provide SAML SSO, a widely supported protocol.

We currently only support IdP-initiated login (not SP-initiated login). This means that your users can only be logged into Flourish from your identity provider; Flourish will not direct them back to your provider to log in.

There are some configuration options that we can use to customise your SSO, including allowing users to also log in with a normal Flourish username and password, and restricting logins to certain IP addresses or only when connected via your company VPN.

To set up SSO for your company, we need to know a bit about how your identity provider (IdP) is set up.

Typically, we will request a specific file from you that lets us understand how we need to configure SSO for your company. Our engineering team will then get this set up, and we will supply you with details of our SSO configuration.

As an admin of your company, you will then be able to invite new users to your company, and once they've accepted their invitation, you can add their SAML federation IDs on the My company page.

Your users will now be able to log in to Flourish via SSO!

Once you have SSO set up, as an admin of your company on Flourish it's easy to manage your users via the My company page.

On the My company page, you'll see buttons next to each user to change or remove their SAML federation ID.

This is how you can easily remove employees who leave your company, or reassign their Flourish account to a new starter or someone else, simply by adjusting the ID.

This way, all the leaver's projects will remain part of the company and will now belong to the user you've reassigned the account to.