Single Sign-On (SSO) enables users to log in to multiple applications using a single username and password. With SSO, account and credential management is handled by your identity provider (IDP) rather than by Proof. An IDP, like Okta, Microsoft Azure, or Google IdP, manages user handles, accounts, and credentials for organizations engaging with a service provider, like Proof.
Some of the benefits of SSO:
- The most secure authentication method you can require for your users
- Full control over user provisioning from your identity provider
- Seamless onboarding and integration of Proof into your existing processes
- Requirements apply across all users with your domain
Definitions
- Service provider (SP) = Proof
- Identity provider (IDP) = The entity you work with to create, maintain, and manage your identity information
Who can set up SSO
Only Command Center owners and admins can perform the actions below.
Read Command Center Overview for more information about Command Center.
Once SSO is set up by an owner or admin, all users in your organization are affected by the changes.
Requirements to set up SSO
- Your company must be a Proof Command Center customer:
  - See Command Center Overview for more information.
- You must have authority over a domain to verify with Proof.
- You must have an Identity Provider (IDP):
  - Examples include but are not limited to Okta, Microsoft Azure, and Google IDP.
  - If unsure, ask your internal technical contact (IT, engineer, etc.).
What to expect after SSO is enabled
Once SSO is enabled, all users of an organization must sign in to Proof via SSO:
- Former Proof passwords will no longer work.
  - Owners and admin users with Command Center access are an exception. They will have the option to use a password to log in.
- Former Proof usernames will no longer work if those usernames do not match existing usernames in your organization’s IDP.
- Individuals with your email domain will not be able to create new separate accounts on the Proof platform.
- If any users with your email domain already have a separate account on the Proof platform, they will not be able to access the platform if they are not provisioned on your IDP.
If you have any users in your organization with domains you do not have authority over, you cannot enforce SSO for them. We highly recommend enabling MFA for the organization they have access to.
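Before enabling SSO, it helps to check which existing users fall into each of the cases above. The following is an added example, not Proof tooling: a pre-enablement audit that compares a list of current Proof users against the usernames provisioned in your IDP. The CSV columns, the sample addresses, the category names, and the case-insensitive username comparison are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example,
# not a Proof or IDP export format.
PROOF_USERS_CSV = """email,role
owner@example.com,owner
alice@example.com,member
Bob@Example.com,member
carol@example.com,admin
erin@example.com,member
dave@partner.test,member
"""
IDP_USERNAMES = {"owner@example.com", "alice@example.com", "bob@example.com"}
VERIFIED_DOMAINS = {"example.com"}  # domains you have verified with Proof


def norm(value):
    # Assumption: usernames are compared case-insensitively.
    return value.strip().lower()


def classify(email, role, idp_usernames, verified_domains):
    """Map one existing Proof user to what the page says happens after SSO."""
    email = norm(email)
    domain = email.rpartition("@")[2]
    if domain not in verified_domains:
        return "sso_not_enforceable"   # outside your domains: enable MFA instead
    if email in idp_usernames:
        return "ok"                    # username matches an IDP account
    if norm(role) in ("owner", "admin"):
        return "password_fallback"     # not in the IDP, but may still use a password
    return "loses_access"              # in your domain, not provisioned in the IDP


def audit(csv_text, idp_usernames, verified_domains):
    idp = {norm(u) for u in idp_usernames}
    domains = {norm(d) for d in verified_domains}
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = classify(row["email"], row["role"], idp, domains)
        report.setdefault(category, []).append(norm(row["email"]))
    return report


if __name__ == "__main__":
    for category, emails in audit(PROOF_USERS_CSV, IDP_USERNAMES, VERIFIED_DOMAINS).items():
        print(f"{category}: {', '.join(emails)}")
```

Users reported under `loses_access` should be provisioned in the IDP before SSO is turned on; users under `sso_not_enforceable` are the ones the MFA recommendation applies to.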