
SSO & SAML

Enable single sign-on (SSO) so your team members authenticate through your organization's identity provider (IdP).

Supported Providers

FlowStack supports SAML 2.0 SSO with any compliant identity provider:

  • Okta
  • Azure Active Directory (Entra ID)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • Auth0
  • PingFederate
  • Any SAML 2.0 compliant IdP

Setup Overview

  1. Configure FlowStack as a Service Provider (SP) in your IdP
  2. Enter your IdP's SAML metadata in FlowStack
  3. Test the SSO connection
  4. Enable SSO enforcement (optional)

Step-by-Step Configuration

1. Get FlowStack's SP Information

Go to Settings → Security → SSO and copy:

Field            Value
ACS URL          https://app.onflowstack.com/api/v1/auth/saml/callback
Entity ID        https://app.onflowstack.com
Name ID Format   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

2. Configure Your IdP

In your identity provider's admin console:

  1. Create a new SAML application
  2. Enter FlowStack's ACS URL and Entity ID
  3. Set the Name ID to the user's email address
  4. Map attributes:
    • email → User's email (required)
    • firstName → User's first name (optional)
    • lastName → User's last name (optional)
  5. Download the IdP metadata XML (or copy the SSO URL and certificate)

3. Configure FlowStack

Go to Settings → Security → SSO and enter:

  • IdP SSO URL — The login URL from your IdP
  • IdP Certificate — The X.509 certificate (PEM format)
  • IdP Entity ID — Your IdP's entity ID

Or upload the IdP Metadata XML to auto-fill all fields.

4. Test

Click Test SSO Connection to verify the configuration. You'll be redirected to your IdP's login page and back to FlowStack.

5. Enable

Toggle SSO Enabled to activate. Optionally enable Enforce SSO to require all users to authenticate via SSO (disabling email/password login).

User Provisioning

Just-in-Time (JIT) Provisioning

When SSO is enabled, new users are automatically created in FlowStack when they first sign in through your IdP. They're assigned the default role (Editor) unless configured otherwise.

SCIM Provisioning (Enterprise)

For automatic user lifecycle management:

  • Create/update/deactivate users from your IdP
  • Sync group memberships to FlowStack roles
  • SCIM 2.0 endpoint: https://app.onflowstack.com/api/v1/scim

Availability

SSO is available on Enterprise plans only. Contact support@onflowstack.com for Enterprise pricing.