Setting up Single Sign-On in the Formstack Administration Panel
The following is a guide for Organization Admin Users looking to configure single sign-on for their Formstack account to manage users.
Please note: Admin and Standard users can be setup with SSO configuration abilities (Check out this article for more information on editing users)
Article Contents:
Full Walkthrough Video
Step by Step Setup Instructions
- Require Login Via SSO
- Auto Redirect to Identity Provider
- Enable User Creation via SSO
- Enable Quiet Creation
- Bypassing Formstack 2FA
Full Walkthrough Video
Here is a video that walks through the whole process. Below the video is a step by step walk through for a more granular approach.
Step by Step Setup Instructions
- Once you’re logged in as the Admin User on your Account, navigate to the “Single Sign-On’ tab within the Admin panel of your account. Here you will see the main options for setup including; Claiming a Domain, Adding an Authentication Provider, and using Built in Providers (Google/Apple).
Claim a Domain
- You will first want to claim a domain. We have a detailed breakdown of how to do this in this article
Add an Authentication Provider
Note - The next few steps will be unique depending on your identity provider. Check out the following reference articles to continue with the setup.
- SAML for Single Sign-In Login and User Management
- Microsoft Entra ID SSO setup guide (Formerly known as Azure AD)
- OpenID Connect for Single Sign-In Login and User Management
- Troubleshooting SSO
- Start by clicking, "Add Provider". You will be presented with the next screen that will have you select if you are using SAML, or OpenID Connect.
- You will then be presented with the authentication provider configuration.
- Enter the name the provider. This is what will be displayed on the main SSO administration page once created.
- You will notice that your claimed domains are visible in this setup screen.
- You then want to import your Identity Provider metadata. (This can be done via URL, metadata file, or manual entry)
- You can also see our Service Provider metadata on right side of this page.
- Make sure to click "Save Provider" once you have successfully added a display name and imported your metadata.
- Your authentication provider will now be visible on the main SSO configuration page.
- Make sure to toggle on the "Show on Login" button that appears on the right side of your newly added provider. A "Ready to Activate" notice will show until you toggle the button to on.
- This toggle activates the setup and allows it to be displayed when your users access the main login page for Formstack. Once they enter their email, they will be presented with an option to "Login With (Your Provider Name You Created)".
Built in Providers (Google and Apple)
- This option is displayed on the main SSO admin page and will allow your users to login to your Formstack org using their Google, or Apple logins. Please refer to this article for a deeper dive into how the authentication process looks like when using this option.
- If you would like to remove these options on the main Formstack login screen, you can easily toggle off the "Show on Login" button under the built in provider section on the main SSO admin page.
Optional / Additional Settings
Require Login via SSO
- This optional setting requires any users in your organization with an email matching your claimed domain(s) to log in to Formstack using your SSO authentication provider and won’t see a password field when logging in. Organization Admins will still be able to access the Formstack platform using their Formstack credentials as well as via their SSO credentials.
Auto-redirect to Identity Provider
- This option will auto-redirect non-admin users to your identity provider on login after they input their email address. This streamlines the login experience and reduces the amount of clicks on the login page a user will make.
Note: Enabling the "Require Login via SSO" setting will no longer cause users on other organizations with email addresses matching your claimed domains to be blocked from logging in.
Enable User Creation via SSO
- When the ‘Enable user creation via SSO’ feature is enabled, any member of your org who tries to log in to your org using your authentication provider will become a user on your account based on the roles specified in the settings.
Note - You can not create users if you are using the built in provider option (Apple and Google) User creation is only available via a provider your org owns.
Enable Quiet User Creation
- This option will allow you to auto-accept a new Formstack user within your account and skip user invite or password reset emails.
Bypassing Formstack 2FA
This setting, when enabled, allows accounts who enforce two-factor authentication with their SSO provider to bypass Formstack's 2FA when logging in - even if Formstack 2FA is enforced at the organization level. This will prevent users from being asked to use 2FA twice - once by Formstack and once by their SSO provider. This setting can be found under your provider after setup.