SAML SSO is included with Enterprise plans and is available to Enterprise organizations. If you’d like to upgrade to an eligible account, please contact Sales. When enabled, SAML SSO currently applies to the whole organization and is not available on a per-team or per-user basis.
How it works
The SSO user experience for organization members is outlined in the sections below.
Members of an SSO organization
Members of an SSO-enabled organization have an email address that includes the organization's email domain, for example, @flowcode.com, that was configured during the SSO setup. You can think of these members as internal members of the organization. Members of an SSO organization experience the following process:
1. User submits the Flowcode login form with their email address.
2. User is redirected to the configured IdP.
3. The IdP authenticates the user and then redirects the user to the Flowcode platform.
External members
An external member is anyone in the organization using an email address on a different domain than what's configured for SSO, for example, @gmail.com. New and existing external members of the organization are not affected when SSO is enabled. External users are not redirected to the configured IdP and experience no change in behavior when logging in. External members experience the following process:
1. User submits the Flowcode login form with their email address.
2. User is authenticated and taken to their Flowcode platform.
Manage users
Flowcode organization administrators can manage members and teams in the My Org section of the platform. Access can also be directly provisioned through your SSO configuration.
Configure your IdP
Refer to your IdP for general SAML 2.0 setup instructions. Additionally, you will need to enter the following info:
Single Sign-on URL: https://authn.flowcode.com/auth/saml/callback
Audience Restriction / SPEntity: Flowcode
Group Attribute Statements: [insert group attribute statements]
  Name: groups
  Filter: .*
Using this information, create a new SAML application for provisioning access to Flowcode with your IdP. Once you have set up the new SAML application, share the XML file with the metadata for the application and its SSO configuration with the Flowcode team so that we can complete the setup for your organization.
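A pre-flight check for the settings above, added here as an example (it is not Flowcode's code): it parses a SAML response, such as one copied from your IdP's assertion preview if it offers one, and reports where it differs from the Single Sign-on URL, Audience Restriction and groups attribute listed on this page. The sample response is constructed, and the check compares configuration values only; it does not validate signatures.

```python
import xml.etree.ElementTree as ET

# Values from this page's "Configure your IdP" section.
ACS_URL = "https://authn.flowcode.com/auth/saml/callback"
AUDIENCE = "Flowcode"
GROUP_ATTR = "groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: unsigned, trimmed response with a made-up user and group.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://authn.flowcode.com/auth/saml/callback">
 <saml:Assertion>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://authn.flowcode.com/auth/saml/callback"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>Flowcode</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>marketing</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text):
    """Return a list of mismatches between a response and this page's settings."""
    root = ET.fromstring(xml_text)  # only feed it output from your own IdP
    problems = []
    dest = root.get("Destination")  # optional attribute: checked only if present
    if dest is not None and dest != ACS_URL:
        problems.append("Destination is not the Single Sign-on URL")
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if recipients != [ACS_URL]:
        problems.append("Recipient is not the Single Sign-on URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:  # compared as an exact, case-sensitive string
        problems.append("Audience Restriction does not include " + AUDIENCE)
    groups = [(v.text or "").strip()
              for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name") == GROUP_ATTR
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not groups:
        problems.append("no '%s' attribute values sent" % GROUP_ATTR)
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE) or "settings match")
```

With the filter set to .*, every group the user belongs to is sent in the groups attribute, so the preview is also a quick way to see which group names leave your IdP.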
Can I immediately turn SSO on?
The process is quick, but both you and your Client Success Manager have a few things to set up to make it happen. Please allow 7 days of lead time before SSO launch.
Can any member of an organization sign on with SSO?
No, members have to be listed by the company. That is the beauty of SSO: it lets you determine who does and does not get access to Flowcode, instead of manually removing people from orgs. Any employee could attempt to sign up with their email, but if its domain is one we have listed as an SSO client, they will be blocked from signing up with their work account and told to contact an admin from their team.
So if I am on the list for SSO, how do I log in?
You log in exactly how you normally would. Visit flowcode.com/signin. When you enter your email, the password part of the login form will disappear and you will be prompted to click SSO. This will work whether or not you have logged in before.
If I make a code on the homepage generator and then try to create an account, and I am in an SSO company, what happens?
You will lose the code you created, but you will be able to log in to your new account.
Are admins and members treated differently for this?
No, if you are invited as an admin you will be an admin when you first sign in via SSO. If you were invited as a member, it will be the same.
What happens if I leave the company of an SSO-enabled org?
Your IT department will remove you from the Identity Provider (Azure/Okta), so you lose access to all of your applications, Flowcode included. But while you won’t be able to access your account, we still recommend that the Org Admin manually remove you from the org so all your assets get transferred back to the admin.
Troubleshooting
Logging in using email and password
If you are a member of an SSO organization and you enter an email address with your organization’s email domain when logging in, you will automatically be rerouted to your IdP and will not be able to log in via email and password.
Logging in using a Google account
If you are a member of an SSO organization and have an email tied to a Google account, you will still be redirected through your IdP if you try to log in using Google social.
If you have questions, please email our support team at [email protected] or reach out to your dedicated Client Success Manager.