How to Set Up Single Sign-On (SSO)
We encourage all customers to integrate with our platform using single sign-on. The instructions below explain how to set up Single Sign-On.
How does SSO Work?
There are two main ways SSO can be set up:
1) SP-initiated: The user goes to the FundApps login page, enters their email, and is redirected to the Identity Provider for authentication. This requires users to type in their email but no password.
2) IdP-initiated: The user goes to their SSO first and chooses the link to FundApps to log in.
This article has two sets of steps to follow - pick the set of steps based on your identity provider. Follow the General Steps for any identity provider other than ADFS. Follow the ADFS-specific steps if you are using ADFS as your identity provider.
Technical notes before we begin:
- FundApps supports both IdP-initiated and SP-initiated sign-in.
- Accounts are matched using an email address.
- Provisioning of accounts (including allocation of user roles) is performed manually within FundApps itself.
- SAML requests must be signed with SHA256 (both the digest and the signature).
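A quick way to confirm the SHA256 requirement above on a captured SAML message, as an added example that is not FundApps code. It assumes the signature is embedded in the XML as a `ds:Signature` element; the function name and the sample message are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML-DSig algorithm URIs that use SHA-256.
SHA256_SIGNATURES = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

def check_sha256(saml_xml):
    """Return a list of problems; an empty list means every signature uses SHA-256.

    This only inspects the declared algorithms. It does not verify the signature.
    """
    root = ET.fromstring(saml_xml)
    signatures = list(root.iter(DS + "Signature"))
    if not signatures:
        return ["message is not signed (no ds:Signature element)"]
    problems = []
    for n, sig in enumerate(signatures, 1):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg not in SHA256_SIGNATURES:
            problems.append(f"signature {n}: SignatureMethod is {alg}")
        digests = sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
        if not digests:
            problems.append(f"signature {n}: no DigestMethod found")
        for digest in digests:
            if digest.get("Algorithm") != SHA256_DIGEST:
                problems.append(f"signature {n}: DigestMethod is {digest.get('Algorithm')}")
    return problems

# Constructed sample: only the elements this check reads, not a complete SAML message.
TEMPLATE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig}"/>
    <ds:Reference URI="#_constructed"><ds:DigestMethod Algorithm="{dig}"/></ds:Reference>
  </ds:SignedInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    # A SHA-256 signature over a SHA-1 digest still fails the requirement.
    mixed = TEMPLATE.format(
        sig="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        dig="http://www.w3.org/2000/09/xmldsig#sha1",
    )
    for problem in check_sha256(mixed):
        print(problem)
```

For messages from an untrusted source, parse with a hardened XML parser before running a check like this.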
Which Single Sign-On connections are supported?
FundApps supports five types of Single Sign-On:
- Okta
- Azure AD Web Application
- Azure AD SAML 2.0
- SAML 2.0
- ADFS
Where can I configure Single Sign-On?
Log in to your FundApps platform and navigate to the Administration (🛠️) tab, click on the Setup drop-down list, and select SSO.
Note: Users would have to re-enable Two-Factor Authentication if they previously had Two-Factor Authentication active. The current 2FA setup would be hosted by auth0. Please refer to this article on how to set up Two-Factor Authentication.
Where can I find help on how to configure Single Sign-On?
Please refer to the relevant page below for instructions on setting up your Single Sign-On connection.
FundApps SSO Connection - Okta
FundApps SSO Connection - Azure AD Web Application
FundApps SSO Connection - Azure AD SAML 2.0
FundApps SSO Connection - SAML 2.0
FundApps SSO Connection - ADFS
How do I make sure my new SSO connection works?
Once a new SSO connection has been set up, it can be tested by pressing the “Try” button.
You will be taken to your IdP and asked for your credentials. Upon entering your credentials, one of the following things will happen:
- If everything has been set up correctly both in FundApps and in your IdP, you will see a “Success” message.
- If anything is incorrect on the IdP side, you will see an error message from your IdP.
- If anything is incorrect on the FundApps side, you will see an error message coming from the auth.fundapps.co domain.
Once the connection has been set up successfully, if you are already on the new login experience, you will see a new button on the FundApps login page that can be used to log in with SSO. See the example below.
The old login experience looks like this:
The new login experience will look like this:
How do I make Single Sign-On Mandatory to log in to FundApps?
Configuring Mandatory Single Sign-On