Overview
We encourage all customers to integrate with our platform using a single sign-on (SSO). There are two main ways SSO can be set up:
SP initiated: The user goes to the FundApps login page, enters his/her email, and gets redirected to the Identity Provider for authentication. This requires users to type in email but no password.
IDP Initiated: The user goes to their SSO first and chooses the link to FundApps to login
This article has two sets of steps to follow - pick the set of steps based on your identity provider. Follow the General Steps for any identity provider other than ADFS. Follow the ADFS-specific steps if you are using ADFS as your identity provider.
Technical Notes Before Beginning
FundApps supports both IdP-initiated and SP-initiated sign-in.
Accounts are matched using an email address.
Provisioning of accounts (including allocation of user roles) is performed manually within FundApps itself.
SAML requests must be signed with SHA256 (both the digest and the signature).
Which Single Sign-On connections are supported?
FundApps supports five types of Single Sign-On:
OKTA
Azure AD Web Application
AzureAD SAML 2.0
SAML 2.0
ADFS
Where can I configure Single Sign-On?
Log in to your FundApps platform and navigate to the Administration (๐ ๏ธ) icon, click on the Setup drop-down list, and select SSO.
Note: Users who previously had two-factor authentication active would have to re-enable it. The current 2FA setup would be hosted by auth0. Please refer to this article on how to set up two-factor authentication.
Where can I find help on how to configure Single Sign-On?
Please refer to the relevant page below for instructions on setting up your Single Sign-On connection.
How do I make sure my new SSO connection works?
Once a new SSO connection has been set up, it can be tested by pressing the Try button.
You will be taken to your IDP and asked for your credentials. Upon entering your credentials, one of the following things will happen:
If everything has been set up correctly both in FundApps and in your IDP, you will see a success message.
If anything is incorrect on the IDP side, you will see an error message from your IDP.
If anything is incorrect on the FundApps side, you will see an error message coming from the auth.fundapps.co domain.
Once the connection has been set up successfully, if you are already on the new login experience, you will see a new button on the FundApps login page that can be used to log in with SSO. See the example below.
The old login experience looks like this:
The new login experience will look like this:
How do I make Single Sign-On Mandatory to log in to FundApps?
Follow the instructions laid out in this article, Configuring Mandatory Single Sign-On.