Single sign-on (SSO)

Implement secure authentication for your team.

Felt provides Single Sign-On (SSO) functionality for Enterprise workspaces. This enables IT to easily manage access through a single authentication source. Felt’s SSO is built upon the SAML 2.0 standard.

This feature is only available on the Enterprise plan. to upgrade.

Requirements

Your workspace is on the Enterprise Plan
You are an admin in your Felt workspace
You have an Identity Provider (IdP) that supports SAML 2.0
You are an admin in your Identity Provider

Supported Identity Providers

Okta
Google
Entra
OneLogin
JumpCloud
Duo
Rippling
Generic SAML 2.0 capable provider

Quick Overview

Enable SSO on for your Enterprise workspace
Configure the SAML connection between Felt and your IdP
- You’ll share 3 fields from your IdP with Felt
- You’ll share 3 fields from Felt with your IdP
- You’ll configure 3 SAML attributes to be shared with Felt
Configure your Felt Enterprise SSO settings

Detailed Steps

Navigate to your Felt workspace, click “Settings”, then “Workspace”
Click “Enable SSO for yourdomain.com” under “Enterprise SSO”
You’ll be asked to confirm that you have admin access inside your IdP. Click “Configure SAML”
In the new tab that has been opened, select your Identity Provider
You will be now guided through a series of steps to configure the SAML connection between Felt and your IdP. These steps may vary between Identity Providers, so follow the details provided in the guide.
1. Create a SAML app inside your IdP
2. Provide the 3 requested fields from your IdP
  1. SAML 2.0 Endpoint
  2. Issuer URL / Entity ID
  3. Certificate
3. Enter the 3 provided fields into your IdP
  1. ACS URL
  2. ACS URL Validator
  3. Audience (EntityID)
4. Configure the 3 required SAML attributes
  1. email
  2. first_name
  3. last_name
5. You can skip Step 5, user role configuration is not used
Click “Finish”
Click “Test Connection” to confirm that the connection was successful
- You may need to add your own user to the new SAML application inside your Identity Provider for this test to succeed.
Click “Finish & go live”
Close the configuration tab and go back to your Felt workspace settings
You may now configure your Felt Enterprise SSO settings
- “Require SSO login”
  - This setting requires that all users on your email domain must login using SSO
  - Users will no longer be able to login using a password if they already had one
  - Admin users are always exempt from this restriction
- “Automatically invite new users”
  - When this setting is on, new users that login to your email domain using SSO will be automatically invited to your Workspace.
    If you reach your member/editor limit, additional logins will create Felt user accounts, but they won’t be added to your Workspace.
  - They will be invited at the “Default permission level” you have set in the “Joining the workspace” section
Inside your IdP, assign users you wish to have Felt access to the new SAML application that was created. Only users you assign will be able to login to Felt.

Frequently Asked Questions

Can users on other email domains still access my Workspace?

Yes. You can still invite users from different email domains to your Workspace. This is true even if you enable “Require SSO login”. That setting only applies to users on your configured SSO email domain.

If I de-provision a user in my Identity Provider, will they automatically be removed from Felt?

No. Felt’s Enterprise SSO implementation supports SAML, which handles access, but not SCIM, which handles automatic provisioning. If you want to remove a user from Felt, you can manually remove them from your Workspace, and their maps will be transferred to an Admin user.

PreviousFor classrooms NextRegional hosting

Last updated 2 months ago

Was this helpful?

Detailed Steps

Navigate to your Felt workspace, click “Settings”, then “Workspace”

Click “Enable SSO for yourdomain.com” under “Enterprise SSO”

You’ll be asked to confirm that you have admin access inside your IdP. Click “Configure SAML”

In the new tab that has been opened, select your Identity Provider

You will be now guided through a series of steps to configure the SAML connection between Felt and your IdP. These steps may vary between Identity Providers, so follow the details provided in the guide.

Create a SAML app inside your IdP
Provide the 3 requested fields from your IdP
1. SAML 2.0 Endpoint
2. Issuer URL / Entity ID
3. Certificate
Enter the 3 provided fields into your IdP
1. ACS URL
2. ACS URL Validator
3. Audience (EntityID)
Configure the 3 required SAML attributes
1. email
2. first_name
3. last_name
You can skip Step 5, user role configuration is not used

Click “Finish”

Click “Test Connection” to confirm that the connection was successful

You may need to add your own user to the new SAML application inside your Identity Provider for this test to succeed.

Click “Finish & go live”

Close the configuration tab and go back to your Felt workspace settings

You may now configure your Felt Enterprise SSO settings

“Require SSO login”
- This setting requires that all users on your email domain must login using SSO
- Users will no longer be able to login using a password if they already had one
- Admin users are always exempt from this restriction
“Automatically invite new users”
- When this setting is on, new users that login to your email domain using SSO will be automatically invited to your Workspace.
  - If you reach your member/editor limit, additional logins will create Felt user accounts, but they won’t be added to your Workspace.
- They will be invited at the “Default permission level” you have set in the “Joining the workspace” section

Inside your IdP, assign users you wish to have Felt access to the new SAML application that was created. Only users you assign will be able to login to Felt.

Frequently Asked Questions

Can users on other email domains still access my Workspace?

If I de-provision a user in my Identity Provider, will they automatically be removed from Felt?