Single sign-on (SSO)


🚩 Caution: Changes to SSO settings can affect all users on your platform and their ability to access Front. Please contact us for assistance before making this transition if you have any questions.

Overview

Single sign-on is an authentication protocol that allows you to sign in to multiple applications through one centralized authentication. Front supports single sign-on (SSO) using any SAML-based identity provider (IdP).

The setup guides for specific IdPs are below:


Prerequisites

  • You will need administrative access to your respective IdP

  • You must be a Front company admin

  • You must have the Scale plan or above with Front


Enable single sign-on

Step 1

Click the gear icon on the top right of Front and go to the Company settings tab. Select Preferences, then click the Single sign on tab.

Step 2

Use the dropdown and select the SAML option. This is currently the only option available to enable SSO in Front.

Front will ask you to provide the following information:

  • Entry point: the URL of your identity provider that will receive authentication requests.

  • Authentication request binding: the method Front uses to send the authentication request to your identity provider (HTTP Redirect or HTTP Post).

  • Requested authentication context: the authentication method Front will request the user follow. Select Disabled if users follow any method other than PasswordProtectedTransport. Disabled is also recommended for teams using Microsoft Entra ID as their IdP.

  • Signing certificate: to verify the signature of the responses received by our Service Provider.

Click Save.

Step 3

Front will automatically provide the values you need to add Front as a SAML 2.0 Service Provider to your identity provider.

You'll see the following fields in a new Service provider settings section:

  • Entity ID: the identifier of our Service Provider.

  • ACS URL: the URL of our Service Provider which will receive the SAML assertions.

  • Name ID Format: the format of the name ID to use in SAML assertions.

  • Encryption certificate: the certificate to encrypt SAML assertions.
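
Many IdPs publish the Step 2 values in a SAML metadata XML file. The following added example (not Front's code) reads such a file and returns the Entry point, Authentication request binding and Signing certificate, plus a SHA-256 fingerprint of the certificate that also helps tell the old and new certificates apart during a certificate update. The function name `front_sso_fields`, the `idp.example.test` hostnames and the certificate bytes are constructed for illustration, and the metadata is assumed to come from your own IdP's admin console.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
URN = "urn:oasis:names:tc:SAML:2.0:bindings:"
BINDINGS = {URN + "HTTP-Redirect": "HTTP Redirect", URN + "HTTP-POST": "HTTP Post"}

def front_sso_fields(metadata_xml, prefer="HTTP Redirect"):
    """Map IdP metadata to the Entry point, binding and Signing certificate fields."""
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {BINDINGS[e.get("Binding")]: e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)
                 if e.get("Binding") in BINDINGS}
    if not endpoints:
        raise ValueError("IdP offers neither HTTP Redirect nor HTTP Post")
    binding = prefer if prefer in endpoints else sorted(endpoints)[0]
    if not endpoints[binding].startswith("https://"):
        raise ValueError("entry point is not HTTPS: " + endpoints[binding])
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key; a missing 'use' means both purposes
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((node.text or "").split())
            der = base64.b64decode(b64, validate=True)  # rejects corrupted base64
            pem = "\n".join(["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64),
                             "-----END CERTIFICATE-----"])
            certs.append({"pem": pem, "sha256": hashlib.sha256(der).hexdigest()})
    if not certs:
        raise ValueError("metadata contains no signing certificate")
    return {"entry_point": endpoints[binding], "binding": binding,
            "signing_certificates": certs}

# Constructed sample, trimmed to the elements the parser reads; not a real IdP or cert.
SIGNING_DER = b"constructed-signing-cert-bytes"
SIG, ENC = (base64.b64encode(b).decode() for b in (SIGNING_DER, b"constructed-enc-cert"))
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="encryption"><ds:X509Certificate>{ENC}</ds:X509Certificate></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:X509Certificate>
    {SIG}
  </ds:X509Certificate></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{URN}HTTP-POST" Location="https://idp.example.test/sso/post"/>
  <md:SingleSignOnService Binding="{URN}HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

If the metadata lists more than one signing certificate, which is common while an IdP rotates keys, all of them are returned so you can pick the one your IdP currently signs with.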


Update the SSO certificate

Making changes to your team’s SSO configuration doesn’t invalidate existing sessions or log teammates out, but it will affect any new sign-on. Before proceeding:

Recommendations

  • Keep a copy of the certificate you’re replacing in case the new one is invalid.

  • Keep one admin session signed in while testing the new certificate to avoid being locked out.

Instructions

Step 1

Click the gear icon on the top right of Front and go to the Company settings tab. Select Preferences, then click the Single sign on tab.

Step 2

Update the Signing certificate and click Save.

Step 3

Test sign-on with another account.


Disable single sign-on

Step 1

Click the gear icon on the top right of Front and go to the Company settings tab. Select Preferences, then click the Single sign on tab.

Step 2

Use the dropdown menu at the top to select Disable.

Step 3

Click Save to confirm your changes.

Your users may need to follow the "forgot password" workflow or set up OAuth (Sign in with Google or Office 365) upon their next login. See this article to learn more.


FAQ

How is this different from signing in with Google/Office 365?

The options on our login page (pictured below) utilize the OAuth standard similar to when you click Sign in with Google on any other website. The configuration described in this article is for a SAML-based authentication.

If you are interested in signing in with SSO using OAuth, simply select the Sign in with Google or Sign in with Office 365 option on the login page. Company admins can also require all teammates to sign in using OAuth by following the steps here.

Can I enable SSO just for a few users?

No. SSO can only be enabled at the company level and will require all users to authenticate using their IdP from that point forward.

Will users be logged out once I enable SSO?

Users are not automatically logged out by enabling SSO. Once you enable SSO, a user will be redirected to your SSO provider upon their next login attempt (as shown below). While a user will not be forced to log out of their existing session, they may encounter a session timeout if their idle time matches your company settings.

Does my email in Front need to match the email in my identity provider?

Generally speaking, yes. However, some providers give you the ability to configure custom mappings, such that the email address associated with your user profile in Front may not need to match the one configured in your IdP. It is recommended that you ensure each user's login email is updated to match your IdP before enabling SSO.

Can I utilize a shared login email after I enable SSO or bypass SSO just for this one account?

While you can't bypass SSO for any account once enabled in Front, many providers give you the ability to utilize custom mappings for scenarios like this. Check directly with your provider to see if they support this type of configuration.

Can I sign in through any other URLs if I can't access my identity provider?

We do not provide a backup login URL where users can sign in using their normal username and password. If you are unable to access the platform and have enabled SSO through an IdP, please contact us.

Which Microsoft Entra subscription supports Front's SSO?

All versions of Microsoft Entra ID support SSO. The only difference would be the number of SSO integrations you can have on your side: 10 vs. unlimited.

Do you support user provisioning through an IdP?

User provisioning is fully supported for the Identity Providers (IdPs) listed here.

Front SCIM user provisioning functionality is accessible on Microsoft Entra ID P1 or Microsoft Entra ID P2 plans. See Microsoft's documentation for more information.

What should we expect when changing our Identity Provider (IdP) with SSO enabled in Front?

When changing your IdP, you’ll need to update your Single Sign-On (SSO) configuration settings in Front to match the new provider’s details, including certificates and SAML settings. Generally, this change won’t affect other features, like email channels, as SSO manages authentication, while Front manages authorization through OAuth tokens. However, if any tokens are invalidated during the switch, re-authorization may be needed.

It’s also a good idea to review any IdP-specific settings or roles that might impact Front, especially if there are changes to user groups within your new IdP. If you’re using user provisioning, ensure that user roles, groups, and access levels are correctly mapped in the new IdP to maintain seamless access to Front.


Pricing

This feature is available on the Scale plan or above. Some legacy plans may also have this feature.