Introduction
This article explains how to set up SSO (single sign-on) between your Identity Provider (IDP) and fynk in no time.
Prerequisites
To establish SSO login capabilities with fynk, you can use any Identity Provider (IDP) that supports SAML2, such as Entra ID (Azure AD), Okta, or Google Workspace.
You will need assistance from an IDP Admin to set up SSO. Additionally, a user with the "Admin" or "Owner" role in fynk is required to access the SSO setup page.
This setup process can be completed by two individuals working together: a fynk account owner or admin and an IDP admin. Alternatively, it can be done by an IDP admin who also has a fynk user account with "Admin" or "Owner" role. If the IDP admin only needs access temporarily for the SSO setup, you can remove their user account afterward.
Any fynk user with an "Admin" or "Owner" role can invite the IDP admin as a user.
How to configure SSO in fynk
To access SSO configuration settings within your fynk account, go to your account settings:
Now, switch to the "Integrations" Tab and click on "Configure":
You will now see the SSO configuration:
For your IDP, you will only need the ACS URL and the SP Entity ID URL.
If you provide a metadata URL from your IDP, everything you need will be set up automatically, which is the most convenient way.
The Metadata URL has another big advantage: the metadata is synced regularly, so you will never have to change your certificate manually.
How to set up SSO with Entra ID (Azure AD)
Setting up SSO between Entra ID and fynk is really simple.
First you need to create a new non-gallery enterprise application. You can do so by navigating to the Entra Gallery and clicking on [+ Create your own application]:
Then, in the menu on the right, select [Non-gallery] application and give it a name (fynk would be great 🤩)
Afterwards, hit the button on the bottom of the menu.
The app is now created and can be used to configure SSO. For this, enter the app and click on [Set up single sign on]:
Select [SAML]:
You will see a screen like below. Click on [Edit] to the right of step one:
Here, just add an Identifier and a reply URL. Copy these from your fynk application:
The ACS URL from fynk needs to be copied to the [reply URL] field in Entra ID.
The SP Entity ID URL from fynk needs to be copied to the [Identifier(Entity ID)] field in Entra ID.
After that, you need to copy the Federation Metadata URL from Entra ID:
And copy it into the [Metadata URL] field in fynk:
After that, just click the button next to the Metadata URL in fynk.
Now just hit the button to save the configuration.
Everything should be working now. Remember that users/groups might need to be added to the enterprise application in order to be granted access.
All permitted fynk users should now be able to log in via https://app.fynk.com/sso/login
In some cases you will also need to manually map the attribute SubjectNameID to the user's email address (since the user will be identified via the email address and the mapping will be done via SubjectNameID).
How to set up SSO with Okta
Setting up SSO between Okta and fynk is really simple.
First you need to create a new application in Okta. You can do so by navigating to the admin section within Okta and clicking on [Add App]:
Then, on the next screen, select [Create New App] and give it a name (fynk would be great 🤩)
In the next step, select SAML 2.0 and click next:
You will see a screen like below. Here, just add an Identifier and a reply URL. Copy these from your fynk application. You can easily copy them using the buttons on the right:
The ACS URL from fynk needs to be copied to the [Single sign-on] field in Okta.
The SP Entity ID URL from fynk needs to be copied to the [Audience URI(SP Entity ID)] field in Okta.
After that, you need to copy the Federation Metadata URL from Okta:
And copy it into the [Metadata URL] field in fynk:
After that, just click the button next to the Metadata URL in fynk.
Now just hit the button to save the configuration.
Everything should be working now. Remember that users/groups might need to be added to the Okta application in order to be granted access.
All permitted fynk users should now be able to log in via https://app.fynk.com/sso/login
In some cases you will also need to manually map the attribute SubjectNameID to the user's email address (since the user will be identified via the email address and the mapping will be done via SubjectNameID).
Enforcing SSO Login
After you've successfully set up SSO with the Identity Provider of your choice, you can enforce login via SSO. Once enforced, users can no longer log in with their normal user/password combination, which means you can restrict things like:
From which devices the users can log on
From which network the users can log on
Which users are generally permitted to log on
and much more.
Enforcing SSO login is only possible when:
you are logged in via SSO
AND
you have the "Admin" or "Owner" role.
Now you just need to visit the Single Sign On settings in fynk and hit [Enforce SSO].