What is SSO and how does it work with CA Flowdock?
Single sign-on (or SSO) allows you to consolidate user accounts for multiple online services using a single identity provider. In other words, it makes life easier for your users by giving them only one username and password for all their tools. SSO is also valuable for administrators since user administration needs to be done in only one location.
When you connect your CA Flowdock organization with a supported SSO provider, users will be able to create a new CA Flowdock account and log in to CA Flowdock using their SSO credentials. Administrators can control whether users must use SSO to log in, or whether they may also have a separate password for CA Flowdock. In addition to provisioning, CA Flowdock SSO supports deprovisioning, meaning that access to your CA Flowdock organization is removed when a user is removed in your SSO provider.
When a user tries to log in at www.flowdock.com with an SSO-enabled account, they will be redirected to your SSO provider in order to log in. Similarly, when a user tries to log in using one of CA Flowdock’s apps, they’ll be directed to the (mobile) website of your SSO provider.
What SSO providers does CA Flowdock support?
CA Flowdock supports SSO providers that use the following technologies:
- SAML 2.0 for authentication
- SCIM 1.1 for deprovisioning
CA Flowdock has been verified to work with Okta, OneLogin and Microsoft Active Directory. If you are unsure as to whether your SSO provider is supported, visit our community page for support.
How can I enable SSO for my organization?
In order to enable SSO, your CA Flowdock organization needs to be on the CA Flowdock Enterprise subscription.
To get started, have an admin visit our community page for support. We will send you the configuration details needed to set up CA Flowdock in your SSO service. You will then be able to generate the required configuration details and send them back to us.
Once enabled, existing users can link their CA Flowdock account with their SSO identity using the user account migration page. This page is presented to users when they log in. A link to the page can also be found in your organization’s users list. The users list will show which users have linked their account to their SSO identity. The CA Flowdock user account for new users will be created when they log in for the first time.
During the transition period, users will be able to log in to CA Flowdock using both their SSO identity and their CA Flowdock password. Once the migration period is over, an administrator can disable CA Flowdock password logins and may remove those users who haven’t migrated from the organization. These users will be able to rejoin the organization when they complete the migration.
How does CA Flowdock handle the removal of a user?
CA Flowdock user sessions are kept alive for a long time. With a normal login, as long as the user opens CA Flowdock once every two weeks, they will stay logged in. If a user selects “Remember me” when they log in, their sessions will stay alive for three months. This is done on purpose: people use CA Flowdock on average over 7 hours a day, and forcing them to log in often hurts usability.
Because of the rarely expiring sessions, CA Flowdock supports deprovisioning. When a user is removed from an SSO provider, they will be removed from the SSO-enabled CA Flowdock organization at the same time. They will also be removed from any possible child organizations. If the user is logged in to CA Flowdock, they will no longer be able to access any flows or people that are in your organization. If their SSO account is re-enabled, they can rejoin with their old CA Flowdock account.
Some SSO providers support suspending user accounts and reflect this through SCIM too. Suspending a user will log them out of all of their sessions, which will require them to reauthenticate through the SSO provider.
Note that not all SSO providers support SCIM for deprovisioning. Deprovisioning is not supported with providers that lack SCIM support. CA Flowdock support will happily help clarify whether SCIM is supported with a specific SSO provider or not.
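When a provider has no SCIM support, removing or suspending a user there does not reach CA Flowdock, so the rarely expiring sessions described above keep working until someone removes the account by hand. The Python below is an added example, not CA Flowdock code: it compares a roster exported from the identity provider with the organization's users list and sorts accounts into review buckets. The CSV columns and sample rows are constructed assumptions, not a documented export format.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example,
# not a documented CA Flowdock or identity-provider export format.
IDP_ROSTER = """email,status
alice@example.com,active
bob@example.com,suspended
"""

FLOWDOCK_USERS = """email,sso_linked,is_bot
alice@example.com,yes,no
bob@example.com,yes,no
carol@example.com,yes,no
dave@example.com,no,no
ci-bot@example.com,no,yes
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(idp_csv, flowdock_csv):
    """Sort Flowdock accounts into review buckets against the IdP roster."""
    idp = {r["email"].strip().lower(): r["status"].strip().lower()
           for r in _rows(idp_csv)}
    report = {"remove": [], "suspended_upstream": [], "unlinked": [], "ok": []}
    for row in _rows(flowdock_csv):
        email = row["email"].strip().lower()
        if row["is_bot"].strip().lower() == "yes":
            report["ok"].append(email)                  # intentional non-SSO account
        elif row["sso_linked"].strip().lower() != "yes":
            report["unlinked"].append(email)            # password login still possible
        elif email not in idp:
            report["remove"].append(email)              # gone from IdP, still in Flowdock
        elif idp[email] != "active":
            report["suspended_upstream"].append(email)  # session may still be alive
        else:
            report["ok"].append(email)
    return report

if __name__ == "__main__":
    for bucket, emails in reconcile(IDP_ROSTER, FLOWDOCK_USERS).items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Accounts in the `remove` and `suspended_upstream` buckets are the ones SCIM would have handled automatically; `unlinked` accounts matter once password logins are disabled at the end of the migration period.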
Can I have non-SSO users?
Administrators of an SSO-enabled organization can create non-SSO users from the organization’s users list. These types of accounts can be useful for e.g. bots.
Users who are always allowed to log in using a password or other non-SSO methods (Rally, Google):
- Users in your organization that have no SSO identity connected