Single sign-on (SSO)
What is single sign-on (SSO)?
Single sign-on (SSO) allows users to log in to multiple applications using one set of credentials. Once the user has authenticated through SSO, the other applications treat them as trusted, and they do not need to enter additional passwords.
The SSO login method can also be used for logging into the FaceUp administration. If you enable SSO in your company, members will log in to the FaceUp administration using their company email without having to create and enter a password.
Which SSO platforms do we support?
We support the OpenID protocol. You can connect FaceUp to Azure Active Directory / Microsoft Entra ID, Okta and other platforms.
How to set up SSO?
1. First, you generate three pieces of information through Azure Active Directory (AAD) or another tool:
- Provider URL (If you use Okta, the provider URL is https://XXX.okta.com, where XXX is the Okta company profile.)
- Client ID
- Client Secret
- Redirect URI:
https://www.auth.faceup.com/oauth2/idpresponse (for EU data hosting)
https://www.us-west-1-auth.faceup.com/oauth2/idpresponse (for US data hosting)
https://www.me-central-1-auth.faceup.com/oauth2/idpresponse (for UAE data hosting)
If you don't know the location of your data, you can find it in the FaceUp administration under Settings -> Organization settings.
Tip: Check out the detailed instructions for setting up single sign-on with Azure Active Directory / Microsoft Entra ID
For Okta users, we recommend the Create OpenID Connect app integrations documentation.
2. In the FaceUp administration, go to Settings, where you will find the single sign-on section on the Organization settings tab. Enter the data you have obtained here and confirm with the Save button. SSO can only be used in combination with standard encryption (E2EE encryption cannot be enabled with SSO). Because users do not use a password to log in, it is not possible to set up two-factor authentication at the same time as SSO (except for the member who has enabled SSO).
3. SSO can be turned on and off by a member with access to the main organizational unit and settings. The member who turns SSO on is the only one who continues to log in with an email and password. It is therefore recommended that the main member chooses a really secure password and also secures their account using two-factor authentication, which can be enabled in the FaceUp administration under the My account section (found under the icon with your initials on the bottom left bar) → Security → Two-factor authentication.
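As a pre-flight check before saving the values in step 2, the following added example (not FaceUp's own code) verifies that a provider URL, its discovery document and the redirect URIs registered at the identity provider are consistent. It assumes the provider publishes standard OpenID Connect discovery metadata and that FaceUp uses the authorization code flow; the function names and the sample Okta tenant `example` are hypothetical.

```python
from urllib.parse import urlsplit

# Redirect URIs listed on this page, keyed by data hosting region.
FACEUP_REDIRECT_URIS = {
    "EU": "https://www.auth.faceup.com/oauth2/idpresponse",
    "US": "https://www.us-west-1-auth.faceup.com/oauth2/idpresponse",
    "UAE": "https://www.me-central-1-auth.faceup.com/oauth2/idpresponse",
}

def discovery_url(provider_url):
    """Standard OIDC discovery location for a provider (issuer) URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"

def check_sso_settings(provider_url, discovery_doc, registered_redirects, region):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(provider_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("provider URL must be an absolute https:// URL")
    # The advertised issuer must match the provider URL (trailing slash ignored here).
    if discovery_doc.get("issuer", "").rstrip("/") != provider_url.rstrip("/"):
        problems.append("issuer in discovery document does not match provider URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(discovery_doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Assumption: a client secret plus redirect URI implies the authorization code flow.
    if "code" not in discovery_doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    expected = FACEUP_REDIRECT_URIS.get(region)
    if expected is None:
        problems.append(f"unknown data hosting region: {region}")
    elif expected not in registered_redirects:
        # Identity providers compare redirect URIs exactly, so no normalisation here.
        problems.append(f"redirect URI for {region} hosting is not registered: {expected}")
    return problems

# Constructed sample: discovery metadata for a fictional Okta tenant named "example".
SAMPLE_DOC = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    # US redirect registered while the data is hosted in the EU: one problem reported.
    print(check_sso_settings("https://example.okta.com", SAMPLE_DOC,
                             [FACEUP_REDIRECT_URIS["US"]], "EU"))
```

In practice the discovery document would be fetched from `discovery_url(provider_url)` and the registered redirect URIs copied from the app registration in the identity provider.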
When SSO login doesn't work
If you get the error message "You can’t sign in with this email with SSO." when logging into the FaceUp administration after setting up single sign-on, these are the most common reasons:
- The user is not added as a member in the FaceUp administration.
- The user didn't click the link sent via email and didn't complete the SSO setup.
- The user is the primary member who set up SSO, who does not log in via SSO.