# Security & SSO Overview
FrontLine supports enterprise Single Sign-On (SSO) alongside native email/password authentication. Tenant administrators configure authentication policies, SSO providers, and MFA requirements from Settings → Security & SSO.
## Authentication modes

| Mode | Description |
|---|---|
| Enterprise SSO — OIDC | OAuth 2.0 + OpenID Connect with PKCE. Recommended for most providers. |
| Enterprise SSO — SAML 2.0 | SP-initiated and IdP-initiated SAML assertion flows. |
| Native email/password | Built-in login with mandatory MFA. Available when SSO is not enforced or for break-glass accounts. |
## Supported identity providers (Wave 1)

- Microsoft Entra ID (OIDC and SAML)
- Okta (OIDC and SAML)
- Google Workspace (OIDC and SAML)
- Custom OIDC provider (via discovery URL)
- Custom SAML 2.0 provider (via metadata XML)
## Tenant authentication policies

These settings control how users in your tenant authenticate:

| Setting | Default | Description |
|---|---|---|
| Enforce SSO | Off | When enabled, native email/password login is blocked for all users except break-glass accounts. |
| Allow native break-glass | Off | Permits designated admin accounts to use native login even when SSO is enforced. |
| MFA required | On (native accounts) | MFA is mandatory for every native login session; the setting can be raised so that SSO sessions also require MFA. |
| Device trust | On | After a successful MFA challenge, lets users skip MFA on that device for the device trust TTL (30 days by default). |
| Device trust TTL | 30 days | How long a trusted device cookie remains valid (1–90 days). |
| JIT provisioning | Off | Automatically create FrontLine user accounts on first SSO login. |
## Pre-configuration checklist

Before setting up SSO, confirm the following:

- You have admin access to your identity provider (Entra ID, Okta, Google Workspace, or custom).
- You know which email domains should route to the SSO provider.
- You have decided whether to enforce SSO (block native login) or allow both.
- You have identified any break-glass accounts that need native login access when SSO is enforced.
- You have decided on a default role for JIT-provisioned users (if enabling JIT).
## Go-live checklist

After configuring your SSO provider:

- Test with a pilot user — log in via SSO with one account before enforcing for all users.
- Verify claim mappings — confirm that email, first name, and last name are mapped correctly.
- Check JIT provisioning — if enabled, verify the new user record is created with the correct default role.
- Enable enforcement — once tested, set Enforce SSO to block native login for non-break-glass users.
- Communicate to users — notify your team of the new login flow and the SSO provider they should use.
- Verify break-glass access — confirm designated admin accounts can still log in via native email/password.
> **Tip:** Start with SSO enforcement off during initial setup. Enable it only after confirming SSO login works for at least one user.
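The policy table and the go-live checklist describe how Enforce SSO, break-glass, MFA, device trust and JIT provisioning interact, but only in prose. The model below is an added example (not FrontLine's own code) that evaluates a login attempt against those settings and runs the scenarios a pilot should exercise: native login under enforcement, break-glass under enforcement, a trusted device inside and outside its TTL, JIT creation of an unknown user, and an assertion with incomplete claim mappings. Class names, the claim names `given_name`/`family_name` for first/last name, the role name `member`, and the rule that device trust also applies to the elevated MFA setting are assumptions; the scenario inputs are constructed.

```python
"""Policy-evaluation model for the tenant authentication settings on this page.

Added example, not FrontLine's own code: the class names, the claim names
(given_name/family_name for first/last name) and the order of the checks are
assumptions built from the settings table above.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "current time" so the constructed scenarios are reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
# Claims an SSO assertion must carry (assumed names; "email, first name,
# last name" per the go-live checklist).
REQUIRED_CLAIMS = ("email", "given_name", "family_name")


@dataclass
class TenantPolicy:
    """Mirrors the 'Tenant authentication policies' table, with its defaults."""
    enforce_sso: bool = False
    allow_native_break_glass: bool = False
    mfa_for_all_sessions: bool = False   # the 'elevated' MFA setting; native always needs MFA
    device_trust: bool = True
    device_trust_ttl_days: int = 30
    jit_provisioning: bool = False
    jit_default_role: str = "member"     # assumed role name

    def __post_init__(self) -> None:
        if not 1 <= self.device_trust_ttl_days <= 90:
            raise ValueError("Device trust TTL must be between 1 and 90 days")


@dataclass
class LoginAttempt:
    method: str                          # "native", "oidc" or "saml"
    user_exists: bool
    is_break_glass: bool = False
    trusted_device_issued_at: Optional[datetime] = None  # from the trusted-device cookie
    claims: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    mfa_required: bool
    reason: str
    provision_user: bool = False
    role: Optional[str] = None


def issued_days_ago(days: int) -> datetime:
    """Build a trusted-device cookie timestamp relative to NOW."""
    return NOW - timedelta(days=days)


def device_is_trusted(policy: TenantPolicy, attempt: LoginAttempt, now: datetime) -> bool:
    """A device may skip MFA only while its cookie is younger than the TTL."""
    if not policy.device_trust or attempt.trusted_device_issued_at is None:
        return False
    return now - attempt.trusted_device_issued_at < timedelta(days=policy.device_trust_ttl_days)


def evaluate(policy: TenantPolicy, attempt: LoginAttempt, now: datetime = NOW) -> Decision:
    """Decide whether the attempt may proceed and whether an MFA challenge is due."""
    if attempt.method == "native":
        break_glass_ok = policy.allow_native_break_glass and attempt.is_break_glass
        if policy.enforce_sso and not break_glass_ok:
            return Decision(False, False, "native login blocked: SSO is enforced")
        # MFA is mandatory for native sessions; only a valid trusted device skips it.
        return Decision(True, not device_is_trusted(policy, attempt, now), "native login")

    if attempt.method in ("oidc", "saml"):
        missing = [c for c in REQUIRED_CLAIMS if not attempt.claims.get(c)]
        if missing:
            return Decision(False, False, "claim mapping incomplete: " + ", ".join(missing))
        if not attempt.user_exists and not policy.jit_provisioning:
            return Decision(False, False, "unknown user and JIT provisioning is off")
        provision = not attempt.user_exists
        # Assumption: the elevated MFA setting honours device trust like native login does.
        mfa = policy.mfa_for_all_sessions and not device_is_trusted(policy, attempt, now)
        return Decision(True, mfa, f"{attempt.method} login", provision_user=provision,
                        role=policy.jit_default_role if provision else None)

    return Decision(False, False, f"unsupported method {attempt.method!r}")


def run_scenarios() -> dict:
    """Constructed scenarios covering the combinations a go-live test should exercise."""
    claims = {"email": "pilot@example.com", "given_name": "Pilot", "family_name": "User"}
    enforced = TenantPolicy(enforce_sso=True, allow_native_break_glass=True)
    return {
        "native_default": evaluate(TenantPolicy(), LoginAttempt("native", True)),
        "native_trusted_device": evaluate(TenantPolicy(), LoginAttempt(
            "native", True, trusted_device_issued_at=issued_days_ago(10))),
        "native_expired_trust": evaluate(TenantPolicy(device_trust_ttl_days=7), LoginAttempt(
            "native", True, trusted_device_issued_at=issued_days_ago(10))),
        "native_blocked_by_enforcement": evaluate(enforced, LoginAttempt("native", True)),
        "break_glass_under_enforcement": evaluate(enforced, LoginAttempt(
            "native", True, is_break_glass=True)),
        "oidc_jit_new_user": evaluate(TenantPolicy(jit_provisioning=True), LoginAttempt(
            "oidc", False, claims=claims)),
        "oidc_unknown_user_no_jit": evaluate(TenantPolicy(), LoginAttempt("oidc", False, claims=claims)),
        "saml_missing_claims": evaluate(TenantPolicy(), LoginAttempt(
            "saml", True, claims={"email": "pilot@example.com"})),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:30} allowed={d.allowed!s:5} mfa={d.mfa_required!s:5} {d.reason}")
```

Note that a break-glass account under enforcement is still held to the native rule that MFA is mandatory, and that an unknown user with complete claims is refused rather than created when JIT provisioning is off; both are the outcomes the go-live checklist asks you to confirm by hand.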
## Next steps

- OIDC Setup Guide — configure OpenID Connect SSO
- SAML Setup Guide — configure SAML 2.0 SSO
- Native Auth & MFA — configure native login, passwords, and MFA