/
Set up a Flow SSO/SAML connection

Set up a Flow SSO/SAML connection

Many organizations choose to manage their user logins through SSO/SAML to simplify and control the login process for their users.

On this page:

On this page:

Migration timeline

Beginning in June 2025, all Flow customers with existing SSO/SAML integrations through Pluralsight must begin migrating their connections to be hosted by Flow.

Going forward, all SAML integrations will be created and managed by customers in Flow.

  • Week of June 2, 2025: Customers with existing SAML integration will be notified.

  • June 9 - July 18, 2025: Customers pre-configure and test their new SAML integration in Flow.

  • July 23, 2025: Customers switch to their new Flow SAML integration.

If you do not pre-configure and test your new SAML integration before July 18, 2025, your access to Flow may be lost on July 23 and will need to be manually restored by the Flow team. If you choose to switch to username/password authentication instead of creating a new SAML configuration, reach out to your Flow contact so we can make those arrangements.

Configuration and testing requirements

To configure a SAML connection, you must have:

  • A member of your organization with admin access to your SSO provider to set up the SAML application.

  • A member of your organization with Flow admin access and the Manage Login Settings permission included in at least one of their roles.

    • For the test to succeed, this Flow admin must also have a user in the IdP with the same email as they use to log in to Flow. This is required so we can ensure the admin will continue to have access once the SAML integration is enabled.

We recommend adding an SSO/IdP admin as a Flow admin to simplify SAML integration setup. If this isn’t an option, coordinate the integration setup to work together, since you’ll need to pass information back and forth between Flow and your SSO provider.

Before beginning your SAML integration, decide whether you want your Flow roles managed by Flow or by your SSO provider. If you want your Flow roles managed by your SSO provider, create an attribute to determine roles.

Steps to pre-configure and test your SAML integration

The steps to set up a new SAML integration will vary slightly depending on your SSO provider. Refer to the documentation from your SSO provider for more details on how to set up a new application.

  1. Flow admin

    1. Log in to Flow.

    2. Navigate to Settings > User management > SSO.
      If you don’t see this page, ensure you have the Manage Login Settings permission included in at least one of your roles.

    3. Click Add SAML integration.

    4. In the Configure SAML integration modal, choose an integration name for your SAML integration. This integration name must be unique among SAML integration names in your Flow organization.

      Name your SAML integration section with an Integration name field.

    5. Copy the SP Entity ID/Single Sign On URL/Reply URL (ACS URL) from the modal. Send it to your SSO provider admin. Do not close the modal.

  2. SSO admin

    1. Follow the steps for your SSO provider to create a new SAML 2.0 application.

    2. Add the SP Entity ID/Single Sign On URL/Reply URL (ACS URL) from the modal in Flow to the new SAML application.

    3. Set up attributes for the SAML application. Flow requires attributes for full name and email. The full name can either be made up of one attribute with the entire name, or two attributes for first name and last name. If you’ve decided to use a roles attribute to control Flow roles, set up that attribute as well. Note the names of these attributes and send them to the Flow admin. Attributes are case-sensitive.

    4. Save your new SAML application.

    5. Copy the metadata URL or metadata XML for this SAML application from your SSO provider. Send it to the Flow admin.

  3. Flow admin:

    1. Paste the metadata URL/metadata XML in the Metadata field in the Configure SAML integration modal.

      Metadata URL or MetadataXML field to add metadata to the Flow SAML configuration.

    2. Add the full name attribute(s) to the Full name attribute field(s).

      Full name attribute fields, filled out with firstName lastName as examples.

    3. Add the email attribute to the Email attribute field.

      Screenshot of the email attribute field.

      Make sure you add an email attribute to this field and not an actual email address.

    4. If you choose to manage roles in your SSO provider, add the role attribute to the Roles attribute field. If you choose to manage roles in Flow, check the Manage roles within Flow box.

Once this information has been added to the modal, click Test connection. You’ll be directed to log in to your SSO provider in a new window if you’re not already authenticated. This window will automatically close once authentication is successful. If you’ve configured your integration correctly, you’ll receive a success message in the modal. Click Save configuration.

If your connection test was unsuccessful for any reason, you’ll receive an error message with more details. Resolve any issues until you perform a successful test and save your configuration.

Make sure the Flow admin’s email address exists in the SSO provider; otherwise, the test will not succeed. We require this email to exist to prevent accidental account lockouts when SAML integrations are enabled.

Enable your integration

When you save a SAML integration, Flow does not automatically enable it. You must enable it as a separate step.

Once you’ve confirmed your SAML integration is set up and you’ve assigned users to the integration in your SSO provider, click Enable SSO next to the SAML integration you want to enable. The next time the user tries to log in to Flow, they’ll be prompted to do so through this integration.

Once you enable an SSO integration in your workspace, users can no longer log in with a username and a password. They must log in using SSO.

 

Need support? Create a request with our support team.

Copyright © 2005 - 2025 Appfire | All rights reserved.