Single Sign-On (SSO)
Connect your identity provider for centralized authentication
Single Sign-On lets members log in with their company credentials instead of a separate Flint password. Configure SSO in Settings → Single Sign-On.
Flint uses WorkOS for SSO, which means we support every identity provider that WorkOS supports.
Supported Providers
We support all major identity providers through WorkOS:
Enterprise SAML Providers: Okta, Azure AD, Google Workspace, OneLogin, JumpCloud, Duo, PingOne, PingFederate, ADFS, Auth0, CyberArk, Salesforce, Oracle, VMware, Rippling, and many more.
OIDC/OAuth Providers: Generic OIDC, Generic SAML, Google, Microsoft, GitHub, Apple, and others.
If your identity provider supports SAML 2.0 or OIDC, it will work with Flint.
Setting Up SSO
Verify Your Domain
Go to Settings → Single Sign-On → Setup SSO.
First, verify ownership of your email domain:
- Enter your domain (e.g., yourcompany.com)
- Add the provided DNS TXT record to your domain
- Click Verify
Domain verification ensures only legitimate domain owners can configure SSO.
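A pre-check for the TXT record step above, added here as an example (it is not Flint's or WorkOS's code): it normalizes `dig +short TXT` output, joins values that DNS split into several strings, and requires an exact match before you click Verify. The record name, the token value, and all function names are placeholders or assumptions; use the name and value shown in the setup screen.

```shell
#!/bin/sh
# Added example. The token below is a constructed placeholder, not a real value.

# normalize_txt: read `dig +short TXT` output on stdin, one record per line.
# A record is one or more quoted strings; values longer than 255 bytes are
# split into several strings that must be concatenated with no separator.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_has_value EXPECTED: succeed only if some record equals EXPECTED exactly.
# Exact matching avoids accepting a truncated or stale value as "present".
txt_has_value() {
    normalize_txt | grep -Fxq -- "$1"
}

# check_domain NAME EXPECTED [RESOLVER]: query live DNS (needs dig and network).
# Pass one of the domain's authoritative nameservers as RESOLVER to bypass caches.
check_domain() {
    name=$1 expected=$2 resolver=${3:-}
    if dig +short TXT "$name" ${resolver:+@"$resolver"} | txt_has_value "$expected"; then
        echo "OK: matching TXT record visible for $name"
    else
        echo "MISSING: no matching TXT record for $name" >&2
        return 1
    fi
}

# Constructed sample of `dig +short TXT` output (not real DNS data): an SPF
# record plus a verification record that was split into two strings.
sample_dig_output() {
    printf '%s\n' \
        '"v=spf1 include:_spf.example.net ~all"' \
        '"example-verification=PLACE" "HOLDER-TOKEN"'
}

# Offline demonstration on the constructed sample.
if sample_dig_output | txt_has_value 'example-verification=PLACEHOLDER-TOKEN'; then
    echo "sample: exact match found"
fi

# Live use: check_domain yourcompany.com '<value from the setup screen>' [resolver]
```
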
Configure Your Identity Provider
After domain verification, you'll be redirected to the WorkOS Admin Portal to configure your identity provider.
- Select your identity provider from the list
- Follow the provider-specific instructions
- WorkOS guides you through creating the application in your IdP
- Copy the required values between your IdP and WorkOS
The WorkOS portal provides step-by-step instructions for each provider.
Enable SSO
Once configuration is complete, return to Flint and enable SSO. Members can now log in with company credentials.
SSO Login Flow
- User clicks Sign in with SSO on the login page
- User enters their work email
- Flint looks up the organization by email domain
- User is redirected to their identity provider
- After authenticating, user is redirected back to Flint
- Flint creates a session and logs them in
SSO Enforcement
After enabling SSO, choose an enforcement level:
| Mode | Behavior |
|---|---|
| Optional | Members can use SSO or password |
| Required | Members must use SSO (password login disabled) |
When SSO enforcement is enabled, two-factor authentication enforcement is automatically disabled (your IdP handles authentication security).
Default Roles
Assign default roles to new SSO users:
- In SSO settings, configure Default Roles
- Select one or more roles
- New users logging in via SSO for the first time receive these roles automatically
This eliminates manual role assignment for SSO users.
Directory Sync (SCIM)
Automatically sync users from your identity provider:
- In SSO settings, click Configure Directory Sync
- You'll be redirected to the WorkOS Admin Portal
- Follow the SCIM setup instructions for your IdP
With Directory Sync enabled:
- New users in your IdP are automatically created in Flint
- Updated user info syncs automatically
- Deprovisioned users lose access immediately
Managing SSO
Once configured, the SSO settings page shows:
- Connection Status — Active, Inactive, or Validating
- Identity Provider — Which IdP is connected
- Enable/Disable Toggle — Turn SSO on or off
- Enforce SSO Toggle — Require SSO for all users
- Default Roles — Roles for new SSO users
- Directory Sync — SCIM configuration status
Reconfiguring SSO
To change your IdP configuration:
- Click Manage Connection
- You'll be redirected to the WorkOS Admin Portal
- Make your changes and save
Disconnecting SSO
To remove SSO entirely:
- Disable SSO enforcement first (if enabled)
- Click Disconnect SSO
- Confirm the action
Users will need to set passwords to continue accessing their accounts.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| "SSO login failed" | Misconfigured connection | Check IdP configuration in WorkOS portal |
| User not provisioned | No default roles set | Configure default roles in SSO settings |
| Domain not verified | DNS record missing | Verify TXT record is properly added |
| Can't log in after disconnect | No password set | Use password reset flow |