Enterprise Single Sign-On (SSO) allows your organization to use your existing Identity Provider (IdP) to manage authentication for Later. This ensures secure, streamlined access for your team using their corporate credentials, eliminating the need for separate usernames and passwords.
Once SSO is set up, employees signing in with a corporate email (for example, user@yourcompany.com) will be automatically redirected to authenticate via your company’s IdP. This article outlines the process of setting up SSO, which requires collaboration between Later and your IT team.
Supported Identity Providers (IdPs)
Later supports enterprise SSO with the following IdPs:
- Okta
- Microsoft Azure AD
- Google Workspace
- AWS Cognito
- Auth0
- OneLogin
- PingOne
- JumpCloud
- Duo
We support both SAML 2.0 and OIDC (OpenID Connect) authentication protocols.
SSO Setup Process
Enabling SSO for your organization includes the following steps:
Schedule a Call With Later
We’ll schedule a call with your IT team via a shared Google Calendar invite to guide them through the process. If you haven’t already requested SSO setup, you can contact your Account Manager to start the process.
Identify Your Identity Provider
Let us know which IdP you are using from the list above. If your IdP isn’t listed, please let us know—our team may be able to support additional providers.
Configure Your IdP
Your IT team will need to set up an application in your IdP to integrate with Later. The setup process will depend on whether your IdP uses SAML 2.0 or OIDC:
For SAML 2.0 IdPs:
- Your IT team will need to enter the following information in your IdP’s SAML configuration:
  - Single Sign-on (SSO) URL: [provided during setup]
  - SP Entity ID (Audience URI): [provided during setup]
  - NameID Format: EmailAddress (recommended)
  - Attribute Mapping: Ensure that email, username, firstName, and lastName are passed in the SAML assertion.
- Your IT team must provide us with:
  - The IdP Entity ID
  - The SAML Metadata URL or certificate
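Before the setup call, an IT team can confirm that a test assertion from their IdP carries everything the list above asks for. The following check is an added example written for this article, not code from Later or Keycloak: it parses a constructed SAML assertion and reports a missing emailAddress NameID format, a wrong Audience (the SP Entity ID), and any of the four required attributes that is absent or empty. The Audience value and the issuer hostname are placeholders standing in for the values exchanged during setup.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "username", "firstName", "lastName")

# Constructed sample assertion (not a real message from any IdP). The Audience
# is a placeholder for the SP Entity ID that Later provides during setup.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.yourcompany.example/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@yourcompany.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>SP-ENTITY-ID-PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>user@yourcompany.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str, expected_audience: str) -> List[str]:
    """Return the list of configuration problems found; an empty list means OK.

    This inspects structure only; signature validation is the broker's job.
    For assertions from an untrusted source, parse with a hardened library
    such as defusedxml instead of xml.etree."""
    problems = []
    root = ET.fromstring(xml_text)

    # NameID must be present and use the emailAddress format recommended above.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID is missing from the Subject")
    elif name_id.get("Format") != EMAIL_NAMEID:
        problems.append(f"NameID format is {name_id.get('Format')!r}, expected emailAddress")

    # The Audience must contain the SP Entity ID, otherwise the SP rejects it.
    audiences = [
        a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID {expected_audience!r}")

    # Collect attribute values by name and verify the four required mappings.
    present = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        present[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if not any(present.get(name, [])):
            problems.append(f"attribute {name!r} missing or empty")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION, "SP-ENTITY-ID-PLACEHOLDER") or ["assertion looks complete"]:
        print(problem)
```

Attribute names are matched exactly, so an IdP that emits `givenName` instead of `firstName` shows up as a missing attribute, which is the mapping mismatch that most often surfaces on the setup call.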
For OIDC IdPs:
- Your IT team will need to enter the following information in your IdP’s OIDC configuration:
  - Login Redirect URI: [provided during setup]
- Your IT team will need to provide:
  - Configuration URL (aka “Well-Known” Configuration) or Configuration File
  - If neither of these is available, your Authorization URL and Token URL
  - Client ID & Client Secret (generated within the IdP)
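To illustrate how the OIDC items above fit together, here is an added example (not Later’s or Keycloak’s code) that resolves the endpoints from a well-known configuration document, falls back to an explicit Authorization URL and Token URL when no discovery document exists, and then composes the SP-initiated redirect to the IdP. The discovery document, client ID and redirect URI are constructed placeholders; the real values are exchanged during setup.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed discovery document in the shape an IdP serves at
# /.well-known/openid-configuration; the hostname is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.yourcompany.example",
    "authorization_endpoint": "https://idp.yourcompany.example/oauth2/v1/authorize",
    "token_endpoint": "https://idp.yourcompany.example/oauth2/v1/token",
    "jwks_uri": "https://idp.yourcompany.example/oauth2/v1/keys",
})

# Placeholders for the Login Redirect URI and Client ID exchanged during setup.
REGISTERED_REDIRECT_URI = "https://broker.example/realms/placeholder/broker/yourcompany/endpoint"
CLIENT_ID = "client-id-placeholder"


def resolve_endpoints(discovery_json=None, authorization_url=None, token_url=None):
    """Return {'authorization': ..., 'token': ...}.

    Prefers the well-known configuration; falls back to explicitly supplied
    Authorization and Token URLs when no discovery document is available.
    Every endpoint must be https, since the client secret and authorization
    codes travel over it."""
    if discovery_json is not None:
        cfg = json.loads(discovery_json)
        missing = [k for k in ("issuer", "authorization_endpoint", "token_endpoint") if not cfg.get(k)]
        if missing:
            raise ValueError(f"discovery document is missing {missing}")
        endpoints = {"authorization": cfg["authorization_endpoint"], "token": cfg["token_endpoint"]}
    elif authorization_url and token_url:
        endpoints = {"authorization": authorization_url, "token": token_url}
    else:
        raise ValueError("provide a discovery document, or both the Authorization URL and Token URL")
    for name, url in endpoints.items():
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{name} endpoint must use https: {url}")
    return endpoints


def build_authorization_url(endpoints, client_id, redirect_uri, registered_redirect_uri,
                            state=None, nonce=None):
    """Compose the SP-initiated redirect that sends the browser to the IdP.

    The redirect_uri is compared byte for byte with the URI registered in the
    IdP, as IdPs do; a trailing slash or case difference is a mismatch.
    state and nonce are random per request; fixed values may be passed for tests."""
    if redirect_uri != registered_redirect_uri:
        raise ValueError("redirect_uri does not match the URI registered in the IdP")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return endpoints["authorization"] + "?" + urlencode(params)


if __name__ == "__main__":
    ep = resolve_endpoints(SAMPLE_DISCOVERY)
    print(build_authorization_url(ep, CLIENT_ID, REGISTERED_REDIRECT_URI, REGISTERED_REDIRECT_URI))
```

The Client Secret is deliberately absent here: it is only used server-side at the token endpoint, never in the browser redirect.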
Configure SSO in Later
We will use Keycloak as our identity broker to integrate your IdP. Our team will configure your IdP within our system using Keycloak’s Home Realm Discovery method.
This means that users entering an email matching your company’s domain (for example, user@yourcompany.com) will be automatically redirected to your IdP for authentication.
Testing & Go-Live
Once configured, your team will test SSO authentication with a few users. If successful, we’ll enable SSO for your entire organization.
Once enabled, any users logging in with your company domain will be automatically redirected to sign in with your IdP.
How It Works
Once the above steps are complete, the process works as follows:
- A user enters their email (user@yourcompany.com)
- Keycloak detects the domain (yourcompany.com) and checks if an associated IdP is configured
- If found, the user is redirected to authenticate via your IdP
- Upon successful authentication, the user is granted access to Later
Technical Details for IT Teams
The following configuration is required to set up Enterprise SSO:
- We will create a Keycloak Organization for your company
- Your corporate email domain (for example, yourcompany.com) must be added to this organization
- When a user successfully logs in via SSO, a Keycloak user profile will be automatically created for them with mapped attributes
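The domain-based routing described under How It Works and Technical Details can be modelled in a few lines. The following is an added example written for this article, not Keycloak’s implementation: a constructed registry of organizations maps each registered email domain to an IdP alias, the sign-in page decides whether to redirect or show the password form, and a second check enforces SSO-only login for an organization’s domains. It goes slightly beyond the single-IdP case in the text by giving one organization two domains bound to two IdPs, matching the multi-IdP setup mentioned in the FAQ. Organization names, domains and IdP aliases are hypothetical, and exact-domain matching (no implicit subdomains) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Organization:
    """One organization: registered email domains, each bound to the alias of
    the IdP configured for it, and whether SSO is enforced for those domains."""
    name: str
    domain_to_idp: Dict[str, str]
    sso_only: bool = True


@dataclass
class LoginDecision:
    action: str                        # "redirect_to_idp" or "password_login"
    idp_alias: Optional[str] = None
    organization: Optional[str] = None


# Constructed registry (hypothetical organizations and IdP aliases).
# The second organization shows the multi-IdP case: two teams, two domains, two IdPs.
ORGANIZATIONS = [
    Organization("YourCompany", {"yourcompany.com": "yourcompany-okta"}),
    Organization(
        "Partner Corp",
        {"partner.example": "partner-entra", "partner-labs.example": "partner-google"},
        sso_only=False,
    ),
]


def email_domain(email: str) -> Optional[str]:
    """Domain part of an address, lowercased; None when the address is malformed."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain or "." not in domain or domain != domain.strip("."):
        return None
    return domain.lower()


def find_organization(domain: str, orgs=ORGANIZATIONS) -> Optional[Organization]:
    # Assumption: exact-domain match only. A subdomain such as mail.yourcompany.com
    # is not routed unless it is added to the organization explicitly.
    for org in orgs:
        if domain in org.domain_to_idp:
            return org
    return None


def route_login(email: str, orgs=ORGANIZATIONS) -> LoginDecision:
    """Home Realm Discovery: decide where the sign-in page sends this user."""
    domain = email_domain(email)
    if domain is None:
        raise ValueError(f"malformed email address: {email!r}")
    org = find_organization(domain, orgs)
    if org is None:
        return LoginDecision("password_login")
    return LoginDecision("redirect_to_idp", org.domain_to_idp[domain], org.name)


def password_login_allowed(email: str, orgs=ORGANIZATIONS) -> bool:
    """Enforcement check for the password form: an SSO-only organization must
    not accept a password for any of its registered domains, even for users
    who had a password before SSO was enabled."""
    domain = email_domain(email)
    if domain is None:
        return False
    org = find_organization(domain, orgs)
    return org is None or not org.sso_only


if __name__ == "__main__":
    for address in ("user@yourcompany.com", "dev@partner-labs.example", "guest@unrelated.example"):
        print(address, route_login(address), "password allowed:", password_login_allowed(address))
```

Normalising the address before the lookup matters: users type mixed-case domains and stray whitespace, and a routing check that misses `User@YourCompany.COM` would silently fall back to the password form for an SSO-only domain.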
Frequently Asked Questions
What happens to existing users when SSO is enabled?
Users with existing accounts will still be able to log in, but they will be redirected to SSO instead of using a password. If an email matches an existing account, it will be linked automatically upon successful authentication.
Can we require SSO for all users?
Yes, we will enforce SSO-only login, which prevents users from signing in with an email and password if they are logging in with a company-owned email domain.
What if an external contractor or partner needs access but doesn’t have an account in our IdP?
If someone outside of your company (that is, without a company-owned email domain) needs access to your account, you can manually invite them as a user through your Later account settings and assign them non-SSO login credentials if necessary.
What if we use multiple IdPs?
We support multi-IdP setups via Keycloak. Please inform us if different teams within your company use different IdPs.
Does Later support SCIM or JIT for automated user provisioning?
At this time, Later doesn’t support SCIM (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning, or JIT (Just in Time) provisioning where user accounts are created upon first login. However, user accounts, roles, and permissions can be created and managed manually within each Later app.
Does Later support IdP-initiated SSO?
At this time, Later doesn’t support IdP-initiated SSO to allow users to start authentication directly from their IdP’s dashboard. Currently, we only support SP-initiated SSO (Service Provider-initiated login). This means users must start the login process from the Later sign-in page where they enter their email. If SSO is enabled for their domain, they will be redirected to their IdP for authentication.
Next Steps
If you’re ready to set up SSO for your organization, contact your Account Manager to get started. Our team will schedule a call with your IT department via calendar link and provide the necessary configuration details.
For any technical questions, feel free to reach out to our Support Team at support@later.com.
Why is a call with our team required?
Setting up SSO involves both technical configuration and security alignment, which is why we schedule a call with your IT team. This ensures a smooth, secure, and properly integrated setup.
Key Reasons for the Call
- Custom Configuration for Your IdP
  - Every organization’s IdP (Identity Provider) is configured differently, and some settings may require custom adjustments
- Ensuring Domain-Based Routing
  - We need to validate and register your corporate domain to ensure employees are automatically redirected to your IdP
- Security & Compliance Checks
  - Your IT team may have specific security policies (for example, enforcing MFA, certificate validation, or session timeouts) that need to be accounted for
  - We discuss SSO enforcement options; that is, whether all users must use SSO or if some can log in manually
- Troubleshooting & Testing in Real Time
  - Misconfigurations (for example, incorrect entity IDs and certificate mismatches) can prevent successful authentication
  - A live call allows us to test login flows, debug any issues, and ensure a seamless experience before rolling it out to all users