FloQast integrates with any Identity Provider (IdP) that supports SAML 2.0 authentication. If you use any of the named providers below and plan to move to another, FloQast has an enterprise application that you can install directly within your IdP to pre-populate many of the attribute mappings and URLs. This also applies to instances where users are moving to a new tenant within the same IdP.
- Okta
- Microsoft Entra ID
- OneLogin
- Google SSO
- Salesforce SSO
- Custom SSO: Any other IdP that supports SAML 2.0
When your team is ready, here are some steps to get started:
- Download and review the appropriate SSO Setup Guide for the new IdP.
- Install/configure the FloQast application within your IdP.
- Assign your users to FloQast within your IdP. If you need a list of active FloQast users, please let us know and we can provide you with the full list.
- Export a new Federation Metadata XML file that includes the new certificate only.
-
Contact support@floqast.com and let us know that you are interested in migrating to a different SSO provider. Please also provide the following information in your message.
- The new Federated Metadata XML file. A secure link can be provided upon request.
- A date and time when you would like the cutover to occur. Be sure to include your working time zone.
- A preference between performing the cutover offline outside of working hours or together over a live call.
- Once we upload the XML into our database, the IdP and certificate are updated immediately. Users can then test SSO to confirm.
FAQ about SSO Migrations:
Q: Does FloQast support multiple certificates at once?
A: FloQast can apply one active certificate at a time. In the event that an XML file has more than one active certificate in it, FloQast will grab the first certificate listed, which may not be the correct one. Our recommendation is to produce an XML file that includes only the new certificate within it and to activate the new certificate before the old one expires, to prevent any service disruption for users once it is applied.
Q: Can I test logging in with SSO for just one user before deploying to my entire team?
A: No. Since FloQast only supports one active certificate at a time, testing with an individual user disables SSO for all other users since they were previously configured using the old certificate. It would be best to schedule the IdP switch during a period that is least impactful for most.
Q: Does FloQast offer Just-In-Time provisioning/de-provisioning?
A: No. FloQast does not offer JIT provisioning. This is because there are several unique permissions within FloQast (User Role, Entity Access) which must be configured directly within the FloQast application. A user must be invited to FloQast with their email address AND be assigned to the FloQast enterprise application within your SSO directory. Users can be deactivated in FloQast, which would immediately revoke their ability to sign into FloQast. Users could also be deactivated/have access revoked in your SSO directory, which would immediately revoke their ability to sign into FloQast.
Q: Will users be logged out of FloQast once the updated certificate is applied?
A: Users will remain logged into FloQast via their active session token. Per usual, the application may eventually log the user out from inactivity or the user will log out manually. At which point a new SSO authenticated login will occur using the updated certificate.