The following is a guide for Admins who want to configure Single Sign-On (SSO) for their Intellistack Streamline account to manage user authentication securely.
Note: Admin and Standard users can both sign in using SSO once it’s been configured. Only Admin users can set up and manage SSO settings.
Before You Begin
Note: The examples and screenshots in this guide show an Okta configuration, but the steps apply to most identity providers that use SAML 2.0 or OpenID Connect (OIDC). Depending on your provider, your setup process may look slightly different. Streamline includes embedded documentation in each step of the SSO setup flow to guide you through provider-specific settings.
Before you start setting up SSO, make sure you have the following in place:
- Admin access to your Streamline organization.
- Access to your Identity Provider (IdP), such as Okta, Microsoft Entra ID (formerly Azure AD), or another SAML/OpenID provider.
- A domain you can verify using DNS (for domain claiming).
- Permission to create or modify app integrations in your IdP.
Tip: If you’re working with your IT or security team, confirm which protocol (SAML or OpenID Connect) your organization uses before you begin.
How SSO Works
Here’s a simple overview of how Single Sign-On connects your users, Streamline, and your identity provider:
- Identity Provider (IdP) authenticates user credentials (for example, Okta or Azure AD).
- Streamline verifies the connection and applies permissions.
- User Login grants access to Streamline using existing organization credentials.
This setup provides secure, centralized access management without requiring multiple passwords.
Accessing the SSO Setup
- Click the gear icon (⚙️) in the left sidebar to open your Administration settings.
- Select Security.
- Under Security, choose Single Sign-On (SSO) Setup.
- The SSO configuration suite will open in a new window.
Tip: The SSO setup experience includes guided steps, a modern interface, and the ability to switch to dark mode on the top right for a smoother setup process.
Identity Provider (IdP) Selection
The first step in the configuration process is selecting an identity provider.
When prompted, you’ll see a list of supported IdPs that can be used for authentication.
You can:
- Choose from the list of supported IdP configuration guides (expand the list by selecting Show More to see additional providers).
- Google Workspace (SAML)
- OKTA (SAML, OIDC)
- Azure Entra ID (SAML, OIDC)
- Microsoft AD FS (SAML)
- PingFederate (SAML)
- PingOne (SAML)
- Onelogin (SAML)
- Keycloak (SAML)
- JumpCloud (SAML)
- Auth0 (SAML, OIDC)
- ClassLink (SAML)
- Cyberark (SAML)
- Descope (SAML)
- Duo (SAML)
- LastPass (SAML)
- miniOrange (SAML)
- Salesforce (SAML)
- Manually configure either SAML 2.0 or OpenID Connect (OIDC) if your provider isn’t listed.
Note: If your selected provider supports both SAML and OIDC, Streamline will display both options so you can choose the appropriate protocol for your organization.
Service Provider Information
After selecting a provider, Streamline automatically displays the tenant-specific data you’ll need to configure in your identity provider (IdP).
This includes:
- Assertion Consumer Service (ACS) URL – also labeled Single Sign-On URL in many IdPs such as Okta. This is the endpoint where authentication responses are sent after a user signs in.
- Service Provider (SP) Entity ID – also labeled Audience URI (SP Entity ID) in Okta. This value uniquely identifies your Streamline tenant as the SAML service provider.
- Optional metadata endpoints or files for IdPs that support direct metadata import.
Copy these values from Streamline into the corresponding fields in your IdP’s configuration.
Field names may differ slightly between providers, but the required information is the same.
Mapping Attributes (User and Group)
Once the application connection is established, Streamline guides you through User and Group Attribute Mapping.
This step ensures that the correct user information and roles are passed from your IdP into Streamline during login.
You can map the following user attributes:
- Email – the user’s unique identifier
- Display Name – how the name appears in Streamline
- First Name / Last Name – for profile identification
- Groups or Roles – used to determine user permissions
Streamline automatically prepopulates recommended attribute names based on the selected IdP. These default mappings make setup faster and reduce manual input for your IT or tenant administrator.
Important: Map Login ID to Email
When configuring SSO, the Login ID must map to the user's email address. This identifier is how authenticated users are matched to accounts in your system. If configured incorrectly, users may be unable to log in or create duplicate accounts. Always use email as the Login ID for consistency, uniqueness, and reliability.
SAML Configuration
In SAML, the NameID attribute is used as the Login ID. Your Identity Provider must send the user's email address as the NameID value (regardless of NameID format). Most IdPs like Okta already send email by default. Verify in your IdP's SAML application settings that NameID is mapped to the user's email attribute (e.g., user.email, mail, or emailAddress).
Common issue: If your IdP sends a user ID or UUID instead of email, update the NameID mapping in your IdP settings to point to the email field.
OIDC Configuration
In OIDC, the default sub claim (typically a random identifier) is used as the Login ID. You must change this to use the email claim:
- In your application, navigate to Settings → Security → SSO Setup
- Change Login ID Claim from sub to email
- Ensure your IdP includes the email scope in authorization requests
Common issue: If the email claim is missing from tokens, add the email scope to your OIDC provider configuration.
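To make the Login ID rules above checkable, here is an added example (not Streamline's own code) that inspects the assertion or token claims an administrator sees in the Test Connection results and reports whether the value Streamline will use as the Login ID is an email address. The sample SAML assertion, the ID-token claims and the issuer URL are constructed for the example; the helper only reads the Subject/NameID and the email claim, it does not validate signatures.

```python
"""Pre-flight check for the Login ID mapping (SAML NameID / OIDC email claim).

Added example, not Streamline's code. The assertion and the claims below are
constructed samples standing in for what Test Connection shows. This helper
inspects values only; signature validation is the SSO stack's job, not this
script's.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: NameID carries the email (any Format is acceptable).
GOOD_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample of the "common issue": NameID is an IdP user ID, not an email.
BAD_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">00u1abcd5678</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def saml_login_id(assertion_xml: str) -> Tuple[str, Optional[str]]:
    """Return (NameID value, NameID Format) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip(), name_id.get("Format")


def check_saml(assertion_xml: str) -> List[str]:
    """Findings for SAML: the NameID value must be the user's email, regardless of Format."""
    findings = []
    value, fmt = saml_login_id(assertion_xml)
    if not EMAIL_RE.match(value):
        findings.append(
            f"NameID {value!r} (Format {fmt}) is not an email address; "
            "point the IdP's NameID mapping at the email attribute"
        )
    return findings


def check_oidc(claims: Dict[str, object], login_id_claim: str) -> List[str]:
    """Findings for OIDC: Login ID Claim must be 'email' and the token must carry it."""
    findings = []
    if login_id_claim != "email":
        findings.append(f"Login ID Claim is {login_id_claim!r}; change it to 'email'")
    if "email" not in claims:
        findings.append("token has no 'email' claim; add the email scope to the authorization request")
    elif not EMAIL_RE.match(str(claims["email"])):
        findings.append(f"'email' claim {claims['email']!r} is not an email address")
    return findings


if __name__ == "__main__":
    print("good SAML:", check_saml(GOOD_SAML) or "ok")
    print("bad SAML:", check_saml(BAD_SAML))
    # Constructed ID-token claims with the default sub-based Login ID.
    print("default OIDC:", check_oidc({"sub": "a1b2c3"}, "sub"))
    print("fixed OIDC:", check_oidc({"sub": "a1b2c3", "email": "alice@example.com"}, "email") or "ok")
```

Run it against the assertion or claims copied from the Test Connection screen; an empty findings list for the protocol you use means the Login ID will match users by email as the section requires.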
Identity Provider Information
The Identity Provider Information section is where you provide your IdP’s configuration details to complete the connection between your IdP and Streamline.
You’ll need to supply one of the following:
- A Metadata URL, or
- Manual configuration details such as:
- Single Sign-On (SSO) URL
- Entity ID
- Certificate fingerprint or file
Once entered, Streamline automatically validates your metadata. When verification succeeds, your IdP connection becomes active within the SSO Setup Suite.
Assign Users and Groups
After connecting your IdP, you’ll be prompted to assign users and groups within your identity provider’s management console.
This step defines who can authenticate with Streamline and ensures that appropriate permissions are applied during login.
Assigning users through groups is a mandatory step: it ensures that users are assigned the appropriate role when logging in to Streamline.
Ensure that you have a group for each role.
Important Notes:
- While it’s possible to assign a user to multiple or no groups during IdP configuration, Streamline does not support this.
- If multiple roles are assigned to a user, Streamline will respect only the first role.
- If no roles are assigned to a user, the user will receive an error when trying to log in.
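Because a user in zero role groups gets a login error and a user in several gets only the first role, it is worth auditing group membership before enforcing SSO. The following added example (not Streamline's code) mirrors the documented behaviour on a constructed export of IdP users and their groups; the group-to-role mapping `ROLE_GROUPS` is an assumed set of names for illustration.

```python
"""Audit IdP group membership against Streamline's one-role-per-user rule.

Added example, not Streamline's code. ROLE_GROUPS and USERS are constructed:
substitute the group names you created (one group per role) and an export
of users with their group memberships from your IdP.
"""
from typing import Dict, List, Optional

# Assumed group names; the page requires one group per Streamline role.
ROLE_GROUPS: Dict[str, str] = {
    "streamline-admins": "Admin",
    "streamline-users": "Standard",
}

# Constructed sample export: email -> groups in the order the IdP lists them.
USERS: Dict[str, List[str]] = {
    "alice@example.com": ["streamline-admins", "all-staff"],
    "bob@example.com": ["all-staff"],                          # no role group
    "carol@example.com": ["streamline-users", "streamline-admins"],  # two role groups
}


def resolve_role(groups: List[str], role_groups: Dict[str, str] = ROLE_GROUPS) -> Optional[str]:
    """Documented behaviour: the first role-bearing group wins; none means a login error."""
    for group in groups:
        if group in role_groups:
            return role_groups[group]
    return None


def audit(users: Dict[str, List[str]], role_groups: Dict[str, str] = ROLE_GROUPS) -> Dict[str, str]:
    """Return a finding per user whose membership breaks the one-role rule."""
    findings: Dict[str, str] = {}
    for email, groups in users.items():
        matched = [g for g in groups if g in role_groups]
        if not matched:
            findings[email] = "no role group: login will fail"
        elif len(matched) > 1:
            # Only the first group is honoured, and the order an IdP sends groups
            # in is not something to rely on, so treat this as a misconfiguration.
            findings[email] = (
                f"multiple role groups {matched}: only "
                f"{role_groups[matched[0]]} (first listed) would apply"
            )
    return findings


if __name__ == "__main__":
    for email, groups in USERS.items():
        print(email, "->", resolve_role(groups))
    for email, problem in audit(USERS).items():
        print("FIX:", email, problem)
```

Fix every reported user in the IdP (add the missing group, or remove the extra one) before switching Require Login via SSO on, so nobody is locked out or lands in an unintended role.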
SSO Domains (Claiming and Verification)
Within the SSO Domains step, administrators can configure their organization’s SSO company domain.
This domain determines how users are routed during the SSO login process—Streamline automatically redirects users to the correct tenant based on the domain in their email address.
If Force Domain Verification is enabled in the SSO Setup Suite, domain ownership must first be verified through a DNS TXT record before authentication can be used.
To verify your domain:
- Access your DNS provider’s control panel.
- Locate your domain’s configuration or DNS management section.
- Add a new TXT record with the following information:
- Type: TXT
- Host: Provided in Streamline’s SSO setup instructions
- Value: The verification string shown in Streamline
- Save the record.
- Once Streamline detects the TXT record, the domain will be marked as Verified.
Verification typically completes within one minute for new records but may take longer for updates to existing DNS entries.
Tip: If you don’t see the domain verification prompt, make sure all prior SSO setup steps have been completed.
Once verified, your domain will appear as Claimed, and users will automatically be redirected to your tenant during sign-in.
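If a domain stays unverified longer than expected, it helps to confirm the TXT record is actually visible from outside before re-checking in Streamline. The added example below (not Streamline's code) parses the output of `dig +short TXT <host>` and checks for the verification string exactly; the host name and token value are placeholders that stand in for the ones shown in the SSO setup, and the sample output is constructed so the check runs offline.

```python
"""Check captured `dig +short TXT` output for a domain verification string.

Added example, not Streamline's code. EXPECTED_VALUE and the host in the
usage comment are placeholders: use the Host and Value Streamline shows you.
Capture the records with, for example:
    dig +short TXT <host-from-streamline>
and pass that text to is_verified().
"""
import re
from typing import List

# Placeholder: replace with the verification string shown in Streamline.
EXPECTED_VALUE = "streamline-verification=PLACEHOLDER-TOKEN"

# Constructed sample of `dig +short TXT` output: one record per line, each
# record as one or more quoted strings (long records are split into chunks).
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.net -all"\n'
    '"streamline-verification=PLACEHOLDER-TOKEN"\n'
    '"some-long-record-part-one" "part-two"\n'
)

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_short_txt(output: str) -> List[str]:
    """Turn dig's quoted-string lines into whole TXT record values."""
    records = []
    for line in output.splitlines():
        chunks = [c.replace('\\"', '"') for c in QUOTED.findall(line)]
        if chunks:
            # Chunks of one record are concatenated without separators (RFC 1035 style).
            records.append("".join(chunks))
    return records


def is_verified(output: str, expected_value: str = EXPECTED_VALUE) -> bool:
    """True only if a record equals the expected string exactly (no substring matches)."""
    return expected_value in parse_dig_short_txt(output)


if __name__ == "__main__":
    for record in parse_dig_short_txt(SAMPLE_DIG_OUTPUT):
        print("TXT:", record)
    print("verification record present:", is_verified(SAMPLE_DIG_OUTPUT))
```

An exact match is deliberate: a token that has been pasted with surrounding text or quotes will not be recognised by a verifier either, so the check should fail in the same way.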
Testing the SSO Configuration
After your IdP configuration is complete, test the setup to confirm that authentication is functioning as expected.
Testing can be performed directly from Streamline by clicking Test Connection.
During testing:
- Streamline will redirect you to your IdP for authentication.
- After successful sign-in, you’ll be redirected back to Streamline.
- The test results will display the SAML or OIDC assertions returned from your IdP.
- You’ll also see the user profile and assigned roles generated from those attributes, allowing you to verify that user and group mappings are working correctly.
- Confirm that users are redirected based on their email domain, if applicable.
You can repeat the test as needed until all user attributes and domain redirections function as expected.
Enforcing Single Sign-On
Once everything looks correct, enforce SSO for your organization:
- Go to Settings → Security → SSO.
- Toggle Require Login via SSO ON.
When enabled:
- All users in your organization, regardless of email domain, must use SSO to log in.
- Logging in with a password is not allowed.
Assigning “Break glass in case of emergency” users
Streamline allows specific admins to be set as “Break glass in case of emergency” users who have the ability to log in via password even when SSO is enforced. This is useful in situations where an issue occurs with an SSO provider and an Admin needs to bypass SSO to log in to Streamline to troubleshoot issues or to un-enforce SSO for a short time.
To set a “Break glass in case of emergency” user, click the edit button next to Force SSO Exclusions and enter the email address(es) you wish to add (comma separated).
Adding and Managing Users
When SSO is not enforced, new users can be invited to Streamline in the usual way. Alternatively, the user can be added to a group within your IdP that has access to the application; on their next login they will automatically be provisioned as a user in your Streamline org with the role determined by your IdP settings.
When SSO is enforced:
- New users must first be added to your identity provider.
- Assign them to the Streamline app or relevant group.
- Streamline automatically provisions their accounts with the correct role when they log in.
Note: Invitations from Streamline are disabled when SSO is enforced. All new users must be created in your identity provider.
Troubleshooting
If users experience login issues:
- Verify their email matches a claimed domain.
- Make sure they’re assigned to the Streamline app in your IdP.
- Check that attribute and group mappings are correct.
- Double-check that both metadata URLs are valid.
Tip: If your identity provider enforces multi-factor authentication (MFA), enable 2FA bypass in Streamline to prevent users from being prompted twice.
Security Reminder
Important: If you disable SSO or switch identity providers, make sure your domains remain verified and your role mappings are updated.
This helps prevent login interruptions and ensures users keep the correct access permissions.
For maximum security, always review domain verification and group mappings after any configuration changes.
Common Questions
Can I set up multiple SSO providers?
Streamline currently supports one primary SSO provider per organization. You can switch providers if needed, but only one may be active at a time.
Do I need to re-verify domains if I change identity providers?
No. Once your domain is claimed in Streamline, it remains verified. However, you’ll still need to connect and validate metadata for the new provider.
What happens to existing users when SSO is enforced?
Existing users with a matching claimed domain will automatically begin signing in through your identity provider.
Can I disable SSO after enabling it?
Yes, but we recommend doing so only for troubleshooting. Users will temporarily regain password-based login if SSO is disabled.
Closing Notes
Once SSO is configured and tested, your users can log in securely using their existing organization credentials, and you can manage all access from your identity provider.
To modify, test, or update your SSO settings at any time, go to Settings → Security → Single Sign-On (SSO) for full control over your provider, domain settings, and login policies.
Next step: Consider enabling Multi-Factor Authentication (MFA) for an additional layer of protection across your organization.