Single Sign On (SSO) for 10000ft

This Help Article Appears in the Following Learning Tracks

Learning Track

This Help Article appears in the System Administration in 10,000ft learning track. Get the most out of this learning track by starting at the beginning.

Using Single Sign-On (SSO) for password management and user provisioning allows greater company control of access to 10,000ft, ensuring the right people are securely logging into your account.

10,000ft provides SSO using the SAML 2.0 protocol, which works with providers such as ADFS, Azure AD, OKTA, and Google. We currently only support the Web Browser SSO profile. We do not support IDP Initiated Sign-on.

https://en.wikipedia.org/wiki/SAML_2.0

Setup

Retrieve the 10,000ft SSO configuration information from: https://app.10000ft.com/saml/metadata
- SAML Login URL: https://app.10000ft.com/saml/acs
- SAML Logout URL: https://app.10000ft.com/saml/logout
Setup 10,000ft as an app (relying party) in your SSO system. We support Azure Active Directory Federation Service 2.0, OKTA, Google, and many other SSO services that implement SAML 2.0.
Click 'Setup SSO' in the SSO section of your Account Settings
Input your SAML 2.0 signing certificate and URLs (10,000ft requires your SAML 2.0 signing certificate to be Base64 encoded. RAW format is not supported).
Determine if you wish to turn on auto-provisioning*
Click 'Save'

*10,000ft auto-provisioning does not automatically provision new user accounts. New user accounts still need to be created through the application. What auto-provisioning does is bypass the user invitation process. When it is enabled, new users do not need to accept an invitation to join the application. They simply need to visit the sign-on page, enter their email address, and they will be recognized as a user in the system and given the option to sign into your company account.

Required Attributes

For successful sign-in authentication, a NameID claim with the format of email address must be passed to 10,000ft.

Example: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

After Setup

Once a user has logged In with SSO, they will no longer be allowed to log In with a username and password, and their profile email address will be locked In the application. In order to update their login email, please contact us for assistance.

If you ever need to make any changes to your SSO settings in the application, do so with caution and ensure that you have at least one administrative user within your organization that has not logged In with SSO and still has a username/password login. This will allow you to log In with that profile should you need to revert any changes. In order to log in with username and password, click on the link below the green sign-in box.

Green sign-in box

Some customers choose to have us assist them when changes need to be made. To schedule a safe settings update, contact us here.