Skip to main content
SSO is available on Enterprise plans only. Contact sales to upgrade.
Single Sign-On (SSO) allows your team members to authenticate using your organization’s identity provider (IdP), providing centralized access management and enhanced security.

Supported Providers

EngageFabric supports two SSO protocols:

SAML 2.0

Industry standard for enterprise SSO. Works with Okta, Azure AD, OneLogin, and more.

OpenID Connect

Modern OAuth 2.0-based protocol. Works with Google Workspace, Auth0, Keycloak, and more.

Setting Up SAML SSO

Step 1: Get Your Service Provider Details

First, retrieve your SAML metadata from the API:
Response:

Step 2: Configure Your Identity Provider

Add EngageFabric as a new application in your IdP:
  1. Go to Applications > Create App Integration
  2. Select SAML 2.0
  3. Enter the following settings:
    • Single Sign-On URL: {acsUrl from above}
    • Audience URI (SP Entity ID): {entityId from above}
    • Name ID Format: EmailAddress
  4. Under Attribute Statements, add:
    • emailuser.email
    • firstNameuser.firstName
    • lastNameuser.lastName
  5. Save and copy the Metadata URL or download the IdP metadata

Step 3: Configure EngageFabric

Update your SSO configuration with the IdP details:

Setting Up OIDC SSO

Step 1: Create an OAuth Application

In your identity provider, create a new OAuth/OIDC application:
  1. Go to Google Cloud Console
  2. Navigate to APIs & Services > Credentials
  3. Click Create Credentials > OAuth client ID
  4. Select Web application
  5. Add redirect URI: https://api.engagefabric.com/api/v1/auth/sso/your-org/callback
  6. Copy the Client ID and Client Secret

Step 2: Configure EngageFabric

Configuration Options

SAML-Specific Fields

OIDC-Specific Fields

Testing Your Configuration

Before enforcing SSO, test that it works correctly:
Response:
Visit the loginUrl in a browser to test the full SSO flow.

Auto-Provisioning

When autoProvision is enabled:
  1. New users are automatically created on first SSO login
  2. They’re assigned the defaultRole you specified
  3. Their name and email are populated from the IdP
  4. They don’t need a separate invitation
Auto-provisioned users count toward your team member limit. Monitor your usage to avoid exceeding plan limits.

Domain Restrictions

Use allowedDomains to restrict which email domains can authenticate:
Users with email addresses outside these domains will be denied access, even if they successfully authenticate with your IdP.

Disabling SSO

To disable SSO and revert to password authentication:
Disabling SSO will require all users to set passwords. Ensure users have password recovery options before disabling.

API Reference

Troubleshooting

Ensure you’ve copied the complete IdP certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Check that:
  • autoProvision is set to true
  • The user’s email domain is in allowedDomains (if set)
  • You haven’t reached your plan’s team member limit
Ensure the callback URL in your IdP exactly matches: https://api.engagefabric.com/api/v1/auth/sso/{your-org-slug}/callback

Custom Domains

Configure custom domains for your API and admin console

Team Management

Manage team members and roles