Skip to main content

Configure SSO for your company

Enable your company's users to sign in with SSO

To enable SSO login to Fieldguide, an IT administrator will first need to add an SSO connection to Fieldguide. This typically only needs to be set up once for your company.

Once an SSO connection is added for your company, new users will need to be added to Fieldguide following the SSO user setup steps.

Before you begin​

Only the following options are available for self-service setup:

  • Microsoft Entra ID (formerly known as "Azure AD")

  • Okta

  • Custom SAML

Add an SSO connection

To enable SSO for your company, admins can follow these steps to create an SSO connection:

  1. Contact Fieldguide Support and provide the name of the user who will be setting up the SSO configuration. Our team will add the SSO configuration menu for that user in the Admin settings.

  2. Go to Admin > SSO to access your company's SSO connection settings.

  3. Click +SSO Configuration to begin the SSO setup.

  4. Select your identity provider from the dropdown (Microsoft Entra ID, Okta, or Custom SAML).

  5. Set the Configuration Display name. We recommend calling it "Entra SSO", "Okta SSO", or similar, depending on which identity provider you're using.

  6. Continue the setup by following the steps for your identity provider:

Microsoft Entra ID configuration

Follow these instructions if Entra is your SSO identity provider.

Log into the Entra admin portal and follow these steps:

  1. Go to the Single sign-on menu and choose SAML as your SSO method.

  2. Fill out the SSO setup form in Entra with the required information from Fieldguide.

    • Copy the Connection URN from Fieldguide and use this for the Identifier (Entity ID) in Entra.

    • Copy the Reply URL (also known as ACS URL, or Assertion Consumer Service URL) from Fieldguide and use this as the Reply URL in Entra.

    • Copy the Sign on URL from Fieldguide and use this as the Sign on URL in Entra.

  3. Save the configuration in Entra.

  4. Copy the Login URL from the configuration you saved in Entra and paste it into the Sign in Endpoint in Fieldguide. The Login URL can be found in Section 4 ("Set up Azure AD SAML Toolkit") of the configuration page in Entra.

  5. Download the certificate from Entra in PEM format: Go to Section 3 ("SAML Certificates") of the page and click Edit. Open the 3-dots menu and click PEM certificate download.

  6. Upload the PEM certificate to Fieldguide.

  7. If desired, enable IdP-initiated login.

  8. Click Create SSO Configuration in Fieldguide.

  9. In Entra, go to Attributes & Claims and click Edit. Click on Unique User Identifier (Name ID) under Required claim.


    Set the Name identifier format to "Email address".

  10. This completes the SSO configuration setup. Test your SSO setup to make sure it's working.

Okta configuration

Follow these instructions if Okta is your SSO identity provider.

  1. In Okta, go to Applications and create a new App Integration. Select the option "SAML 2.0". We recommend calling this "Fieldguide" or similar.

  2. Copy the Reply URL (also known as ACS URL, or Assertion Consumer Service URL) from Fieldguide and use this for the Single sign-on URL in Okta. Copy the Connection URN from Fieldguide and use this as the Audience URI in Okta. Set the Name ID format to "EmailAddress".

  3. Go to the next screen and click Finish, creating the application in Okta.

  4. Now that the application is created, go to the Sign On tab for the application in Okta. Copy the Sign on URL (under More details). Paste this into the Sign in Endpoint in Fieldguide.

  5. Next, under SAML Signing Certificates on the same page download the certificate in PEM format and upload it to Fieldguide.

  6. If desired, enable IdP-initiated login.

  7. Once the certificate is uploaded, create the connection in Fieldguide.

  8. This completes the SSO configuration setup. Test your SSO setup to make sure it's working.

Custom SAML configuration

Follow these instructions if you're using a SAML 2.0 identity provider other than Microsoft Entra ID or Okta.

In your identity provider, create a new SAML 2.0 application. Then follow these steps to connect it to Fieldguide:

  1. Copy the following values from the Copy into your identity provider section in Fieldguide and enter them in your identity provider's SAML application settings:

    • Audience URI (SP Entity ID) → Entity ID or Audience in your identity provider

    • Assertion Consumer Service URL (ACS URL) → ACS URL or Reply URL in your identity provider

    • Sign on URL → Sign on URL in your identity provider

  2. In your identity provider, set the Name ID format to Email address.

  3. Copy the sign-in endpoint URL from your identity provider and paste it into the Sign in endpoint field in Fieldguide.

  4. If desired, enable IdP-initiated login.

  5. Download the X.509 signing certificate from your identity provider and upload it to Fieldguide under X.509 Signing Certificate.

  6. Click Save Changes in Fieldguide.

  7. This completes the SSO configuration setup. Test your SSO setup to make sure it's working.

Test the SSO connection

Once the setup with your identity provider is complete, test the SSO connection to make sure it's working. First, complete your own account setup by adding yourself to the proper security group in your user identity system. Then, follow the steps below to sign into Fieldguide via SSO.

  1. Copy your SSO Login URL from Fieldguide.

  2. Sign out of Fieldguide.

  3. Use the SSO Login URL to sign into Fieldguide.

If SSO login fails, your SSO configuration might not be set up correctly. Reach out to [email protected] for help.

Once you've confirmed your SSO connection is working, you're ready to enable SSO login for your company's users.

Set up SSO login for users

Once the SSO configuration is done, you'll need to follow these steps to enable SSO login for users.

Enable SSO for existing users

If you created Fieldguide accounts for any users prior to setting up the SSO connection, follow these steps to enable SSO login for each user:

  1. Look for the user's existing account in Fieldguide under Admin > Users. Make sure their email address matches the one they have in your user identity system. If not, you should update their email in Fieldguide to match.

  2. Add the user to the proper security group in your user identity system.

  3. After this, the user can sign into Fieldguide using your company's SSO Login URL.

Enable SSO for new users

Follow these steps whenever you need to create an SSO-enabled Fieldguide account for a new user:

  1. Create the user's account in Fieldguide. Make sure their email address matches the one they have in your user identity system.

  2. An IT administrator should add the user to the proper security group in your company's user identity system.

  3. Before signing in for the first time, the user will need to verify their email by clicking the link in the invitation email sent by [email protected].

  4. After this, the user can sign into Fieldguide using your company's SSO Login URL.

The invitation email is sent automatically after the user's account is created in Fieldguide. If the user has trouble finding it in their inbox, an admin can send a new invitation by clicking Resend invite in the user's settings.


See also

See here for information on using SSO to log into Fieldguide: SSO login.

Did this answer your question?