SSO (Single Sign-On)
Single Sign-On (SSO) is an authentication mechanism that allows a user's identity to be managed by a single, trusted identity provider through which the user can access multiple service providers. SSO is rapidly gaining popularity both for security and compliance purposes, and to improve user experience in an increasingly complex environment of applications and services. When your users have multiple apps and services to navigate, SSO helps keep it safe and simple.
Files.com securely supports the SP (Service Provider) initiated SSO flow and integrates with the most popular SSO providers. Always a leader in security and integration practices, we understand that our service must play well with others. Please contact us if you are looking for an IdP-initiated SSO flow or any other integration in this context. We are happy to help.
SSO integrations are available on Power and Premier plans. Each of our SSO-enabled plans carries different SSO capacities and options, so please review each plan to determine which best fits your needs.
Supported SSO Providers
Files.com integrates with the following SSO providers. Several SSO integrations also support user and group provisioning as configured by the SSO provider application.
Provider | Auth + On-demand Provisioning | SCIM Provisioning |
---|---|---|
Auth0 | ✔️ | |
Box | ✔️ | |
Dropbox | ✔️ | |
✔️ | ||
Idaptiv | ✔️ | ✔️ |
Jumpcloud | ✔️ | ✔️ |
LDAP | ✔️ | ✔️ |
Microsoft Azure | ✔️ | ✔️ |
Microsoft Active Directory | ✔️ | ✔️ |
Okta | ✔️ | ✔️ |
SAML (any provider) | ✔️ | ✔️ |
Slack | ✔️ | |
OneLogin | ✔️ | ✔️ |
Enabling SSO Providers
You can add as many providers as you wish.
To add a provider, log in as a site administrator, type "SSO Providers" in the search box at the top of every page, and click the matching result. Then click the Add provider button.
A table of the various options will appear. Click on the logo of the provider desired and then click the Save button. The new provider will be added to the table of enabled providers. You can also disable any enabled SSO providers from this table.
Files.com offers support for both SAML and OpenID Connect (OIDC) integration with services like Auth0, Microsoft Azure, OneLogin, and Okta. This allows for the secure exchange of authentication and authorization data between an identity provider (IdP) and a service provider (SP).
Auth0, Microsoft Azure, OneLogin, and Okta require additional configuration to complete the initial setup. Please refer to the provider's support documentation to locate your Subdomain, Client ID, and Client Secret.
Additionally, Auth0, Microsoft Azure, OneLogin, and Okta support advanced provisioning options. Click on Advanced to expand the configuration settings and configure the provisioning settings.
Please note that you cannot use the same SSO provider settings (for example, the Application ID or Client ID, Tenant ID, or Secret from your SSO provider) in more than one Files.com site.
Using Multiple SSO Providers
It is possible to use more than one Single Sign On (SSO) provider on your site. Each user will be associated with one SSO provider (or no SSO provider). To provide the same person access via more than one SSO provider, you will need to create two Users on Files.com for that person.
Using Multiple Instances of Same SSO Provider
You can also connect multiple instances of the same IdP or SSO provider on your site. For example, you can create one instance in your IdP for your internal users to authenticate using SSO and another instance in your IdP for your external users to authenticate. You can label each SSO provider using the Display Name field in the Add Provider screen to identify the SSO instance and provider wherever it is displayed, including the login page and when viewing the authentication method of the corresponding users.
SCIM Provisioning
Files.com supports SCIM provisioning, which is designed to integrate seamlessly with popular identity providers that use SAML-based integration, such as Okta, Microsoft Entra ID, JumpCloud, and OneLogin. You can also use SCIM provisioning with SAML (any provider) or with Auth0 using SAML-based integration. Organizations configure SCIM provisioning by establishing a SAML-based connection between their identity provider and Files.com. Once the integration is set up, user provisioning and management can be effectively streamlined. Visit the SCIM Provisioning page for more details.
Assigning User SSO Methods
After an SSO provider has been enabled for a site, site administrators grant SSO access on a per-user basis. Granting this access can be performed when creating a new user or by modifying an existing user's settings. Please note that each unique user can have only one SSO provider assigned.
To assign an SSO method for an existing user, navigate to Settings -> Users and click the username of the user. Next, click Authentication Method and select the desired SSO provider from the dropdown list. Finally, click Save to apply the setting.
Files.com also allows you to Bulk Import or Bulk Create users with any site-enabled SSO providers. To do this, fill the authentication_method column with the name of the SSO provider.
Files.com allows you to have a mix of SSO-authenticated and Files.com password-authenticated users on your site.
For example, you could have your internal users authenticate via an SSO provider, and have your external vendors/partners authenticate with Files.com passwords.
To do this, repeat the navigation steps described above for the user in question, and select your preferred Authentication Method for that user.
Site administrators can change or remove the user's ability to authenticate via SSO at any time by selecting Password from the dropdown list.
Note that, when selecting a new SSO provider for authentication, first ensure that the corresponding user's username is already created in the IdP to avoid any authentication issues. We strongly recommend keeping at least one site administrator configured with Password as the authentication method, rather than assigning all site administrators to use SSO. This password-authenticated site administrator account helps you avoid being locked out of your Files.com site, particularly when you have issues with your IdP or SSO integration.
Logging in With SSO
Once you have enabled an SSO provider, a Sign in with... button for that provider will appear on your site's login page. Users are able to click the appropriate service button to be authenticated via the external service and redirected to their Files.com account.
When logging into Files.com using the SSO provider for the first time, users will be prompted to authorize the connection of their provider account with Files.com.
If a user does not have a current session with the SSO provider, they will be prompted to log in to that provider's service before the Files.com authentication is verified.
Disabling an SSO Integration
Disabling an SSO provider will revoke access for the user accounts that are configured to authenticate using that SSO provider. The login page will also not show the login option for that provider.
To disable an SSO provider, type "SSO Providers" in the search box at the top of every page, and then click the matching result. Locate your provider in the list of configured SSO Providers, edit the SSO provider, and click the Enabled option to toggle the selection to its disabled state.
To re-enable a disabled SSO provider, edit the SSO provider, and click the Enabled option to toggle the selection back to its enabled state.
To remove an SSO provider entirely, site administrators must first modify all user accounts that are currently set to use that SSO provider, and configure them to use another authentication method or provider. You can quickly identify any users set to the provider by looking at the Authentication Method column of the user list. Once there are no users configured to authenticate with the provider, you will be able to remove it.
Switching SSO Providers
Your business may sometimes need to switch to a different SSO provider.
To switch your current SSO provider for Files.com to a new SSO provider, make sure that the new identity provider of your choice is supported before starting your migration. Files.com integrates with most popular SSO providers, and you can check the supported providers list.
Once you pick the new identity provider, follow the corresponding Files.com SSO integration documentation and enable the new SSO provider.
In general, if you face any challenges in migrating the configuration or users from Files.com to the new SSO provider, please refer to the provider's support documentation.
For a SAML-based IdP, work with the SSO IdP to check whether the issuer + audience + username combination can be reused.
For SCIM, make sure the mappings and provisioning are configured properly with the new SSO provider to avoid any duplicate or disabled users in Files.com or in your user directory.
Once the new provider is set up and ready to use, you can edit an individual user's settings to set their Authentication Method to the new provider.
Once all users are updated, you can disable the old SSO provider. With this, all users can now start using your new SSO provider to log in to Files.com.
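As an added example (not Files.com code), the pre-flight check below applies the rules from this page before an old provider is disabled: users still assigned to it would lose access and block its removal, and at least one site administrator should remain on Password. The export format and the username and site_admin column names are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample user export. Only authentication_method is named on this
# page; the username and site_admin columns are assumptions for the example.
SAMPLE_USERS_CSV = """username,site_admin,authentication_method
alice,true,Okta
bob,true,Password
carol,false,Okta
dave,false,Password
"""


def load_users(csv_text):
    """Parse the export into dicts with normalised fields."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.append({
            "username": row["username"].strip(),
            "site_admin": row["site_admin"].strip().lower() == "true",
            "auth": row["authentication_method"].strip(),
        })
    return users


def preflight(users, old_provider):
    """Check whether old_provider can be disabled without cutting anyone off."""
    old = old_provider.casefold()
    # Users still assigned to the old provider lose access when it is disabled,
    # and they also block removing the provider entirely.
    still_assigned = sorted(
        u["username"] for u in users if u["auth"].casefold() == old)
    # Site administrators on Password keep working if the IdP is unavailable.
    password_admins = sorted(
        u["username"] for u in users
        if u["site_admin"] and u["auth"].casefold() == "password")
    return {
        "still_assigned": still_assigned,
        "password_admins": password_admins,
        "lockout_risk": not password_admins,
        "safe_to_disable": not still_assigned and bool(password_admins),
    }


if __name__ == "__main__":
    report = preflight(load_users(SAMPLE_USERS_CSV), "Okta")
    for key, value in report.items():
        print(f"{key}: {value}")
```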
Using SSO with FTP, SFTP, or WebDAV
Single sign-on authentication can only be used with browser-based sessions, or with the Files.com Desktop App.
If the user requires access to FTP/SFTP/WebDAV connections, the authentication method must be set to Password or Active Directory/LDAP.
An alternative approach is for the user to use SSO and then additionally add an SFTP key or an API Key to their user account.
A site administrator can manage the SFTP keys associated with various users. Type "SFTP/SSH Keys" in the search box at the top of every page and then click the matching result.
Users can add their own keys in the web interface by going to My account in the top right menu.
Using SSO with the Files.com Desktop App
We have designed the Files.com Desktop app to allow connecting with SSO user accounts. Follow the instructions to connect your account, and on the login screen click the SSO provider button assigned for that user.
Using SSO with the Files.com Mobile App
Files.com supports Single Sign-On (SSO) login with our iOS and Android mobile applications. To log in using SSO, select the appropriate SSO provider on the login screen and proceed.
Automating The Single Sign On Process When Following a Link
If you want the Files.com web application to send your users straight to an SSO provider rather than displaying the login page, build a link on your external site to a URL on your Files.com site with the URL parameter ?use_sso=1 appended.
For example, send someone a link to: https://mysite.files.com/files/MyFolder/?use_sso=1
This solution only works if you have exactly one SSO provider.