
SSO (Single Sign-On)

Single Sign-On (SSO) lets your users log in to Files.com with the same credentials they use for the rest of your organization. Instead of managing a separate Files.com password, each user authenticates through your identity provider (IdP). Files.com trusts that authentication and grants access.

This keeps credential management centralized. Password policies, MFA requirements, and access controls stay in one place. When someone leaves your organization and you disable their IdP account, their Files.com access is revoked at the same time.

SSO integrations are available on Power and Enterprise plans. Files.com supports both SP-initiated and IdP-initiated SSO flows.

Supported SSO Providers

Files.com integrates with the following SSO providers. Several integrations also support user and group provisioning.

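| Provider | Auth + On-demand Provisioning | SCIM Provisioning |
| --- | --- | --- |
| Auth0 | ✔️ | |
| Box | ✔️ | |
| Dropbox | ✔️ | |
| Duo | ✔️ | ✔️ |
| Google | ✔️ | |
| JumpCloud | ✔️ | ✔️ |
| LDAP / Microsoft Active Directory | ✔️ | ✔️ |
| Microsoft Entra ID | ✔️ | ✔️ |
| Okta | ✔️ | ✔️ |
| SAML (any provider) | ✔️ | ✔️ |
| Slack | ✔️ | |
| OneLogin | ✔️ | ✔️ |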

Enabling SSO Providers

You can add as many SSO providers as you want. Files.com supports both SAML and OpenID Connect (OIDC). SAML is the recommended protocol for most integrations. It supports automated provisioning and covers more use cases than OIDC.

To add a provider, go to SSO Providers in site settings, select the provider type, and complete the connection form. Each provider page linked in the table above has step-by-step instructions.

You cannot use the same SSO provider settings (for example, Application ID, Client ID, Tenant ID, or Secret) across more than one Files.com site.

Using Multiple SSO Providers

You can enable more than one SSO provider on a site. Each user belongs to one provider. To give one person access through two providers, create two user accounts for them.

Multiple Instances of the Same Provider

You can configure multiple instances of the same identity provider using SAML. This supports separate authentication setups for different teams or business units within an organization.

For SSO providers Files.com supports via OAuth, only one OAuth instance per provider is allowed per site. Multiple OAuth instances of the same provider conflict with each other. When you need additional instances, configure them with SAML.

Use the Display Name field in Add SSO Provider to identify each instance on the login page and in user authentication details.

If you need separate Files.com applications for different teams, departments, subsidiaries, brands, or projects, Child Sites are the better fit. Each child site runs on its own subdomain with independent content and settings while remaining associated with the primary account. Child sites simplify user management, including provisioning and deprovisioning, by keeping authentication and site settings separate for each group.

Automated Provisioning

Files.com supports automated user provisioning through SCIM provisioning and JIT (Just-in-Time) provisioning.

SCIM provisioning is the recommended approach for automated user lifecycle management. It continuously synchronizes users and groups between your identity provider and Files.com, handling user creation, attribute updates, group assignments, and account deactivation.

You configure SCIM provisioning by establishing a SAML-based connection between your identity provider and Files.com. Once you set up the integration, user provisioning and lifecycle management run through your identity provider.

JIT provisioning is simpler: Files.com creates user accounts the first time someone signs in through SSO. It requires minimal setup but does not handle ongoing user lifecycle management.

See Automated Provisioning for setup details.

Assigning User SSO Methods

Once you enable an SSO provider, Site Administrators assign it to users individually, either when creating a new user or by editing an existing user's Authentication Method. Each user can have only one SSO provider assigned.

To assign SSO to an existing user, update the Authentication Method in the user's details and select the SSO provider.

Files.com also supports Bulk Import or Bulk Create for users with any site-enabled SSO providers. Fill the authentication_method column with the name of the SSO provider.

You can mix SSO-authenticated and password-authenticated users on the same site. For example, internal users can authenticate through an SSO provider while external vendors and partners use Files.com passwords.

Site Administrators can change or remove a user's SSO assignment at any time by selecting Password from the Authentication Method dropdown.

Keep at least one Site Administrator configured with password authentication. A password-authenticated administrator prevents you from being locked out if your identity provider is unavailable.

When manually switching a user's SSO provider, confirm the user's username matches what the new provider will send before making the change. If the username does not correspond to the new provider, Files.com locks the account with no option for the user to reset their own password. The username also stays locked until a Site Administrator changes the authentication method back to a non-SSO method.

Logging in With SSO

After you enable an SSO provider, a Sign in with... button for that provider appears on your site's login page. Users click it to authenticate through the external provider and Files.com redirects them to their account.

On first login through an SSO provider, users must authorize the connection. If they don't have an active session with the provider, they must log in there first.

Hiding an SSO Provider From the Login Page

Site Administrators can hide a provider's Sign in with... button on a per-provider basis. Hiding the button does not disable the provider. Users can still authenticate through the provider's own app panel or any other entry point that initiates the SSO flow. This is useful when SSO applies to a small subset of users and you want to avoid confusion for others on the login page.

Monitoring SSO Events

Track SSO login attempts and LDAP sync and login events through Event Channels. Subscribe to SAML Login, LDAP Login, or LDAP Sync events and route them to a SIEM, webhook, Slack, or other target to monitor authentication activity in real time.

History Logs record authentication and login activity and are useful for investigating access issues. For provisioning activity, SCIM Logs show what was created, updated, or deactivated and when.

Admin email preferences cover LDAP sync failures only. For SAML login failures and LDAP login failures, set up subscriptions in Event Channels.

Disabling an SSO Integration

Disabling an SSO provider revokes access for all users configured to authenticate through it. The login page stops showing the provider's login option.

To disable a provider, edit it in SSO Providers and toggle Enabled off.

To remove a provider entirely, first reassign all users configured to use it to another authentication method. You can identify them by the Authentication Method column in the user list. Once you have reassigned all users, you can remove the provider.

Switching SSO Providers

Do not disable the old provider before the new one is fully configured and tested. Users assigned to the old provider lose access the moment it is disabled, and they cannot log in until they are reassigned.

Confirm the new identity provider is supported and follow its integration documentation to enable it on your site.

For a SAML-based provider, confirm with the provider whether the issuer, audience, and username combination can be reused before cutover.

For SCIM, configure the mappings and provisioning with the new provider before cutover. Cutting over without this in place can result in duplicate or disabled users in Files.com.

Once the new provider is configured, update each user's Authentication Method to the new provider. Once all users are updated, disable the old provider.
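The pre-cutover checks described above (username match against the new provider, and a password-authenticated Site Administrator as a fallback) can be scripted against a user export. The following is an added example, not Files.com code: the export layout, the `username` and `site_admin` column names, the provider name "Old IdP", and the sample data are assumptions; only `authentication_method` and the `Password` method name come from this page.

```python
import csv
import io

# Constructed sample export. "authentication_method" is the column named on
# this page; "username" and "site_admin" are assumed column names.
SAMPLE_EXPORT = """username,authentication_method,site_admin
alice@example.com,Old IdP,true
bob,Old IdP,false
carol@example.com,Old IdP,false
dave@example.com,Password,false
vendor1,Password,false
"""

# Constructed list of usernames the new provider will send at login.
NEW_IDP_USERNAMES = {"alice@example.com", "bob@example.com", "carol@example.com"}


def audit_cutover(export_csv, old_provider, new_idp_usernames):
    """Return findings to resolve before reassigning users to a new provider."""
    to_migrate, mismatched, password_admins = [], [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["username"].strip()
        method = row["authentication_method"].strip()
        is_admin = row["site_admin"].strip().lower() == "true"
        if method == old_provider:
            to_migrate.append(name)
            # Exact comparison: a username the new provider will not send
            # would leave the account locked after the switch.
            if name not in new_idp_usernames:
                mismatched.append(name)
        # Break-glass check: an admin who can log in without any IdP.
        if is_admin and method == "Password":
            password_admins.append(name)
    return {
        "to_migrate": to_migrate,            # must be empty before removing the old provider
        "username_mismatch": mismatched,     # fix these before changing the method
        "password_admins": password_admins,  # should never be empty
        "safe_to_cut_over": not mismatched and bool(password_admins),
    }


if __name__ == "__main__":
    for key, value in audit_cutover(SAMPLE_EXPORT, "Old IdP", NEW_IDP_USERNAMES).items():
        print(f"{key}: {value}")
```

On the sample data the audit flags `bob` as a username the new provider will not send and reports that no Site Administrator uses password authentication, so the cutover is not yet safe.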

SSO With Parent and Child Sites

Each site's SSO providers apply only to users defined on that site.

A user who belongs to a parent site authenticates through the SSO provider configured on the parent site, even when their access is limited to a child site's paths. You do not need to configure the same provider on child sites.

Configure SSO providers only on the site where your users are defined.

SSO With FTP, SFTP, or WebDAV

SSO authentication works only with browser-based sessions and the Files.com Desktop App. FTP, SFTP, and WebDAV connections require password or Active Directory/LDAP authentication.

Users who need both SSO and protocol access can authenticate with SSO and separately add an SFTP key or API key to their account. Users can add their own keys from My account in the top-right menu.

SSO With the Files.com Desktop and Mobile Apps

The Files.com Desktop App and iOS and Android mobile apps both support SSO login. Authenticate using the SSO provider assigned to your account.

To send users directly to your SSO provider instead of showing the Files.com login page, append ?use_sso=1 to any Files.com URL.

For example: https://mysite.files.com/files/MyFolder/?use_sso=1

This works only when exactly one SSO provider is configured on the site.