Single sign-on (SSO)

Before you set up the SSO configuration for your Fundraise Up account, make sure you have:

• Access to your organization’s IdP account with a user who has the Administrator role (or equivalent).
• Access to your organization’s Fundraise Up account with a user who has the Organization Administrator role.

To set up SSO, first go to your IdP management panel.

1. Create a new SSO application. You can give it any name, for example, “Fundraise Up SSO.”
2. Configure the application with the following SSO parameters:
   • Entity ID (or Audience URL): https://dashboard.fundraiseup.com/sso/saml
   • SSO URL (or ACS URL): https://dashboard.fundraiseup.com/user/saml/consume
   • Name ID format: Select Email Address
3. The IdP will then provide parameters such as Issuer ID, Identity Provider URL, and a Certificate. You should keep these for the next step.

Log in to your Fundraise Up Dashboard and go to Settings → Security.

1. Click Configure under Single sign-on (SSO) configuration.
2. Enter the parameters provided by your IdP and click Verify. Note that after verification, the SSO status is set to Off by default. Once all steps are completed, please refer to the “Enabling and disabling SSO" section on the current page to turn it on.

This is where you enter the parameters provided by your IdPs.

To enable SSO, you must verify the domains of the user email addresses that will log in to the system using SSO.

1. On the same Security page in your Dashboard, under Single sign-on (SSO) domains, click Add domain and enter your domain name.
2. In the modal window, follow the DNS configuration instructions and click Verify.

These are the instructions for verifying domains.

Now, if you enable SSO, only users with email addresses from verified domains can log in with SSO.

Once added, domains will be listed in the Single sign-on (SSO) domains section with details such as domain name, date added, and verification status.

If you were unable to verify your domain the first time, you can complete the process later. Go to the three-dot menu next to the domain listed as Not Verified and select See details. This action will open a modal window with DNS configuration instructions. Follow these instructions, and then click Verify to complete the verification.

If you need to delete a domain verification record, you can do so by clicking the three-dot menu next to the domain and selecting Delete.

Organization Administrators can choose from three SSO enforcement options on the Security page of their Dashboard.

• Off: Single sign-on is disabled. This is the default state for every account. Users must log in to the Dashboard with a username and password.
• Optional: Users can log in with either SSO or with a username and password.
• Required: All users must log in to the Dashboard using SSO only.

Be sure to click the Save changes button at the bottom of the page when you are finished with the configuration.

SSO settings are not inherited between parent accounts and subaccounts; they can have different SSO settings, including not using SSO at all.

Each SSO session last 12 hours, after which users are automatically logged out.

Verified domains are checked automatically every Sunday. If DNS settings are missing, the domain's verification status updates to Not Verified, and users who are logged in with SSO are logged out.

When you first set your SSO enforcement to Required, all current users of your organization's account are automatically logged out and redirected to the login screen (including the Organization Administrator, who sets this up). When they enter their credentials as usual, the login form will immediately prompt them to log in using SSO.

Any new user added after SSO is set to Required will receive an invitation email with an Accept invite button. After successful authorization, an email is sent to the user informing them that they can now log in using SSO.

This is the sample email that your users will receive.

For Optional SSO, users also receive an invitation email with an Accept invite button. Clicking this will take them to the Dashboard. Users then receive a second email with their login and password, along with information that they can log in using SSO, if their email domain has been verified. If the domain is not verified, users will only receive an email with their login and password.

If SSO is enabled for your organization's account, users have two options for logging in.

• By entering an email address in the login form. When a user enters their email as the login, we check that email for SSO compatibility. If the user is eligible to log in with SSO, the password field will be hidden and the Continue with SSO button will appear.

  If SSO is set to Optional in your organization's settings, a user will also be given the option to log in with a password by clicking “Use your password instead” link.

• Direct SSO login. Users who know they can use SSO may click the “Use single sign-on (SSO) instead” link below the login form. They will then need to enter their email and click the Continue with SSO button.

Users who have access to two or more accounts have certain limitations when using SSO:

• A user can only have SSO access to one account at a time, unless the same IdP with the same Issuer ID is used across accounts. When a user logs in from the login page, the system redirects the user to the last account accessed. A user can still log in with a username and password, but only if the last account they accessed has SSO set to Off or Optional.
• Users with SSO access in one account cannot be added to another account with SSO Required/Optional enabled, unless the same IdP (with the same Issuer ID) is used in both accounts.

For accounts with SSO Required, Two-factor authentication (2FA) is not prompted, even if 2FA is required for that account. Learn more →

To check which of your team members can log in to the dashboard using SSO, navigate to Settings → Team. Users who can use SSO will be listed along with their 2FA configuration.

The authentication process that is described in this article is handled through the Fundraise Up login form, which is the recommended method for organizations using SSO. However, you can set up an SSO login directly through applications such as Auth0, Microsoft Entra ID, Okta, or any other IdP. This is not recommended due to the high security risk.

If you still want to use IdP-initiated login, you must ensure that the SAML response is signed. This can be configured in the IdP settings or in the IdP admin console. For example:

• In Auth0, go to the SAML2 settings and set signResponse to true .
• In Microsoft Entra ID, configure the response according to Microsoft’s documentation.
• In Okta, go to your application’s General settings, select “Show advanced settings” and make sure that “Response” is set to “Signed” (which is the default.)