Single sign-on (SSO)

How to set up SSO for your Fundraise Up account.

Single sign-on (SSO) is a technology that allows a user to log into multiple applications with a single username and password. This improves the user experience by reducing the need for multiple passwords and increases organizational security through centralized account management.

Fundraise Up's SSO solution uses the SAML 2.0 protocol, which means you can choose from many third-party Identity Providers (IdPs) to manage your SSO options. Some of the most popular IdPs include Okta, Auth0, Microsoft Entra ID, and others.

Prerequisites

 
Link copied

Before you set up the SSO configuration for your Fundraise Up account, make sure you have:

  • Access to your organization’s IdP account with a user who has the Administrator role (or equivalent).
  • Access to your organization’s Fundraise Up account with a user who has the Organization Administrator role.
Each account can be configured with only one IdP.

Step 1. Set up SSO in the IdP interface

 
Link copied

To set up SSO, first go to your IdP management panel.

  1. Create a new SSO application. You can give it any name, for example, “Fundraise Up SSO.”
  2. Configure the application with the following SSO parameters:
    • Entity ID (or Audience URL): https://dashboard.fundraiseup.com/sso/saml
    • SSO URL (or ACS URL): https://dashboard.fundraiseup.com/user/saml/consume
    • Name ID format: Select Email Address
  3. The IdP will then provide parameters such as Issuer ID, Identity Provider URL, and a Certificate. You should keep these for the next step.
Fundraise Up does not support auto-provisioning, which means we don’t automatically update or delete user profiles when their credentials or status in the IdP change. Users must be manually added or deleted in both the Fundraise Up account and the IdP.

Step 2. Complete SSO configuration in Fundraise Up Dashboard

 
Link copied

Log in to your Fundraise Up Dashboard and go to Settings > Security.

  1. Click Configure under Single sign-on (SSO) configuration.
  2. Enter the parameters provided by your IdP and click Verify. Note that after verification, the SSO status is set to Off by default. Once all steps are completed, please refer to the “Enabling and disabling SSO" section on the current page to turn it on.

This is where you enter the parameters provided by your IdPs.

Step 3. Verify domains

 
Link copied

To enable SSO, you must verify the domains of the user email addresses that will log in to the system using SSO.

  1. On the same Security page in your Dashboard, under Single sign-on (SSO) domains, click Add domain and enter your domain name.
  2. In the modal window, follow the DNS configuration instructions and click Verify.

These are the instructions for verifying domains.

Now, if you enable SSO, only users with email addresses from verified domains can log in with SSO.

Once added, domains will be listed in the Single sign-on (SSO) domains section with details such as domain name, date added, and verification status.

If you were unable to verify your domain the first time, you can complete the process later. Go to the three-dot menu next to the domain listed as Not Verified and select See details. This action will open a modal window with DNS configuration instructions. Follow these instructions, and then click Verify to complete the verification.

If you need to delete a domain verification record, you can do so by clicking the three-dot menu next to the domain and selecting Delete.

How to integrate Okta SSO with Fundraise Up.

Enable and disable SSO

 
Link copied

Organization Administrators can choose from three SSO enforcement options on the Security page of their Dashboard.

  • Off: Single sign-on is disabled. This is the default state for every account. Users must log in to the Dashboard with a username and password.
  • Optional: Users can log in with either SSO or with a username and password.
  • Required: All users must log in to the Dashboard using SSO only.

Be sure to click the Save changes button at the bottom of the page when you are finished with the configuration.

SSO settings are not inherited between parent accounts and subaccounts; they can have different SSO settings, including not using SSO at all.

Having trouble setting up SSO? Read our guide to common SSO setup errors.

SSO session duration

 
Link copied

Each SSO session last 12 hours, after which users are automatically logged out.

Verified domains are checked automatically every Sunday. If DNS settings are missing, the domain's verification status updates to Not Verified, and users who are logged in with SSO are logged out.

How SSO impacts your users

 
Link copied

After the initial setup

 
Link copied

When you first set your SSO enforcement to Required, all current users of your organization's account are automatically logged out and redirected to the login screen (including the Organization Administrator, who sets this up). When they enter their credentials as usual, the login form will immediately prompt them to log in using SSO.

Any new user added after SSO is set to Required will receive an invitation email with an Accept invite button. After successful authorization, an email is sent to the user informing them that they can now log in using SSO.

This is the sample email that your users will receive.

For Optional SSO, users also receive an invitation email with an Accept invite button. Clicking this will take them to the Dashboard. Users then receive a second email with their login and password, along with information that they can log in using SSO, if their email domain has been verified. If the domain is not verified, users will only receive an email with their login and password.

If you are in an SSO-initiated session and the account's SSO status changes to Off, you will be logged out of the Dashboard.

Dashboard login options

 
Link copied

If SSO is enabled for your organization's account, users have two options for logging in.

  • By entering an email address in the login form. When a user enters their email as the login, we check that email for SSO compatibility. If the user is eligible to log in with SSO, the password field will be hidden and the Continue with SSO button will appear.

    If SSO is set to Optional in your organization's settings, a user will also be given the option to log in with a password by clicking “Use your password instead” link.

  • Direct SSO login. Users who know they can use SSO may click the “Use single sign-on (SSO) instead” link below the login form. They will then need to enter their email and click the Continue with SSO button.
Only users with email addresses on verified domains can use SSO to log in. Users cannot be added to a Required SSO account with an email domain that is not verified in that account.

Users who manage multiple accounts

 
Link copied

Users who have access to two or more accounts have certain limitations when using SSO:

  • A user can only have SSO access to one account at a time, unless the same IdP with the same Issuer ID is used across accounts. When a user logs in from the login page, the system redirects the user to the last account accessed. A user can still log in with a username and password, but only if the last account they accessed has SSO set to Off or Optional.
  • Users with SSO access in one account cannot be added to another account with SSO Required/Optional enabled, unless the same IdP (with the same Issuer ID) is used in both accounts.

2FA and SSO

 
Link copied

For accounts with SSO Required, Two-factor authentication (2FA) is not prompted, even if 2FA is required for that account.

To check which of your team members can log in to the dashboard using SSO, navigate to Settings > Team. Users who can use SSO will be listed along with their 2FA configuration.

IdP-initiated login

 
Link copied

The authentication process that is described in this article is handled through the Fundraise Up login form, which is the recommended method for organizations using SSO. However, you can set up an SSO login directly through applications such as Auth0, Microsoft Entra ID, Okta, or any other IdP. This is not recommended due to the high security risk.

By letting the IdP to handle authentication, organizations open themselves up to threats such as man-in-the-middle attacks, where malicious actors intercept and manipulate authentication data. Another risk is replay attacks, where stolen credentials are reused to gain unauthorized access.

If you still want to use IdP-initiated login, you must ensure that the SAML response is signed. This can be configured in the IdP settings or in the IdP admin console. For example:

  • In Auth0, go to the SAML2 settings and set signResponse to true .
  • In Microsoft Entra ID, configure the response according to Microsoft’s documentation.
  • In Okta, go to your application’s General settings, select “Show advanced settings” and make sure that “Response” is set to “Signed” (which is the default.)

Supported features

 
Link copied
Feature Supported by Fundraise Up SSO Description
IdP-initiated SSO Yes An SSO operation that was started from the IdP Security Domain. The IdP federation server creates a federation SSO response and redirects the user to the SP with the response message and an optional operational state.
SP-initiated SSO Yes SAML authentication that is initiated by the Service Provider (SP). This is triggered when the end user tries to access a resource in the Service provider or sign in directly to the SP.
Just-In-Time provisioning No A SAML-based method of creating a user’s account the first time that they sign in.
SP-initiated SLO Yes A process where the logout is initiated by the SP. This occurs when a user signs out of the SP, which then triggers the IdP to log the user out of all connected services.
Force authentication No An administrative option that requires users to re-authenticate through their IdP when trying to access an app. Users must re-authenticate even if they have an active session.

Found a mistake? Is there a missing topic? Hard to read? Let us know

 

In this article