Single sign-on allows you to consolidate user accounts for multiple online services using a single identity provider. SSO is valuable for administrators in that user administration may be done in one location.
When you connect your CA Flowdock organization with a supported SSO provider, users will be able to create a new CA Flowdock account and log in to CA Flowdock using their SSO credentials. Administrators can control whether users must use SSO to log in, or whether they may also have a separate password for CA Flowdock. In addition to provisioning, CA Flowdock SSO supports deprovisioning. Access to your CA Flowdock organization is removed when a user is removed in your SSO provider.
When a user tries to log in at www.flowdock.com with an SSO-enabled account, they are redirected to your SSO provider in order to log in. Similarly, when a user tries to log in using one of CA Flowdock’s apps, they are directed to the mobile website of your SSO provider.
CA Flowdock supports SSO providers that use the following technologies:
- SAML 2.0 for authentication
- SCIM 1.1 for deprovisioning
CA Flowdock has been verified to work with Okta, OneLogin, and Microsoft Active Directory. If you are unsure whether your SSO provider is supported, visit our community page for support.
To get started, visit our community page for support. We will send you the configuration details needed to set up CA Flowdock in your SSO service. You will then be able to generate the required configuration details back to us.
Once enabled, existing users can link their CA Flowdock account with their SSO identity using the user account migration page. This page displays to users when they log in. A link to the page is also on your organization’s users list. The users list displays which users have linked their account to their SSO identity. The CA Flowdock user account for new users will be created when they log in for the first time.
During the transition period, users can log in to CA Flowdock using both their SSO identity and their CA Flowdock password. Once the migration period is over, an administrator can disable CA Flowdock password logins and may remove those users who have not migrated from the organization. These users will be able to rejoin the organization when they complete the migration.
CA Flowdock user sessions are kept running for a long time. With a normal login, as long as the user opens CA Flowdock once every two weeks, they will stay logged in. If a user selects Remember me when they login, their sessions will stay active for three months.
Because of the long running sessions, CA Flowdock supports deprovisioning. When a user is removed from an SSO provider, they are removed from the SSO-enabled CA Flowdock organization at the same time. They are also removed from any possible child organizations. If the user is logged in to CA Flowdock, they will no longer be able to access any flows or people that are in your organization. If their SSO account is re-enabled, they can rejoin with their old CA Flowdock account.
Some SSO providers support suspending user accounts and reflect this through SCIM. Suspending a user will log them out of all of their sessions, which will require them to re-authenticate through the SSO provider.
Note that not all SSO providers support SCIM for deprovisioning. Deprovisioning is not supported with these providers. CA Flowdock support can help clarify whether SCIM is supported with a specific SSO provider.
Administrators of an SSO-enabled organization can create non-SSO users from the organization’s users list. These types of accounts can be useful for things like bots.
Users who are always allowed to log in using password or other non-SSO (such as CA Agile Central and Google) methods:
- Users in your organization that have no SSO identity connected