Overview
Fentu FSM supports Single Sign-On (SSO), allowing your users to log in with the same identity they use across your organization — no separate Fentu password required. SSO is configured at the administration level and applies to all users in your organization.
SSO requires an active subscription tier that includes identity provider integration. Contact your Fentu account manager to confirm your plan supports SSO.
Supported Identity Providers
Fentu FSM uses the SAML 2.0 and OpenID Connect (OIDC) protocols, compatible with major identity providers:
| Provider | Protocol | Notes |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 / OIDC | Recommended for Microsoft 365 organizations |
| Okta | SAML 2.0 / OIDC | |
| Google Workspace | OIDC | |
| OneLogin | SAML 2.0 | |
| Ping Identity | SAML 2.0 | |
| Custom IdP | SAML 2.0 | Any SAML 2.0-compliant provider |
How SSO Works
When SSO is enabled, Fentu FSM acts as the Service Provider (SP). Your identity provider (IdP) handles authentication. The flow is:
- User navigates to your Fentu FSM login URL
- Fentu FSM redirects the user to your IdP
- User authenticates with their existing organizational credentials
- IdP returns a signed assertion to Fentu FSM
- Fentu FSM validates the assertion and logs the user in
User accounts are still managed in Fentu FSM (roles, permissions, branch assignments). SSO only handles the authentication step — it does not provision or deprovision users automatically unless SCIM is also configured.
Configuring SSO
Step 1 — Gather Fentu FSM SP Metadata
Step 2 — Configure Your Identity Provider
Register Fentu FSM as an application in your IdP using the SP metadata from Step 1. The exact steps depend on your provider:
Microsoft Entra ID (Azure AD)
- Open the Azure Portal and go to Entra ID > Enterprise Applications > New Application > Create your own application
- Select Integrate any other application you don’t find in the gallery
- Under Single sign-on, choose SAML
- Set Identifier (Entity ID) and Reply URL (ACS URL) from the Fentu FSM SP metadata
- Under Attributes & Claims, map:
  - user.mail → email
  - user.givenname → firstName
  - user.surname → lastName
- Download the Certificate (Base64) and the App Federation Metadata URL
Okta
- In the Okta Admin Console, go to Applications > Create App Integration
- Select SAML 2.0
- Set Single sign-on URL to the Fentu ACS URL
- Set Audience URI (SP Entity ID) to the Fentu Entity ID
- Under Attribute Statements, map:
  - email → user.email
  - firstName → user.firstName
  - lastName → user.lastName
- Download the Identity Provider Metadata XML
Google Workspace
- In the Google Admin Console, go to Apps > Web and mobile apps > Add App > Add custom SAML app
- Download the IdP metadata from Google on the first screen
- Set ACS URL and Entity ID from the Fentu FSM SP metadata
- Under Attribute mapping, add:
  - email → Basic Information > Primary email
  - firstName → Basic Information > First name
  - lastName → Basic Information > Last name
Step 3 — Enter IdP Details in Fentu FSM
Upload or Paste IdP Metadata
Either upload the IdP metadata XML file, or enter the values manually:
| Field | Description |
|---|---|
| IdP Entity ID | Issuer URL from your identity provider |
| IdP SSO URL | The IdP endpoint where users are sent to authenticate |
| IdP Certificate | X.509 certificate used to sign SAML assertions |
| Attribute Mapping — Email | IdP attribute that contains the user’s email address |
| Attribute Mapping — First Name | IdP attribute for first name |
| Attribute Mapping — Last Name | IdP attribute for last name |
Save and Test
Click Save, then click Test SSO Connection to verify the configuration before enabling it for all users.
Logging In with SSO
Once SSO is enabled, the login flow changes for your users:
Enter Email
Type your organizational email address. Fentu FSM detects the SSO domain and shows the “Sign in with SSO” button.
Managing SSO Users
User Provisioning
SSO handles authentication only. User accounts must still be created in Fentu FSM before users can log in:
- Create the user in Administration > Users
- Set the user’s email address to exactly match the email in your IdP
- Assign the appropriate role and branch
- The user does not need to set a Fentu password when SSO is active
The email address is the key that links the Fentu user account to the IdP identity. If they do not match exactly, authentication will fail.
Disabling SSO for a User
To allow a specific user to log in with a local password (for example, an emergency admin account):
- Open the user record in Administration > Users
- Toggle off “Require SSO”
- Set a temporary password for the user
- The user can now log in directly without going through the IdP
Troubleshooting SSO
| Symptom | Likely Cause | Resolution |
|---|---|---|
| “User not found” after IdP redirect | Email in IdP does not match Fentu user record | Align email addresses between IdP and Fentu |
| “Invalid signature” error | Wrong IdP certificate entered | Re-download and upload the IdP signing certificate |
| Redirect loop on login | ACS URL misconfigured in IdP | Verify the ACS URL matches https://app.fentu.io/saml/acs |
| Users can’t log in after enabling SSO | SSO enabled before testing | Use admin fallback account to correct the configuration |
| “Attribute not found” for name | Attribute mapping not set | Check attribute mapping in both IdP and Fentu SSO settings |
Related Documentation
Two-Factor Authentication
Add a second layer of security on top of SSO or password login
User Management
Create and manage user accounts, roles, and branch assignments
