Single sign-on (SSO)
Set up SAML or OIDC SSO for your workspace.
Enterprise SSO lets your team sign in to SchemaForce through your own identity provider, using either SAML or OIDC. It's configured once by the workspace owner and applies to your workspace.
SSO is a Business feature
Single sign-on is available on the Business tier and is set up by the workspace owner. See Plans & billing for what each tier includes.
Setting up SSO
Claim your email domain
Claim the email domain your team signs in with. This is what routes members to your identity provider.
Configure your identity provider
Open the hosted setup portal and configure your identity provider — SAML or OIDC. You'll exchange the usual connection details between SchemaForce and your IdP.
Check status
Check the connection status until it shows active. The connection isn't usable until it's active.
Turn on enforcement and JIT (optional)
Once the connection is active, you can optionally turn on Enforce SSO and just-in-time (JIT) provisioning.
Test SSO login
Run a test sign-in to confirm members are routed to your IdP and land back in the workspace.
Enforcement
Enforcement is per-workspace. When a workspace enforces SSO, a member without a recent SSO sign-in sees a Continue with SSO screen for that workspace. Other workspaces are unaffected — enforcement applies only to the workspace that turns it on.
Just-in-time (JIT) provisioning
With JIT provisioning on, new users who sign in through your IdP are automatically added to the workspace — there's no separate invite step for them.
End-user sign-in
A member signs in by entering their work email. SchemaForce matches the email domain and routes them to your identity provider to authenticate.
Removing SSO
Removing SSO tears the connection down. Any members who were provisioned through SSO get an email to set a password, so they can keep signing in after the connection is gone.