Last updated:

Set up single sign-on (SSO) with SafetyCulture

Learn how to set up single sign-on (SSO) for your SafetyCulture organization via the web app.

Why set up single sign-on?

Single sign-on (SSO) is a great way to mitigate site access risks and reduce password fatigue from different username and password combinations. With SafetyCulture, you can set up SSO with any authentication solution that utilizes the Security Assertion Markup Language (SAML) 2.0 standard. This includes some of the most common solutions such as Active Directory (ADFS, Azure), PingFederate, Google, and Okta.

Please note that our customer support team can only provide limited help for single sign-on, user provisioning, and integrations via third-party platforms such as Power Automate, Power BI, and Zapier. If your organization is on the Enterprise Plan, please contact your customer success manager for assistance.

How do I get started with single sign-on?

You just need to make sure your organization is on the Premium Plan or Enterprise Plan and that your single sign-on solution utilizes the Security Assertion Markup Language (SAML) 2.0 standard. If you're not sure, you can confirm with your IT team.

If your organization uses Azure Active Directory for single sign-on, and you want to set up JIT user provisioning, you can also refer to Microsoft's support article for instructions.

Please note that the Microsoft Gallery app currently doesn't support SCIM user provisioning.

Single sign-on connections are organization-specific. If you’re a part of multiple organizations and want to set up a single SSO connection for all your organizations, please contact your Customer Success Manager for assistance.

Single sign-on options

You can set up either SAML or ADFS SSO with one of the following options:

  • Service Provider (SP)-initiated SSO (recommended): A user that tries to log in via SafetyCulture will be automatically redirected to your company's SSO portal for authentication. A successful authentication will automatically redirect the user back to SafetyCulture.

  • Identity Provider (IdP)-initiated SSO: A user that tries to log in via SafetyCulture must start from your company's SSO portal for authentication. A successful authentication will take the user to SafetyCulture.

Set up single sign-on (SSO)

  1. Log in to the web app.

  2. Click your organization name on the lower-left corner of the page and select Organization settings.

  3. Select Security on the top of the page.

  4. Click Set up in the "Single sign-on (SSO)" box. Set up single sign-on (SSO) via the web app.

  5. Select which SSO connection you want to use and configure your connection accordingly.

  6. Click Complete setup.

  7. Click Close.

Configure Generic SAML

SafetyCulture uses Auth0 as the SSO broker, which requires the following settings:

  • Assertion-consumer Service URL (Application Callback URL)

  • Entity ID (Audience)

This information is provided during the SSO setup process within the SafetyCulture web app. If the Identity Provider offers a choice for bindings, you should select "HTTP-Redirect" for the authentication request.

An example of a SAML single sign-on setup on the web app.

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) is a commonly used SSO solution that's created by Microsoft. ADFS manages authentication through a proxy service, hosted between a company's Active Directory and SafetyCulture.

ADFS Web Services Federation

Follow the instructions to connect SafetyCulture as an app to ADFS and apply the following settings where required:

  • Realm Identifier:

    urn:auth0:safetyculture

  • Relying Party Trust identifier:

    urn:auth0:safetyculture

  • Endpoint:

    https://safetyculture.au.auth0.com/login/callback

ADFS SAML WebSSO

Follow the instructions to add SafetyCulture as a relying party and apply the following settings where required.

  • Display Name:

    urn:auth0:safetyculture.au.auth0.com

  • Relying party trust identifier:

    urn:auth0:safetyculture.au.auth0.com

  • Post-back URL:

    https://safetyculture.au.auth0.com/login/callback?connection={name_provided_in_app}

  • Entity ID:

    urn:auth0:safetyculture

Frequently asked questions

Yes, you can restrict your organization's users to logging in via your SSO provider by setting your SSO login type to "Allow SSO login only".

Yes, you can do so by updating your organization's SSO login type setting to "Enforce SSO for named domains". Once selected, the setting will enforce SSO login based on a user's account email.

  • If a user's email domain matches the ones configured for their organization's SSO connection, they can only log in using their SSO account.

  • If a user's email domain doesn't match the ones configured for their organization's SSO connection, they can log in using their password and still have the option of using their SSO account if it applies to them.

It's likely that you haven't set the "email" attribute or claim in your SAML responses. Please check if you have an attribute called "email" in your SAML responses. If the email in the response isn't called "email", please rename the field to "email".

If the above steps still don't resolve the problem, please reach out to your point of contact from SafetyCulture for assistance.

Once the single sign-on for your organization is set up successfully, you can enable IdP-initiated login via the web app:

  1. Log in to the web app.

  2. Click your organization name on the lower-left corner of the page and select Organization settings.

  3. Select Security on the top of the page.

  4. Click Pencil iconEdit in the "Single sign-on (SSO)" box.

  5. Turn IdP initiated login on. The Identity Provider (IdP)-initiated login setting for single sign-on with SafetyCulture.

  6. Click Save changes.

Please reach out to your point of contact from SafetyCulture for assistance.

No, you don't need to verify the email domains for your organization's SSO to work. However, if you want to use just-in-time (JIT) provisioning for your organization, you'll need to verify the email domains.

To update your SSO connection, you would need to delete it and then set it up again with the updated information:

  1. Log in to the web app.

  2. Click your organization name on the lower-left corner of the page and select Organization settings.

  3. Select Security on the top of the page.

  4. In the "Single sign-on (SSO)" section, click Pencil iconEdit.

  5. Click Delete SSO connection. Delete your existing single sign-on (SSO) setup via the web app.

  6. In the pop-up window, click Delete.

Need more help?
In this article