This guide is the fourth step for adding SSO to your Frontegg application. The guide is meant for users from a customer account to follow.

See the Account Environment Guide for instructions on how a vendor can do the following steps on behalf of their customer accounts.

After following this guide, users from customer accounts can access the SSO settings in the Admin Portal and configure their identity provider.

  1. Enable SAML or OpenID Connect in Login Box
  2. Configure SAML or OpenID Connect
  3. Enable SSO for Admin Portal
  4. 👉 Configure customer identity provider 👈

📘

Users need information from their customer IDP account to complete this step. They need either the XML file or the SSO Endpoint and Public Certificate. See guides below for help finding that information for specific IDPs.

Configure Identity Provider

The user should follow the steps below to configure the identity provider in the Admin Portal for a customer account. You can guide them through it or just send them a link to these instructions.

STEP 1: Find Admin Portal

The user should go to the Admin Portal ➜ SSO.

📘

To access the Admin Portal, review the Admin Portal introductory guide.


📘

SSO Permissions

If a user cannot see SSO in the Admin Portal, make sure they are assigned a role with SSO permissions.


STEP 2: Configure IDP

Click the add new button to configure an identity provider and complete the form.


We recommend selecting automatic. It results in the same configuration as manual but is less prone to errors, because the values are read from the metadata file instead of being copied by hand.

After selecting automatic, the user needs to upload the XML file from the identity provider.


📘

If the IDP does not offer an XML download, the user may need to copy the XML data from the IDP, save it to an .xml file, and then upload that file to the Admin Portal.


If the user selects manual, they need to enter the SSO Endpoint and Public Certificate from the identity provider.

For examples and explanations, follow the relevant configuration guide below.
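As an added example (not Frontegg's code and not part of this guide), the script below reads SAML identity-provider metadata XML and pulls out the values the manual form asks for, the SSO Endpoint and the Public Certificate, so a user can confirm the file they are about to upload is really IdP metadata and contains a signing certificate. The metadata document is constructed for the example and its certificate body is a placeholder, not a real certificate; element names follow the SAML 2.0 metadata schema.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata; the certificate body is a placeholder, not a real X.509 cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TUlJQ3BsYWNlaG9sZGVyY2VydGJ5dGVz
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of the DER certificate, ignoring the line wrapping IdPs add to it."""
    der = base64.b64decode("".join(b64_cert.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the manual SSO form needs: SSO endpoints per binding and the signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. "HTTP-POST"
        endpoints[binding] = svc.get("Location")
    # Prefer a KeyDescriptor marked use="signing"; an unmarked one may be used for both purposes.
    certs = [(kd.get("use"), kd.findtext(".//ds:X509Certificate", namespaces=NS))
             for kd in idp.findall("md:KeyDescriptor", NS)]
    signing = [c for use, c in certs if use in (None, "signing") and c]
    if not signing:
        raise ValueError("no signing certificate in metadata")
    cert = "".join(signing[0].split())
    return {"entity_id": root.get("entityID"), "sso_endpoints": endpoints,
            "certificate": cert, "fingerprint_sha256": cert_fingerprint(cert)}
```

The fingerprint lets the user compare the certificate in the file against the one shown in the IdP's own console before uploading; a mismatch or a missing signing certificate is a sign the wrong metadata document was exported.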

STEP 3: Claim Domain

After configuring the identity provider, the user needs to claim one or more domains for the customer account.

The user should claim a domain if the customer account uses Frontegg for authentication in an application hosted on that domain.

The user needs to copy the DNS record info into a new TXT record with their DNS provider.


Users can configure multiple domains for a customer account. This might be useful if the customer has multiple environments for development or multiple production applications on separate domains.

📘

Control which users can configure SSO and therefore claim domains by configuring the Roles and Permissions.

STEP 4: Manage Authorization

Select which Frontegg roles should be assigned to SSO users by default and also map IDP groups to Frontegg roles.

Roles assigned to users through SSO apply regardless of any additional roles you assign to those users.

Default SSO Roles

Assign default roles to all SSO users by adding one or more Frontegg roles from your list of predefined roles.


Every role you include in the input is assigned to all SSO users.

Mapping Groups to Roles

The customer account can also map IDP groups to Frontegg roles to automatically assign Frontegg roles to users based on which IDP group the user belongs to.

For the mapping to work, first configure your IDP so that the group attribute it sends is named groups.

Then, in the SSO form in the Portal, they should enter a group name that matches a group name in their IDP.


Here is an example of how to find IDP group names in Okta.

The roles available for you to map to your IDP groups come from a predefined list of roles.

SSO Status

After configuring SSO, the customer account can manage the settings through the Admin Portal.

Be sure to toggle the new connection on.


📘

You can map more than one role to each SAML identity provider group.
