Overview
Single Sign-On (SSO) allows your team members to authenticate using your organization’s identity provider (IdP). This provides centralized authentication management and enhanced security.
What is SSO?
Single Sign-On allows users to:
| Benefit | Description |
|---|---|
| One Password | Use existing corporate credentials |
| Centralized Access | IT controls access from one place |
| Automatic Provisioning | Users created automatically on first login |
| Automatic Deprovisioning | Access revoked when removed from IdP |
| Enhanced Security | Leverage your IdP’s security features |
Supported Identity Providers
Royaltyport supports a wide range of identity providers:
Popular Providers
- Okta (SAML & OIDC)
- Entra ID / Azure AD (SAML & OIDC)
- Google Workspace (SAML & OIDC)
- OneLogin
- JumpCloud SAML
- Auth0 SAML
- Duo SAML
Enterprise Providers
- Microsoft AD FS
- PingFederate
- PingOne
- CyberArk SAML
- Oracle
- Salesforce
- VMware Workspace One
- NetIQ SAML
Other Providers
- ADP (OIDC)
- CAS SAML
- ClassLink SAML
- Cloudflare SAML
- Clever (OIDC)
- Keycloak SAML
- LastPass SAML
- Login.gov (OIDC)
- miniOrange SAML
- Rippling
- Shibboleth
- SimpleSAMLphp SAML
Custom Configuration
- Custom SAML 2.0
- Custom OpenID Connect (OIDC)
The setup process varies by identity provider. The onboarding process provides step-by-step instructions specific to your chosen provider during configuration.
Enabling SSO
Step 1: Add and Verify Your Domain
You must verify at least one domain before configuring an identity provider. The logged-in user must have an email address belonging to the domain they are trying to verify (e.g., to verify yourcompany.com, you must be logged in as user@yourcompany.com).
Add Domain
Go to Organization Settings → Security and click Add Domain. Enter your email domain (e.g., yourcompany.com).
Open Verification
Click the Verify button next to your domain. This opens a new page with DNS verification instructions.
Add DNS Record
Follow the instructions to add a TXT record to your domain’s DNS settings. The exact steps depend on your DNS provider.
Wait for Verification
You can wait on the verification page for automatic detection, return to the Security settings page and check periodically, or close the page entirely — all organization admins will receive an email once the domain is verified. DNS changes can take up to 48 hours to propagate.
Step 2: Configure Your Identity Provider
After at least one domain is verified, you can configure your identity provider:
- Click Configure Provider in the Connection section
- This opens the setup portal
- Select your identity provider (e.g., Google Workspace, Okta, Azure AD)
- Follow the step-by-step instructions provided:
  - Creating an application in your IdP
  - Configuring SAML settings
  - Uploading certificates or metadata
  - Testing the connection
Step 3: Enable SSO
After your provider is configured and active:
- Return to Royaltyport Organization Settings → Security
- Toggle Enable SSO to allow SSO sign-in
- Members with verified domain emails can now sign in via SSO
Step 4: Enforce SSO (Optional)
To require SSO for all users with your domain email:
- Toggle Enforce SSO
- Password login will be disabled for users with your domain email
- New sign-ups from your domain are blocked (must use SSO)
SSO and External Collaborators
SSO is enforced at the organization level. When SSO is enforced:
- Organization members — All organization members must authenticate via SSO. New organization members cannot be created without SSO.
- Project team members — External collaborators from other domains can still be invited as project team members. They authenticate with their own credentials (password or their own organization’s SSO).
Domain Verification
| Status | Description |
|---|---|
| Pending | Verification in progress |
| Verified | Domain ownership confirmed |
| Failed | Verification unsuccessful (check DNS settings or retry) |
SSO Status
The Security page displays:
| Field | Description |
|---|---|
| Connection Name | The name of your configured IdP |
| Connection Type | SAML |
| Status | Active or Inactive |
User Experience
First-Time SSO Login
- User visits Royaltyport login page
- Enters email address
- Redirected to organization’s IdP
- Authenticates with corporate credentials
- Redirected back to Royaltyport
- Account created automatically or linked to existing account
Returning SSO Login
- User visits Royaltyport login page
- Enters email address
- Redirected to IdP (may be instant if already logged in)
- Redirected back to Royaltyport, logged in
Permission Requirements
| Action | Required Role |
|---|---|
| View SSO settings | Admin, Owner |
| Configure SSO | Admin, Owner |
| Enable/disable SSO | Admin, Owner |
| Verify domain | Admin, Owner |
Troubleshooting
SSO login fails
Return to the portal via Configure Provider to check your IdP configuration. Verify the certificate hasn’t expired and that the connection status is Active.
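One way to run the certificate check above against SAML metadata exported from your IdP, as an added example that is not Royaltyport tooling. It assumes the metadata XML is saved locally and openssl is installed; the function names, the 30-day warning window and the constructed idp.example.test sample are assumptions.

```shell
#!/bin/sh
# Added example, not Royaltyport tooling. Requires openssl; names are illustrative.
# Wrap one base64 DER certificate ($1) in PEM armour.
to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$1" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# Print each <X509Certificate> body in metadata file $1, one base64 string per line.
extract_certs() {
  tr -d ' \t\r\n' < "$1" |
    grep -oE '<([A-Za-z0-9]+:)?X509Certificate>[^<]+' |
    sed -E 's/^<[^>]+>//'
}

# Classify certificate $1 against a warning window of $2 days.
cert_status() {
  if ! to_pem "$1" | openssl x509 -noout >/dev/null 2>&1; then echo INVALID
  elif ! to_pem "$1" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then echo EXPIRED
  elif ! to_pem "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then echo EXPIRING
  else echo OK
  fi
}

# Report every certificate in file $1 (window $2 days, default 30); succeed only if all are OK.
check_metadata() {
  report=$(extract_certs "$1" | while IFS= read -r b64; do
    echo "$(cert_status "$b64" "${2:-30}") $(to_pem "$b64" | openssl x509 -noout -enddate 2>/dev/null)"
  done)
  [ -n "$report" ] || { echo NO_CERTIFICATE; return 1; }
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -qvE '^OK '
}

# Constructed sample: write metadata to $1 holding a throwaway cert valid for $2 days.
make_sample_metadata() {
  b64=$(openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj '/CN=idp.example.test' -days "$2" 2>/dev/null | grep -v '^-----' | tr -d '\n')
  cat > "$1" <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test">
 <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:X509Data><ds:X509Certificate>$b64</ds:X509Certificate></ds:X509Data>
 </ds:KeyInfo></KeyDescriptor></IDPSSODescriptor>
</EntityDescriptor>
EOF
}

if [ "$#" -gt 0 ]; then check_metadata "$@"; fi
```

Run it as `sh check.sh idp-metadata.xml 30`; a non-zero exit status means at least one certificate is invalid, expired, or inside the warning window.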
Domain verification fails
DNS changes can take up to 48 hours to propagate. Verify the TXT record is correctly added to your domain’s DNS settings.
User not provisioned
Ensure the user’s email matches a verified domain. They may need to sign in via SSO first to create their account.
Locked out of organization
Contact Royaltyport support if all Owners are locked out due to SSO issues.