
Overview

Single Sign-On (SSO) allows your team members to authenticate using your organization’s identity provider (IdP). This provides centralized authentication management and enhanced security.
SSO functionality is coming soon. This page describes the planned features.
SSO Settings

Accessing SSO Settings

  1. Go to Settings: Navigate to your organization’s Settings.
  2. Click Security: Select the Security tab.
  3. View SSO Section: The SAML Single Sign-On section is at the top.

What is SSO?

Single Sign-On provides the following benefits:

| Benefit | Description |
| --- | --- |
| One Password | Use existing corporate credentials |
| Centralized Access | IT controls access from one place |
| Automatic Provisioning | Users created automatically on first login |
| Automatic Deprovisioning | Access revoked when removed from IdP |
| Enhanced Security | Leverage your IdP’s security features |

Supported Identity Providers

SSO will support SAML 2.0-compatible identity providers, including:

| Provider | Status |
| --- | --- |
| Okta | Planned |
| Azure AD | Planned |
| Google Workspace | Planned |
| OneLogin | Planned |
| Other SAML 2.0 | Planned |

Enabling SSO

These steps will be available when SSO launches.
  1. Enable SSO Toggle: Turn on the Enable SSO switch.
  2. Configure Identity Provider: Enter your IdP settings (Entity ID, SSO URL, Certificate).
  3. Verify Domain: Verify ownership of your email domain.
  4. Test Configuration: Test the SSO connection before enforcing.
  5. Enforce SSO: Optionally require all users to authenticate via SSO.

SSO Configuration

Required Settings

| Setting | Description |
| --- | --- |
| Entity ID | Your IdP’s entity identifier |
| SSO URL | The URL where users are redirected for authentication |
| Certificate | Your IdP’s X.509 certificate for signature verification |

Optional Settings

| Setting | Description |
| --- | --- |
| SLO URL | Single Logout URL for sign-out propagation |
| Enforce SSO | Require all users to authenticate via SSO |
| Auto-provision | Automatically create users on first SSO login |
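
SAML 2.0 identity providers typically publish the values above in a metadata XML document. The following is an added example, not Royaltyport code: it reads the Entity ID, SSO URL, SLO URL and signing certificates from such a document so they can be checked before being entered. The function name `idp_settings`, the host `idp.example.com` and the sample metadata are constructed for illustration, and the certificate bodies are placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: idp.example.com is made up and the certificate bodies are
# placeholder bytes (two signing keys, as seen during a rotation, plus one encryption key).
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   UExBQ0VIT0xERVItQ1VSUkVOVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   UExBQ0VIT0xERVItTkVYVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   UExBQ0VIT0xERVItRU5D</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{BINDING}HTTP-Redirect" Location="https://idp.example.com/slo"/>
  <md:SingleSignOnService Binding="{BINDING}HTTP-POST" Location="https://idp.example.com/sso/post"/>
  <md:SingleSignOnService Binding="{BINDING}HTTP-Redirect" Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml: str, binding: str = "HTTP-Redirect") -> dict:
    """Return Entity ID, SSO URL, SLO URL and signing certificates from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor under the root element")
    def location(tag):  # first endpoint of this type using the requested binding, else None
        for el in idp.findall(f"md:{tag}", NS):
            if el.get("Binding") == BINDING + binding:
                return el.get("Location")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' attribute means signing and encryption
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))  # drop line wrapping
            certs.append({"base64": base64.b64encode(der).decode(),
                          "sha256": hashlib.sha256(der).hexdigest()})
    sso_url = location("SingleSignOnService")
    if not (sso_url or "").startswith("https://") or not certs:
        raise ValueError("need an HTTPS SSO URL and at least one signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso_url,
            "slo_url": location("SingleLogoutService"), "signing_certs": certs}
```

Compare each SHA-256 fingerprint with the one shown in your IdP's admin console before entering the certificate. Metadata fetched over the network is untrusted input, for which `defusedxml` is the usual hardened replacement for ElementTree parsing.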

Domain Verification

Before enabling SSO, you’ll need to verify ownership of your email domain:
  1. Add Domain: Enter your organization’s email domain (e.g., yourcompany.com).
  2. Add DNS Record: Add the provided TXT record to your domain’s DNS.
  3. Verify: Click Verify to confirm domain ownership.

SSO Enforcement

Soft Enforcement

Users can choose to sign in with SSO or email/password.

Hard Enforcement

All users with your domain’s email must use SSO. Email/password login is disabled.
Before enforcing SSO, ensure all users can successfully authenticate through your IdP. Locked-out users will need admin assistance.

User Experience

First-Time SSO Login

  1. User visits Royaltyport login page
  2. Enters email address
  3. Redirected to organization’s IdP
  4. Authenticates with corporate credentials
  5. Redirected back to Royaltyport
  6. Account created (if auto-provisioning enabled) or linked

Returning SSO Login

  1. User visits Royaltyport login page
  2. Enters email address
  3. Redirected to IdP (may be automatic if already logged in)
  4. Redirected back to Royaltyport, logged in

Permission Requirements

| Action | Required Role |
| --- | --- |
| View SSO settings | Admin, Owner |
| Configure SSO | Admin, Owner |
| Enable/disable SSO | Admin, Owner |
| Verify domain | Admin, Owner |

Security Considerations

Plan for certificate rotation before your IdP certificate expires.
Maintain at least one Owner account that can access without SSO in case of IdP issues.
Always test SSO with a few users before enforcing it organization-wide.
Use audit logs to monitor for failed SSO authentication attempts.

Troubleshooting

Check that your IdP configuration matches the settings in Royaltyport. Verify the certificate hasn’t expired.
Ensure auto-provisioning is enabled or manually invite the user before they attempt SSO login.
DNS changes can take up to 48 hours to propagate. Verify the TXT record is correctly added.
Contact Royaltyport support if all Owners are locked out due to SSO issues.