Single Sign On

Figure Eight's Single Sign On (SSO) feature lets users access the Figure Eight platform using
one login. Customers who choose to integrate via SSO can validate usernames and passwords
against their corporate user database rather than having Figure Eight manage separate passwords
for each user.
Federated authentication using Security Assertion Markup Language (SAML) lets you send
authentication and authorization data between Figure Eight and your corporate network. To
enable Single Sign On for your team, contact your Customer Success Manager.

Benefits of Single Sign On

  1. Users have to memorize fewer passwords, which increases usage and saves time.
  2. All password policies that you’ve established for your corporate network are in effect, increasing security for users who have access to sensitive data.

Integration Details

In order to integrate with Figure Eight SSO, the following details are required from each

Provide XML metadata for setup

Option 1:

Provide a URL with IdP metadata (See example below)

Option 2:

Send XML metadata file to Customer Success representative (See example below).
Note: Replace ${certificate} with client certificate


<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>


Set up SAML assertion details in IdP

  • Figure Eight requires the SAML assertion to follow this template.
  • Variables starting with $ are user specific
  • Variables starting with # are Identity Provider (IdP) / customer specific

Important Notes:

  • You will need to specify the following URL in your IdP with customer name
  • Figure Eight enforces the "Conditions" field with "NotBefore" and "NotOnOrAfter" values in assertions. If the assertion reaches Figure Eight more than one hour before the "NotBefore" timestamp value or more than one hour after the "NotOnOrAfter" timestamp value, the assertion will fail. The standard one-hour delta accounts for system time lag or other possible time differences. The customer is responsible for posting the assertion within the time values sent to Figure Eight.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{id}" IssueInstant="#{dateAutogeneratedFromIdP}" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">#{entityId}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">${emailAddress}</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="#{dateAutogeneratedFromIdP}" Recipient="{customer-name[oracle|twitter|etc]}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="#{dateAutogeneratedFromIdP}" NotOnOrAfter="#{dateAutogeneratedFromIdP}">
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="#{dateAutogeneratedFromIdP}">
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="team_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">${uuid}</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">${emailAddress}</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
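
An IdP administrator can test an assertion against the timing rule and the template fields described above before sending it. This is an added example, not Figure Eight's code; the sample assertion, the name check_assertion and the handling of the exact boundary instants are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TOLERANCE = timedelta(hours=1)  # the one-hour delta stated in the notes above
REQUIRED_ATTRIBUTES = ("team_id", "emailAddress")

# Constructed sample assertion: every value is made up and it is unsigned.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml2:Issuer>https://idp.example.com</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="team_id"><saml2:AttributeValue>00000000-0000-0000-0000-000000000000</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="emailAddress"><saml2:AttributeValue>user@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def _utc(ts):
    # Assumes the UTC "Z" form of xs:dateTime; fractional seconds are dropped.
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # input here is a locally built test assertion
    problems = []
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not (name_id.text or "").strip():
        problems.append("NameID missing or not in emailAddress format")
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        problems.append("Conditions must carry NotBefore and NotOnOrAfter")
    else:
        if now < _utc(cond.get("NotBefore")) - TOLERANCE:
            problems.append("too early: more than one hour before NotBefore")
        if now >= _utc(cond.get("NotOnOrAfter")) + TOLERANCE:
            problems.append("too late: more than one hour after NotOnOrAfter")
    present = {a.get("Name") for a in root.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    for name in REQUIRED_ATTRIBUTES:
        if name not in present:
            problems.append(f"missing attribute {name}")
    return problems
```

The check covers only the fields and the time window documented on this page. It does not verify the XML signature, so it is a configuration aid for the IdP side and not a replacement for a SAML library's validation.
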

Provide Redirect URLs

Figure Eight can optionally configure the following URLs so that users are redirected back to their corporate network when required.
If these URLs are not provided, the user is redirected to default Figure Eight pages.
Redirect Error URL: Provide a URL the user should be redirected to when an authentication /
authorization error occurs
Redirect logout URL: Provide a URL the user should be redirected to when the user is logged out
of the Figure Eight platform

Next Steps: Configure SSO in Figure Eight

Once the necessary information has been provided by a customer, Figure Eight admins will
make necessary configurations and enable SSO for all users in the organization.
Figure Eight offers the flexibility to enable SSO in two ways. Both are configuration settings on
the Figure Eight side.
Domain level (recommended): If this mode is used, anyone from a customer with specific
email domain will be required to use SSO and no user with the same email domain has access
to Figure Eight through Figure Eight credentials.
Org level: If this mode is used, only users who are in the organization associated with the
customer will be able to use SSO. Other users using their corporate emails to log in to Figure
Eight continue to use Figure Eight credentials, but they will not have access to the organization
data or jobs. Example, if is part of Figure Eight Org named “Company” he will
use SSO to access the platform. However, if is not part of Figure Eight Org
named “Company” he will not be able to use SSO but can log in using Figure Eight credentials.

Additional Instructions:

  1.  Please note SSO login is only supported for the following scenarios:
    • When the user logs in as a job requestor and is accessing any page on
    • When the user has a job requestor account and is trying to access an internal work link to work as an internal contributor.


Figure 1. How to enable the Internal Channel option
