SSO Configuration

Introduction

This release introduces SSO Configuration in Unifize.

Workspace admins can now set up Single Sign-On using SAML 2.0, connecting Unifize to their company’s identity provider — such as Microsoft Entra ID, Okta, or Google Workspace. Once configured, users in the org are authenticated through the identity provider instead of a Unifize password.

A single Unifize org can now support more than one SSO configuration. Each configuration is mapped to specific email domains, so organisations with users spread across multiple identity provider tenants can authenticate all of them through SSO without needing separate Unifize orgs.

Problems This Solves

1. Organisations with users across more than one identity provider tenant could not fully adopt SSO

Each Unifize org was previously limited to one SSO configuration. If an organisation managed users across more than one identity provider tenant — for example, separate Microsoft Entra ID directories for different subsidiaries — it was not possible to configure SSO so that users from all tenants could log in through SSO. Users in the additional tenants were excluded.

Admins can now add multiple SSO configurations to a single org. Each configuration has its own domain mapping, identity provider credentials, and certificate. Unifize checks a user’s email domain at login and routes them to the matching configuration automatically.

2. There was no way to create a direct login link for a specific tenant when multiple were configured

The Sign on URL is a direct link that triggers SSO login for an org. With only one configuration per org this was unambiguous. Once multiple tenants are supported, the URL defaults to the first configured tenant, making it impossible to send users directly to a specific tenant’s login without a workaround.

An optional domain parameter has been added to the Sign on URL format. Appending the domain of a specific tenant to the URL routes users directly to that tenant’s identity provider. The previous URL format continues to work and defaults to the first configured tenant for backward compatibility.

3. Updating a user’s email in Unifize did not move them to the correct SSO tenant

When a user’s email address was updated in Unifize to one whose domain belongs to a different SSO tenant, the system updated the email but left the user associated with their original tenant. Their login would then route incorrectly.

Unifize now re-evaluates which tenant a user belongs to when their email is updated. If the new email domain maps to a different tenant, the user is migrated to that tenant automatically. No manual action is needed from the admin.

4. SSO configuration field labels did not match the identity provider’s setup interface

When configuring SSO, admins copied values between Unifize and their identity provider’s admin console. The field names in Unifize — such as Service Provider Entity ID and Org SSO URL — did not match the labels used in Microsoft’s SAML configuration page. This caused confusion when mapping values between the two systems.

All SSO configuration field labels in Unifize have been renamed to match Microsoft’s SAML interface. Admins can now find the exact matching field name in both Unifize and their identity provider console without translation.

What’s Included in this Release

  • Multiple SSO configurations per org. Admins can add more than one SSO tenant to a single Unifize org from Org Settings → SSO. Each tenant has its own Domain, Microsoft Entra Identifier, Login URL, and Certificate (Base64).

  • Automatic domain-based routing. When a user logs in, Unifize checks their email domain against all configured tenants and routes them to the correct identity provider. No manual selection is required.

  • Sign on URL domain parameter. A new optional domain parameter on the Sign on URL lets admins create direct login links for specific tenants: /sso-redirect?slug=<nick-name>&domain=<domain>. The previous URL format continues to work.

  • Automatic tenant migration on email change. When a user’s email is updated in Unifize and the new domain belongs to a different configured tenant, the user is automatically moved to the correct tenant.

  • Updated field labels. SSO configuration field labels have been renamed to match Microsoft’s SAML setup interface. A full reference of old and new names is included in the admin guide.

Note: The Sign on URL displayed in the Unifize settings page currently shows the previous format only. The domain-scoped format is functional but must be constructed manually.
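The three routing rules described in this release (email-domain routing at login, the optional domain parameter on the Sign on URL with its first-tenant default, and tenant re-evaluation on email change) are illustrated below. This is an added example, not Unifize's own code; the tenant values are constructed, and the behaviour for an email domain that maps to no tenant (returning None) is an assumption the release notes do not state.

```python
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class SsoTenant:
    """One SSO configuration, using the renamed field labels from this release."""
    domain: str            # Domain (lower-case, no trailing dot)
    entra_identifier: str  # Microsoft Entra Identifier
    login_url: str         # Login URL
    certificate_b64: str   # Certificate (Base64); constructed placeholder here


# Constructed sample org with two tenants; the first one is the default.
TENANTS: Sequence[SsoTenant] = (
    SsoTenant("contoso.example", "urn:example:tenant-a", "https://idp-a.example/saml2", "MIIC...A"),
    SsoTenant("fabrikam.example", "urn:example:tenant-b", "https://idp-b.example/saml2", "MIIC...B"),
)


def normalise_domain(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def email_domain(email: str) -> str:
    # Domain is everything after the last "@"; anything else is rejected.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return normalise_domain(domain)


def tenant_for_domain(tenants: Sequence[SsoTenant], domain: str) -> Optional[SsoTenant]:
    # Exact match only: a suffix match would let "evil.contoso.example" hit contoso.example.
    wanted = normalise_domain(domain)
    return next((t for t in tenants if t.domain == wanted), None)


def tenant_for_login(tenants: Sequence[SsoTenant], email: str) -> Optional[SsoTenant]:
    return tenant_for_domain(tenants, email_domain(email))


def tenant_for_sign_on_url(tenants: Sequence[SsoTenant], url: str) -> Optional[SsoTenant]:
    # /sso-redirect?slug=<nick-name>&domain=<domain>; without domain, the first tenant.
    domain = parse_qs(urlparse(url).query).get("domain", [None])[0]
    return tenants[0] if domain is None else tenant_for_domain(tenants, domain)


def tenant_after_email_change(tenants: Sequence[SsoTenant], current: Optional[SsoTenant],
                              new_email: str) -> Optional[SsoTenant]:
    # Re-evaluate from the new domain; unchanged tenant means no migration is needed.
    return tenant_for_login(tenants, new_email)
```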

Before vs After

Before: Only one SSO configuration was allowed per Unifize org.
After: Multiple SSO configurations are supported per org, each with its own domain, credentials, and certificate.

Before: Organisations with users across multiple identity provider tenants could not route all users through SSO.
After: All users, regardless of which tenant they belong to, can be authenticated through SSO under a single org.

Before: There was no way to create a direct login link for a specific tenant when multiple were configured.
After: An optional domain parameter on the Sign on URL routes users directly to a specific tenant’s identity provider.

Before: Updating a user’s email in Unifize did not move them to the correct SSO tenant.
After: Unifize automatically migrates users to the correct tenant when their email domain changes.

Before: SSO field labels (Service Provider Entity ID, Org SSO URL, Entity ID, SSO URL, Certificate) did not match Microsoft’s SAML setup interface.
After: Field labels now match Microsoft’s SAML terminology: Reply URL (ACS URL), Sign on URL, Microsoft Entra Identifier, Login URL, Certificate (Base64).
