SSO (Single Sign-On)

Single Sign-On (SSO) is an authentication mechanism that lets a user's identity be managed by a single trusted identity provider, through which the user can access multiple service providers. SSO reduces password sprawl, centralizes access control, and supports common security and compliance requirements.

Files.com supports the SP (Service Provider) initiated SSO flow and integrates with the most popular SSO providers. Contact us if you are looking for an IdP-initiated SSO flow or any other integration in this context.

SSO integrations are available on Power and Enterprise plans. Each SSO-enabled plan carries different SSO capacities and options, so review each plan to determine which best fits your needs.

Supported SSO Providers

Files.com integrates with the following SSO providers. Several SSO integrations also support user and group provisioning as configured by the SSO provider application.

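| Provider | Auth + On-demand Provisioning | SCIM Provisioning |
| --- | --- | --- |
| Auth0 | ✔️ | |
| Box | ✔️ | |
| Dropbox | ✔️ | |
| Duo | ✔️ | ✔️ |
| Google | ✔️ | |
| Idaptiv | ✔️ | ✔️ |
| JumpCloud | ✔️ | ✔️ |
| LDAP | ✔️ | ✔️ |
| Microsoft Entra ID | ✔️ | ✔️ |
| Microsoft Active Directory | ✔️ | ✔️ |
| Okta | ✔️ | ✔️ |
| SAML (any provider) | ✔️ | ✔️ |
| Slack | ✔️ | |
| OneLogin | ✔️ | ✔️ |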

Enabling SSO Providers

You can add as many providers as you want.

Files.com supports both SAML and OpenID Connect (OIDC) integration with services like Auth0, Microsoft Entra ID, OneLogin, and Okta. This allows for the secure exchange of authentication and authorization data between an identity provider (IdP) and a service provider (SP).

Auth0, Microsoft Entra ID, OneLogin, and Okta require additional configuration to complete the initial setup. Refer to the provider's support documentation to locate your Subdomain, Client ID, and Client Secret.

Auth0, Microsoft Entra ID, OneLogin, and Okta also support advanced provisioning options. Click Advanced to expand the configuration settings and configure the provisioning settings.

You cannot use the same SSO provider settings (for example, Application ID or Client ID, Tenant ID, Secret) in more than one Files.com site.

Using Multiple SSO Providers

You can use more than one Single Sign-On (SSO) provider on your site. Each user is associated with one SSO provider, or with no SSO provider. To give the same person access through more than one SSO provider, create two Users on Files.com for that person.

Using Multiple Instances of the Same SSO Provider

You can configure multiple instances of the same IdP or SSO provider on your site using SAML. This supports separate authentication setups for different teams or business units within an organization.

For SSO providers that Files.com supports with OAuth, you can configure only one OAuth instance of each provider on a site. Multiple OAuth instances of the same provider are not supported on a single site because they conflict with each other. When you need additional instances of the same SSO provider, configure them using SAML.

Use the Display Name field in the Add SSO Provider screen to identify each SSO instance on the login page and in user authentication details.

If you need separate Files.com applications for different teams, departments, subsidiaries, brands, or projects, we recommend using Child Sites. Each child site runs on its own subdomain with independent content and settings while remaining associated with the primary account. Child sites simplify user management, including provisioning and deprovisioning, by keeping authentication and site settings separate for each group.

Automated Provisioning with SCIM and Just-in-Time (JIT)

Files.com supports automated user provisioning through SCIM provisioning and Just in Time (JIT) provisioning. These provisioning methods automatically create and manage user accounts when integrating your identity provider with Files.com.

SCIM provisioning is the recommended approach and enables continuous synchronization of users and groups between your identity provider and Files.com. It supports automatic user creation, updates to user attributes, group assignments, and account deactivation. You can also use SCIM provisioning with SAML (any provider) as a SAML-based integration.

You configure SCIM provisioning by establishing a SAML-based connection between your identity provider and Files.com. Once the integration is set up, user provisioning and lifecycle management run through your identity provider.

JIT provisioning is a simpler alternative where user accounts are created automatically the first time a user signs in through SSO. JIT requires minimal setup but does not provide the same level of ongoing user lifecycle management as SCIM provisioning.

See the Automated Provisioning page for more details.

Assigning User SSO Methods

After an SSO provider has been enabled for a site, Site Administrators grant SSO access on a per-user basis. This can be done when creating a new user or by modifying an existing user's settings. Each user can have only one SSO provider assigned.

To assign SSO to an existing user, update the Authentication Method in the user's details and select the SSO provider.

Files.com also lets you Bulk Import or Bulk Create users with any site-enabled SSO providers. To do this, fill the authentication_method column with the name of the SSO provider.

You can have a mix of SSO-authenticated and Files.com password-authenticated users on your site. For example, your internal users can authenticate through an SSO provider while your external vendors and partners authenticate with Files.com passwords.

Site Administrators can change or remove a user's ability to authenticate through SSO at any time by selecting Password from the dropdown list.

When selecting a new SSO provider for authentication, first confirm that the user's username already exists in the IdP to avoid authentication issues.

We strongly recommend keeping at least one Site Administrator configured with the password option as the authentication method instead of assigning every Site Administrator to use SSO. A password-authenticated Site Administrator account prevents you from getting locked out of your Files.com site if you run into issues with your IdP or SSO integration.

Logging in With SSO

Once you have enabled an SSO provider, a Sign in with... option for that provider appears on your site's login page. Users click the service button to be authenticated through the external service and redirected to their Files.com account.

When logging into Files.com using the SSO provider for the first time, users are prompted to authorize the connection of their provider account with Files.com.

If a user does not have a current session with the SSO provider, they are prompted to log in to that provider's service before the Files.com authentication is verified.

Hiding an SSO Provider From the Login Page

Site Administrators can hide a provider's Sign in with... button from the Files.com login page on a per-provider basis. Hiding the button does not disable the provider. Provisioned users can still authenticate through the provider's own app panel or any other entry point that initiates the SSO flow, but the button no longer appears on the login page. This is useful when SSO applies to only a small subset of users on the site, and avoids confusion for users on the login page who do not use SSO.

Disabling an SSO Integration

Disabling an SSO provider revokes access for the user accounts configured to authenticate through that SSO provider. The login page no longer shows the login option for that provider.

To disable an SSO provider, edit the provider in SSO Providers and toggle the Enabled setting off.

To remove an SSO provider entirely, Site Administrators must first modify all user accounts currently set to use that SSO provider and configure them to use another authentication method or provider. You can identify any users set to the provider by looking at the Authentication Method column of the user list. Once there are no users configured to authenticate with the provider, you can remove it.
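
Two checks from this page, run over a user list: the password-authenticated Site Administrator recommended under Assigning User SSO Methods, and the users that still block removal of a provider. This is an added example, not Files.com code; apart from the authentication_method column name, the CSV layout, the values, and the function names are assumptions, and the sample rows are constructed.

```python
import csv

# Constructed sample user list. Only the authentication_method column name
# comes from the page; the other columns and all values are assumptions.
SAMPLE_USERS_CSV = """\
username,authentication_method,site_admin
alice,okta,true
bob,okta,true
carol,password,true
dave,okta,false
frank,saml-legacy,false
"""


def load_users(csv_text):
    """Parse the user list into dicts with normalised, lower-cased values."""
    return [{
        "username": row["username"].strip(),
        "auth": row["authentication_method"].strip().lower(),
        "site_admin": row["site_admin"].strip().lower() == "true",
    } for row in csv.DictReader(csv_text.splitlines())]


def break_glass_admins(users):
    """Site Administrators who can still log in if the IdP is unavailable."""
    return [u["username"] for u in users
            if u["site_admin"] and u["auth"] == "password"]


def removal_blockers(users, provider):
    """Users still assigned to `provider`; it cannot be removed until empty."""
    provider = provider.strip().lower()
    return [u["username"] for u in users if u["auth"] == provider]


def audit(csv_text, provider_to_remove):
    users = load_users(csv_text)
    admins = break_glass_admins(users)
    blockers = removal_blockers(users, provider_to_remove)
    return {
        "break_glass_admins": admins,
        "lockout_risk": not admins,      # every admin depends on an IdP
        "removal_blockers": blockers,
        "safe_to_remove": not blockers,  # no user still uses the provider
    }


if __name__ == "__main__":
    print(audit(SAMPLE_USERS_CSV, "saml-legacy"))
```

Run it before disabling or removing a provider, and again after reassigning users during a provider switch.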

Switching SSO Providers

Before starting your migration, confirm that the new identity provider is supported. Files.com integrates with most popular SSO providers; you can check the supported providers list.

Once you pick the new identity provider, follow the corresponding Files.com SSO integration documentation and enable the new SSO provider.

If you run into challenges migrating the configuration or users from Files.com to the new SSO provider, refer to the provider's support documentation.

For a SAML-based IdP, work with the SSO IdP to check whether the issuer, audience, and username combination can be reused.

For SCIM, configure the mappings and provisioning properly with the new SSO provider to avoid duplicate or disabled users in Files.com or in your user directory.

Once the new provider is set up and ready to use, edit each user's settings to set their Authentication method to the new provider.

Once all users are updated, disable the old SSO provider. All users can then start using your new SSO provider to log in to Files.com.

Using SSO with Parent and Child Sites

Each site's SSO providers apply only to the users who appear in the list of users for the site.

If a user belongs to a parent site, they authenticate through the SSO provider configured in the parent site, even when their access is limited to Child Site paths. You do not need to also configure the same SSO provider for any Child Sites the user has access to.

Configure SSO providers only on the site where your users are defined.

Using SSO with FTP, SFTP, or WebDAV

Single sign-on authentication can only be used with browser-based sessions or with the Files.com Desktop App.

If the user requires access to FTP, SFTP, or WebDAV connections, the authentication method must be set to Password or Active Directory/LDAP.

An alternative is for the user to use SSO and additionally add an SFTP key or an API Key to their user account.

Users can add their own keys in the web interface from My account in the top right menu.

Using SSO with the Files.com Desktop App

The Files.com Desktop App supports connecting with SSO user accounts. Follow the prompts to connect your account, and on the login screen click the SSO provider button assigned for that user.

Using SSO with the Files.com Mobile App

Files.com supports Single Sign-On (SSO) login with our iOS and Android mobile applications. To log in using SSO, select the SSO provider on the login screen and proceed.

To have the Files.com web application automatically send your users to an SSO Provider rather than displaying the login page, build a link on your external site that points to a URL on your Files.com site with the URL parameter ?use_sso=1 appended.

For example, send someone a link to: https://mysite.files.com/files/MyFolder/?use_sso=1

This only works if you have exactly one SSO provider.
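
A link builder for the ?use_sso=1 parameter described above, as an added example that is not Files.com code; the function name sso_link and its site_host argument are assumptions. It handles target URLs that already carry a query string or fragment, and it refuses any URL that is not an https link on your own site, so links generated from user-supplied paths cannot point elsewhere.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def sso_link(url, site_host):
    """Return `url` with use_sso=1 set exactly once.

    Raises ValueError unless `url` is an https URL on `site_host`.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("link must use https")
    # Compare the parsed hostname rather than a string prefix, so look-alike
    # hosts and user:password@ prefixes are rejected.
    if parts.hostname != site_host.lower() or parts.username or parts.password:
        raise ValueError("link must point at " + site_host)
    # Drop any existing use_sso value so the parameter appears only once.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "use_sso"]
    query.append(("use_sso", "1"))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Host and path taken from the example link on this page.
    print(sso_link("https://mysite.files.com/files/MyFolder/",
                   "mysite.files.com"))
```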