Skip to content

Okta & SAML SSO

Single Sign-On (SSO) is an authentication scheme that allows users to log in and access multiple platforms with a single identity provider account. You can configure SAML Single Sign-On (SSO) to log in to your Afi account with third-party identity providers like Okta, JumpCloud, OneLogin, Ping Identity, Duo, or Auth0.

Afi SAML/Okta authentication configuration is managed under the Service → Settings → SAML/Okta tab. Please follow the instructions from this guide to set up SAML SSO authentication with Okta or check out our generic SAML SSO integration guide for any other identity provider.

Info

Since SAML SSO authentication with a third-party identity provider doesn't rely on Google Workspace or Microsoft 365, you can set up SAML SSO authentication to ensure that you can access your Afi account and backups even if you lose access to your Google Workspace or Microsoft 365 tenant, as well as when Google or Microsoft 365 are temporarily unavailable due to an incident.

Upon SAML SSO configuration, your SAML connector (application) on the identity provider side is linked to your Microsoft 365 or Google Workspace tenant on the Afi side where the SAML integration is configured. During SAML authentication, Afi will locate a tenant that corresponds to your connector and will map the identity provider user who is performing authentication to the Microsoft 365 or Google Workspace user from the Afi tenant.

On the Afi side, users within a Microsoft 365 or a Google Workspace tenant are provisioned automatically during periodic resource synchronizations with the data source (Microsoft 365/Google). Please note that while user provisioning is automatic, Afi access model is fully explicit, and newly provisioned users are not automatically granted any access to the Afi portal, unless self-service or group-based access settings are configured on the Afi side.

Since periodic resource synchronizations with the data source are performed once per 24 hours, in rare cases, there might be a situation where an identity provider user has just been created, but there is no corresponding user account yet on the Afi side. If this happens, an Afi account administrator needs to manually trigger a resource synchronization by clicking on the wheel icon in the top-right corner of the ServiceProtection tab in the Afi portal.