Secure your user logins with Single-Sign On (SSO)
SSO is an authentication that allows a user — someone who will write, edit, or send your series — to log in using just their email address and the click of a button. No password necessary! Implementing this integration allows for an easy sign on experience for employees with particular credentials, and provides security when off-boarding those you no longer wish to have access.
⭐ SSO requires an upgrade from the Essential Package. Review our packages here.
Why it matters: Security is important, and manually updating large lists of employees can be cumbersome. Requiring a login via SSO ensures that only employees with active company email addresses have access to Axios HQ.
🔍 How it works: Owners and admins can access SSO by by navigating to “Settings” > “Integrations”.
Table of Contents:
- Identify who has access to Axios HQ
- Providers we support
- Connecting SSO
- Customizing your connection
- Signing in to Axios HQ
- FAQ
- Common providers
1. Identify who has access to Axios HQ
Identify who on your team should have access to Axios HQ. We recommend provisioning an All Staff list in order to streamline the setup process.
- If you prefer a specific user pool, create a list of users who will be writing, editing, or sending series via HQ.
2. Providers we support
We partner with WorkOS to facilitate most of our integrations. You can find an introduction to WorkOS and their workflow here.
We support the following identity providers:
| AD FS SAML | Duo SAML | miniOrange SAML | React Native Expo |
| ADP OIDC | Firebase | NetIQ | Rippling SAML |
| Apple OAuth | Generic SAML | Okta SAML | Salesforce |
| Auth0 SAML | Google OAuth | OneLogin SAML | Shibboleth Generic SAML |
| Azure SAML | Google SAML | OpenID Connect | Shibboleth Unsolicited SAML |
| CAS SAML | JumpCloud SAML | Oracle SAML | SimpleSAMLphp |
| ClassLink SAML | Keycloak SAML | PingFederate SAML | VMWare SAML |
| Cloudflare SAML | LastPass | PingOne SAML | |
| CyberArk SAML | Microsoft OAuth |
When you are ready to set up Single Sign-on, you will follow instructions through the portal provided in the platform. Details for this workflow are found below.
If you'd like to review the steps you will be taking, check out the instructions for your specific provider here.
3. Connecting SSO
👉 Navigate to "Settings" > "Integrations". Then, locate "Single Sign-on," and click “Connect”
(You will be taken to a setup portal provided by WorkOS).
💡 Only org Owners and Admins have access to the "Integrations" tab.
If this view is not available to you, please request that an Owner or Admin in your organization adjust your permissions.
✅ Once in the portal, select your identity provider from the list and walk through the setup instructions for your provider.
🏁 When you complete the SSO setup, you will see the linked connection at "Settings" > "Integrations".
- You will be able to view and modify this connection by selecting the gear icon.
Remember, the way you configure your user groups within your SSO provider will determine who has access to the Axios HQ platform. If a user cannot log in with SSO, please check to ensure that they are correctly provisioned in these groups.
- We recommend setting up automatic provisioning, or connecting an All-Staff group within your identity provider, for your convenience.
4. Customizing your connection
Once your SSO connection is in place, you’ll have the ability to configure additional settings for this integration.
- SSO Optional and Required
- SSO Optional (our default setting): Allows users to sign in with either a password or SSO
- SSO Required: Allows users to sign in using only SSO
- Just-in-Time (JIT)/ Automatic provisioning
- Without JIT/auto-provisioning you will need to manually invite each new user to Axios HQ before they can log in (this is our default setting).
- When JIT/auto-provisioning is on, your HQ workspace is open to anyone designated within your SSO provider. As long as these individuals are provisioned for SSO, they will be able to log into Axios HQ on their own as a new user with default Member permissions (can create new series and can invite new users).
- With JIT/auto-provisioning turned on, an account will automatically generate for new users logging in with SSO, if one does not already exist for them.
To enable either of these settings, please reach out to help@axioshq.com.
5. Signing in to Axios HQ
With JIT/automatic provisioning turned off, your team will still need to be added to the HQ platform by an existing user.
- Invite additional users by selecting “Add user” on your Organization page, or adding a collaborator to a particular newsletter in that newsletter's Settings. Anyone within the organization can invite new members.
👉 Navigate to our login page and select "Log in with SSO". Then, enter your email address and click "Connect".
- Whoever you provision in the first step is who will have access to log into the platform. If you try to add a new user who has not been provisioned and you are set to SSO: Required, that user will not be able to access anything in Axios HQ.
- Being unable to sign in can be frustrating for users, and often results in a support ticket with HQ and ultimately your IT team.
- Remove the possibility of interruption by provisioning an All Staff list instead. Users still need to be invited to collaborate on a newsletter, so you will have control over who has access to the platform based on their HQ credentials.
6. FAQ
What can I do if users are seeing an Axios HQ error message when trying to log into the platform?
Please ensure that an account has been created for the user on our platform, then ask them to try logging in via SSO again. Without JIT provisioning enabled, an HQ account must be manually created for each user.
Does Axios HQ support automatic de-provisioning/removal of users?
No. At the moment, Axios HQ does not support automatic de-provisioning of users; however, with SSO set to "required", users who have been removed from the SSO user pool within your identity provider will not be able to log into our platform.
Users are seeing an error with no Axios HQ branding when logging in. What can I do about this?
Error messages that do not include Axios HQ branding indicate an issue related to the setup within the identity provider. Please ensure that the user has been provisioned for SSO for this connection to resolve this.
How do I generate a new new X.509 Certificate?
You should be able to navigate to the section where the certificate was initially generated within the IdP application to generate a new certificate.
Does Axios HQ redirect a user’s browser to the IdP to terminate the session when a user signs out?
No. Axios HQ does not redirect a user’s web browser to the IdP to terminate the session when a user signs out.
What federation standards does Axios HQ support?
Axios HQ (via WorkOS) supports SAML 2.0 and OpenID connect (OIDC).
Does Axios HQ support IdP-initiated and/or SP-initiated SSO connections?
Axios HQ (via WorkOS) supports both IdP-initiated and SP-initiated SSO connections.
For SP-initiated SSO connections, does Axios HQ include the Assertion Consumer Service URL in the SAML request?
Yes. Axios HQ (via WorkOS) includes the AssertionConsumerServiceURL in the SAML requests.
What attributes are required for this SSO connection?
The required attributes for SSO are id, email, firstName, and lastName. These attributes must be in a string format.
7. Common providers
Entra ID / Azure & Okta
-
If you're using either of these providers for both SSO and Directory Sync, we recommend you create two separate Enterprise Applications for Axios HQ in order to separate these member pools.
OneLogin
- You may want to make use of OneLogin’s SAML Custom Connector, which enables you to launch HQ from your OneLogin dashboard, bypassing the SSO login screen on HQ.
- If you run into an issue related to the login bypass not occurring (getting redirected back to the login screen), please change the SAML Initiator to OneLogin (not Service Provider) in your OneLogin settings.
WorkOS' documentation on OneLogin may be a helpful troubleshooting reference.