Single Sign-On (SSO) Login

Safeguard your organization’s Workspace with Single Sign-On (SSO).

Single Sign-On (SSO) is a password-authentication strategy that simplifies the authentication process by allowing users to log in once with a single set of credentials. Webflow customers on Enterprise Workspace plans can enable SSO on their Workspace so all Workspace members can log in via an Identity Provider (IdP). 

Note: SSO is only available for customers on Enterprise Workspace plans. 

In this article, you’ll learn: 

  1. What is SSO?
  2. SSO considerations
  3. How to set up SSO

What is SSO? 

Single Sign-On (SSO) authentication is a password-authentication strategy that allows users to securely access multiple related applications or systems with a single set of credentials. 

The primary benefit of SSO is that it gives organizations centralized control over who has access to their systems and the level of access each individual has. SSO simplifies team members’ experiences, reduces password fatigue, and improves organization security.

SSO considerations

Team members must be provisioned with access to Webflow from your IdP before they can use SSO.

Note: Although SSO is not supported for the Editor, content editors can log in via SSO as Workspace members with access to edit mode in the Designer. 

SSO enforcement

SSO is available on Webflow as either an optional or required sign-on method. When SSO is optional, Workspace members can sign in to your Workspace via IdP or with standard login credentials. When SSO is required, Workspace members must be authenticated via IdP before they can access your Workspace. Workspace members will still be able to access their personal Workspace with standard login credentials. 

If some Workspace members have different email domains not managed through your IdP (e.g., freelancers, agencies, etc.), we recommend setting SSO to optional. This ensures they can continue to log in to your Workspace with standard login credentials. Workspace guest sign-on is not affected by SSO settings. 

Just-in-time (JIT) provisioning

Just-in-time (JIT) provisioning is a user management approach in which accounts are created dynamically at the moment of user authentication. Webflow SSO can optionally support JIT provisioning to help you automate account creation and Workspace access.

To prevent unauthorized team members from being automatically added to your Workspace, it’s best practice to pair JIT provisioning with SSO enforcement. Until your IT team grants them Webflow access through your IdP, unauthorized users receive an error message indicating they do not have access to the Workspace and should reach out to your company admin.

When JIT provisioning is enabled, the following occurs when a new Webflow user with your SSO email domain logs into Webflow via SSO:

  • Webflow automatically creates a user account for them, if it doesn’t already exist
  • This user is automatically invited to your Workspace and assigned a seat, if they aren’t already a member. If there are no available seats in your Workspace, they will receive an error message indicating they do not have access to the Workspace and should reach out to your company admin

Deprovisioning

When a user’s access to Webflow has been revoked from your IdP, they won’t be able to access Webflow through SSO. Because Webflow does not support directory sync or System for Cross-domain Identity Management (SCIM) at this time, your Workspace Owner or Admin should also remove the user from your Webflow Workspace to free up their seat after their access has been revoked from your IdP.
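
Because revoked users keep their seat until someone removes them by hand, a periodic comparison of IdP assignments against Workspace membership helps catch leftovers. The following is an added example, not Webflow code: it assumes you can export both lists as email addresses, and the function name, field names and sample data are constructed for illustration.

```python
def reconcile(idp_assigned, workspace_members, sso_domains, seats_total):
    """Compare IdP app assignments with Workspace seat holders.

    idp_assigned      -- emails currently granted Webflow access in the IdP
    workspace_members -- emails holding a seat in the Workspace (not guests)
    sso_domains       -- email domains managed through the IdP
    seats_total       -- number of seats on the Workspace plan
    """
    def norm(email):
        return email.strip().lower()

    def domain(email):
        return email.rsplit("@", 1)[-1]

    assigned = {norm(e) for e in idp_assigned}
    members = {norm(e) for e in workspace_members}
    domains = {d.lower() for d in sso_domains}

    managed = {m for m in members if domain(m) in domains}
    # Revoked in the IdP but still holding a seat: remove manually.
    stale = sorted(managed - assigned)
    # Outside the IdP's domains (freelancers, agencies): the article
    # recommends optional SSO so they can keep signing in.
    unmanaged = sorted(members - managed)
    # Assigned in the IdP, no seat yet: JIT provisioning would add them.
    pending = sorted(assigned - members)
    free_after_cleanup = seats_total - (len(members) - len(stale))
    return {
        "remove_from_workspace": stale,
        "outside_idp_domains": unmanaged,
        "pending_jit": pending,
        # Pending users beyond this number would hit the no-seat error.
        "jit_seat_shortfall": max(0, len(pending) - free_after_cleanup),
    }


# Constructed sample data.
IDP = ["ana@example.com", "Bo@example.com", "cy@example.com", "di@example.com"]
MEMBERS = ["ana@example.com", "bo@example.com", "eve@example.com",
           "fay@agency.example"]
REPORT = reconcile(IDP, MEMBERS, ["example.com"], seats_total=4)
```
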

Supported SSO configurations

| Configuration | Workspace(s) | Domain(s) | Identity Providers (IdP) | Supported by Webflow? |
|---|---|---|---|---|
| “Standard” | 1 Workspace | 1 domain in 1 Workspace | 1 IdP organization for 1 domain | Yes |
| “Multi-domain” | 1 Workspace | Multiple domains in 1 Workspace | 1 IdP organization for all domains | Yes |
| “Multi-Workspace” | Multiple Workspaces | 1 domain across all Workspaces | 1 IdP organization for all domains | Yes |
| “Multi-IdP per customer” | Multiple Workspaces | Multiple domains (1 per Workspace) | Multiple IdP organizations (1 per domain and per Workspace) | Yes |
| “Multi-IdP per Workspace” | 1 Workspace | 1 or multiple domains | Multiple IdP organizations for 1 Workspace | No |

Supported IdPs 

Webflow only supports OAuth and SAML connections at this time. Please contact our Enterprise sales team to confirm support for your IdP. 

How to set up SSO 

Webflow’s Customer Success teams will provide customized SSO setup instructions for customers on Enterprise Workspace plans. If you’ve completed your kickoff call but haven’t received SSO setup instructions, please contact your Customer Success Manager or Technical Architect to get started. 
