Single Sign-On (SSO) Login

We’re transitioning to a new UI, and are in the process of updating our Webflow University content.

Single Sign-On (SSO) is a password-authentication strategy that simplifies the authentication process by allowing users to log in once with a single set of credentials. Webflow customers on Enterprise Workspace plans can enable SSO on their Workspace so all Workspace members can log in via an Identity Provider (IdP).

Note: SSO is only available for customers on Enterprise Workspace plans.

In this article, you’ll learn:

What is SSO?

Single Sign-On (SSO) authentication is a password-authentication strategy that allows users to securely access multiple related applications or systems with a single set of credentials.

The primary benefit of SSO is that it gives organizations centralized control over who has access to their systems and the level of access each individual has. SSO simplifies team members’ experiences, reduces password fatigue, and improves organization security.

SSO considerations

Team members must be provisioned with access to Webflow from your IdP before they can use SSO. Note that we don’t set roles and permissions based on user groups in your IdP, but you can assign and revoke (i.e., provision and deprovision) access to Webflow via user groups.

Note: Although SSO is not supported for the Editor, content editors can log in via SSO as Workspace members with access to edit mode in the Designer.

SSO enforcement

SSO is available on Webflow as either an optional or required sign-on method. When SSO is optional, Workspace members can sign in to your Workspace via IdP or with standard login credentials. When SSO is required, Workspace members must be authenticated via IdP before they can access your Workspace. Workspace members will still be able to access their personal Workspace with standard login credentials.

If some Workspace members have different email domains not managed through your IdP (e.g., freelancers, agencies, etc.), we recommend setting SSO to optional. This ensures they can continue to log in to your Workspace with standard login credentials. Workspace guest sign-on is not affected by SSO settings.

Just-in-time (JIT) provisioning

Just-in-time (JIT) provisioning is a user management approach in which accounts are created dynamically at the moment of user authentication. Webflow SSO can optionally support JIT provisioning to help you automate account creation and Workspace access.

To prevent unauthorized team members from being automatically added to your Workspace, it’s best practice to pair JIT provisioning with SSO enforcement. Until your IT team grants them Webflow access through your IdP, unauthorized users receive an error message indicating they do not have access to the Workspace and should reach out to your company admin.

When JIT provisioning is enabled, the following occurs when a new Webflow user with your SSO email domain logs into Webflow via SSO:

Webflow automatically creates a user account for them, if it doesn’t already exist
They are automatically invited to your Workspace and assigned a seat, if they aren’t already a member. If there are no available seats in your Workspace, they will receive an error message indicating they do not have access to the Workspace and should reach out to your company admin

Deprovisioning

Deprovisioning is the process of removing a user’s access to various applications and resources once they no longer require them, such as when they change roles or leave an organization. Webflow SSO can optionally support automatic deprovisioning to help you automate user management and Workspace access. This process ensures that former employees or users do not retain access to sensitive systems, thereby enhancing security and compliance.

When deprovisioning is enabled, the following occurs when a Workspace member’s access is revoked from your IdP:

They lose access to your team Workspace (until re-invited or re-provisioned). If they attempt to log into your team Workspace via SSO, they will receive an error message indicating they do not have access to the Workspace and should reach out to your company admin
They are removed from your Workspace members list, leaving their Workspace seat empty and available for a new Workspace member
They retain access to their personal Workspace and any other Workspaces they belong to, if any

Supported SSO configurations

Configuration Workspace(s) Domain(s) Identity Providers (IdP) Supported by Webflow?

“Standard” 1 Workspace 1 domain in 1 Workspace 1 IdP organization for 1 domain Yes

“Multi-domain” 1 Workspace Multiple domains in 1 Workspace 1 IdP organization for all domains Yes

“Multi-Workspace” Multiple Workspaces 1 domain across all Workspaces 1 IdP organization for all domains Yes

“Multi-IdP per customer” Multiple Workspaces Multiple domains (1 per Workspace) Multiple IdP organizations (1 per domain and per Workspace) Yes

“Multi-IdP per Workspace” 1 Workspace 1 or multiple domains Multiple IdP organizations for 1 Workspace No

Supported IdPs

Webflow only supports OAuth and SAML connections at this time. Please contact our Enterprise sales team to confirm support for your IdP.

How to set up SSO

Webflow’s Enterprise Support or Customer Success teams provide customized SSO setup instructions for customers on Enterprise Workspace plans. If you’ve completed your kickoff call but haven’t received SSO setup instructions, or if you need to make any changes (such as enabling auto-provisioning or deprovisioning) to your existing SSO setup, please contact Enterprise Support or your Customer Success Manager to get started.

Safeguard your organization’s Workspace with Single Sign-On (SSO).

Note: SSO is only available for customers on Enterprise Workspace plans.

What is SSO?

SSO considerations

Note: Although SSO is not supported for the Editor, content editors can log in via SSO as Workspace members with access to edit mode in the Designer.

SSO enforcement

Just-in-time (JIT) provisioning

Deprovisioning

Supported SSO configurations

Supported IdPs

How to set up SSO

Table of contents

Continue learning

Convert elements

Figma to Webflow App

Add a Spline scene to your Webflow site

Add or remove Workspace seats and members

Align box overview

Archive a site

Archive your Workspace

Asset privacy

Build a locale switcher

Canvas settings

Choose a Site plan

Choose a Workspace plan

Code block

Component properties

Copyright (DMCA) Takedown Notice

Create static page templates

Create your Workspace

Custom CSS properties and values

Custom element

Custom gradient border

Delete Collections

Delete your Webflow account

Downgrade or cancel your Site plan

Downgrade or cancel your Workspace plan

Duplicate a site

Import/export 301 redirects

Integrate the HubSpot App

Keep your Webflow account secure

Learning Assistant

Localization overview

Localize Collection content

Localize content and styles

Localize page settings

Localized SEO and locale routing

Manage add-ons

Nest components

Pointer events

Proration and refunds on Workspace and Site plans

Save and publish Collection items

Set a global canonical tag to improve SEO

Site-specific access

Slots

Switch between Workspaces

Switch your Workspace or Site plan billing frequency

Transfer a site

Update your Dashboard notification settings

Update your email subscription settings

Update your text notification settings

Updates to our Site & Workspace plans for July 2024

Upgrade your Site plan

Upgrade your Workspace plan

Upload an Apple associated domain file

Use components in Collection lists and Collection pages

Variables

View all invoices for Workspace and Site plans

View and update your payment card

View your account security activity

Workspace billing and invoices

Workspace settings overview

Edit mode

Manually connect a custom domain

Manually connect a custom subdomain

Quick connect a custom domain

Quick connect a custom subdomain

Webflow Apps overview

Publishing workflow