This guide walks you through configuring SAML SSO for your Foyer organization. SSO lets your staff sign in through your company's Identity Provider instead of managing a separate Foyer password.
Requirements:
- Foyer Ultimate plan or above
- Admin access to Foyer
- Admin access to your Identity Provider
Step 1: Get Your Foyer Service Provider Details

- Go to Org Settings > Single Sign-On (SSO)
- Expand Service Provider Details
- Copy these two values; you'll need them in your IdP:
  - Entity ID (Audience URI) - looks like https://usefoyer.com/saml/<your-org-id>
  - Reply URL (ACS) - looks like https://yourorg.usefoyer.com/saml/acs/<your-org-id>
Step 2: Configure Your Identity Provider
Choose your IdP below for specific instructions.
Microsoft Entra ID (Azure AD)
- Sign in to the Entra Admin Center
- Go to Identity > Applications > Enterprise applications
- Click New application > Create your own application
- Name it "Foyer" and select "Integrate any other application you don't find in the gallery (Non-gallery)"
- Click Create
- In the app's sidebar, click Single sign-on, then select SAML
- Under Basic SAML Configuration, click Edit:
  - Identifier (Entity ID): Paste the Entity ID from Foyer
  - Reply URL (Assertion Consumer Service URL): Paste the Reply URL (ACS) from Foyer
- Click Save
- Under Attributes & Claims, click Edit:
  - Ensure the Unique User Identifier (Name ID) is set to user.mail (email format)
  - Optionally add claims for user.givenname and user.surname (used for JIT provisioning)
- Under SAML Certificates, download Certificate (Base64)
- Under Set up Foyer, copy:
  - Microsoft Entra Identifier - this is your IdP Entity ID
  - Login URL - this is your IdP SSO URL
- Assign users: Go to Users and groups > Add user/group and assign the staff who should have access
Okta
- Sign in to your Okta admin dashboard
- Go to Applications > Create App Integration
- Select SAML 2.0 and click Next
- App name: "Foyer", click Next
- Under SAML Settings:
  - Single sign-on URL: Paste the Reply URL (ACS) from Foyer
  - Audience URI (SP Entity ID): Paste the Entity ID from Foyer
  - Name ID format: EmailAddress
  - Application username: Email
  - Optionally add attribute statements
- Click Next, then Finish
- On the app's Sign On tab, under SAML Signing Certificates, click Actions > View IdP metadata. From the metadata:
  - Copy the entityID - this is your IdP Entity ID
  - Copy the SingleSignOnService Location URL - this is your IdP SSO URL
  - Copy the X509Certificate content - this is your IdP Certificate
- Under the Assignments tab, assign users or groups who should have access
Google Workspace
- Sign in to Google Admin Console
- Go to Apps > Web and mobile apps > Add app > Add custom SAML app
- Name it "Foyer" and click Continue
- On the Google Identity Provider details page, copy:
  - SSO URL - this is your IdP SSO URL
  - Entity ID - this is your IdP Entity ID
  - Certificate - download this; it's your IdP Certificate
- Click Continue
- Under Service provider details:
  - ACS URL: Paste the Reply URL (ACS) from Foyer
  - Entity ID: Paste the Entity ID from Foyer
  - Name ID format: EMAIL
  - Name ID: Basic Information > Primary email
  - Optionally add attribute mappings
- Click Finish
- On the app page, click the User access section and turn ON access for the organizational units that should use Foyer
Other SAML 2.0 Providers
Foyer works with any Identity Provider that supports SAML 2.0. You need three things from your IdP:
- IdP Entity ID (also called Issuer)
- IdP Login URL (also called SSO URL or Single Sign-On Service URL)
- X.509 Certificate (the signing certificate in Base64/PEM format)
Configure your IdP with Foyer's Entity ID and ACS URL, set the Name ID format to email, and you're good to go.
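As an added example (not part of this guide or Foyer's own tooling), the Python script below pulls the three values listed above out of an IdP's SAML 2.0 metadata XML: the same entityID, SingleSignOnService Location and X509Certificate the Okta steps have you copy by hand. It also normalises the certificate into a complete PEM block with BEGIN/END lines, rejects a truncated paste, and reports whether the IdP advertises the email Name ID format. The sample metadata and its certificate body are constructed; which SingleSignOnService binding becomes the login URL is an assumption.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; the certificate body is a placeholder, not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82" + b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT_B64[:40]}
      {SAMPLE_CERT_B64[40:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(cert_b64: str) -> str:
    """Normalise an X509Certificate body into PEM, rejecting a truncated or partial paste."""
    body = "".join(cert_b64.split())  # metadata usually wraps the base64 across lines
    try:
        der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("certificate is not complete base64 (truncated copy?)") from exc
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded bytes are not a DER certificate")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the three values Foyer asks for, plus whether the IdP advertises email Name IDs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Assumption: the HTTP-Redirect endpoint is used as the login URL, falling back to HTTP-POST.
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(REDIRECT) or sso.get(POST)
    cert = idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not sso_url or cert is None or not cert.text:
        raise ValueError("metadata is missing the SSO endpoint or signing certificate")
    formats = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    return {"idp_entity_id": root.get("entityID"), "idp_login_url": sso_url,
            "idp_certificate_pem": to_pem(cert.text), "advertises_email_name_id": EMAIL_FORMAT in formats}
```

Running `parse_idp_metadata` on the metadata file your IdP exports gives you the Entity ID, Login URL and PEM certificate to paste into Step 3; a ValueError from `to_pem` is the "certificate was copied completely" check from Troubleshooting done before you paste.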
Step 3: Complete Setup in Foyer

- Back in Org Settings > Single Sign-On (SSO), expand Identity Provider Configuration
- Paste in:
  - IdP Entity ID (Issuer) from your IdP
  - IdP Login URL from your IdP
  - X.509 Certificate from your IdP
- Click Save
- Click Enable SSO
Your staff will now see a "Sign in with SSO" button on the login page.
Step 4: Configure Policies (Optional)
Under the Policies section you have two additional options:
Require SSO for all staff - When enabled, staff can only sign in through SSO. Password login is completely disabled for staff accounts. Clients are not affected.
Auto-create accounts on first login (JIT Provisioning) - When enabled, staff who sign in via SSO for the first time will automatically get a Foyer account created. You can set their default role to Staff or Admin. This means you don't need to invite each person individually in Foyer - just assign them in your IdP.
Troubleshooting
"SSO is not configured for this organization" - Make sure you've clicked "Enable SSO" after saving your IdP configuration.
"No account found for this email" - The email address in your IdP doesn't match any staff account in Foyer. Either invite them first, or enable JIT Provisioning to auto-create accounts.
SAML validation errors - Double-check that:
- The ACS URL in your IdP exactly matches what's shown in Foyer (including the protocol and trailing path)
- The certificate was copied completely (including the BEGIN/END lines if present)
- Your IdP is sending the email address as the Name ID
Staff don't see the SSO button - The SSO button only appears after a staff member enters their email on the login page. It won't show for clients or guest accounts.
Certificate Rotation
When your IdP's signing certificate is about to expire:
- Add the new certificate as the Secondary Certificate in Foyer
- Update the certificate in your IdP
- Once confirmed working, move the new certificate to the primary field and clear the secondary
This ensures zero downtime during rotation - Foyer will accept signatures from either certificate during the transition.
FAQ
Does SSO affect my clients? No. SSO is for staff accounts only. Client login is completely unchanged.
Can staff still use passwords when SSO is enabled? Yes, unless you turn on "Require SSO for all staff". Without enforcement, staff see both the SSO button and the password field.
What happens if my IdP goes down? If you have not enforced SSO, staff can still log in with their password. If SSO is enforced, staff will not be able to log in until your IdP is restored. Consider keeping at least one admin account with password access for emergency scenarios.
Can I use SSO with a custom domain? Yes. If your org uses a custom domain, the ACS URL will reflect your custom domain automatically.