Identity provider (IdP) initiated single sign-on is a workflow in which the user first authenticates with the identity provider and then navigates to Templafy. This differs from the normal authentication flow, which starts at the Templafy tenant and redirects the user to the SSO provider. Templafy supports IdP initiated SSO, but with some limitations.
To enable IdP initiated SSO with OpenID Connect, ensure that the Azure AD app has been installed by following our setup guide: https://support.templafy.com/hc/en-us/articles/206801909-How-to-setup-SSO-with-Azure-AD-OpenID-Connect-Standard-setup-
Once the app has been installed, open its properties, set the option "Visible to users?" to "Yes", and assign the relevant users to the application. The users must be assigned to the application even if "User assignment required?" is set to "No".
Templafy will now show up in the users' applications on https://myapplications.microsoft.com if they have been assigned to the application.
Because OpenID Connect does not provide a sign-on URL the way SAML2 does, the sign-in redirect points to https://app.templafy.com. If the user has not yet been provisioned into a Templafy tenant, no tenant is associated with them, so they are not directed to a tenant even if they enter their email. The solution is to provision them beforehand. This can be done by directing them to the tenant by other means, such as an email with a link (yourcompanyname.templafy.com), or automatically by using SCIM. Once they have been provisioned, https://app.templafy.com will automatically detect their associated tenant and redirect them.
SAML2 allows a sign-on URL to be defined. This means that if SAML2 is set up properly, IdP initiated sign-on automatically redirects to the correct tenant, where the user is either provisioned or authenticated.
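The routing behaviour described in the two paragraphs above (OpenID Connect landing on https://app.templafy.com versus a SAML2 sign-on URL landing on the tenant) can be modelled as a small decision function. This is an added illustration, not Templafy's code; the tenant hostname, the user emails, the assumption that the SAML2 sign-on URL is simply the tenant's https URL, and the idea of SCIM as a function that adds the user to the tenant ahead of time are all constructed for the example.

```python
"""Constructed model of IdP initiated sign-on routing as described in the
article above. Not Templafy's implementation; data and helpers are illustrative."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LANDING_OIDC = "https://app.templafy.com"  # OIDC has no sign-on URL, so the IdP lands here


@dataclass
class Tenant:
    hostname: str                       # constructed, e.g. yourcompanyname.templafy.com
    provisioned_users: Set[str] = field(default_factory=set)


@dataclass
class IdpInitiatedLogin:
    protocol: str                       # "oidc" or "saml2"
    email: str                          # email the user presents / types in
    sign_on_url: Optional[str] = None   # only SAML2 carries a sign-on URL


def provision_via_scim(tenant: Tenant, email: str) -> None:
    """Simulate provisioning ahead of time (SCIM, or a first visit via a tenant link)."""
    tenant.provisioned_users.add(email.lower())


def resolve_landing(login: IdpInitiatedLogin, tenants: List[Tenant]) -> Tuple[str, str]:
    """Return (url the user ends up on, outcome) for an IdP initiated login."""
    if login.protocol == "saml2":
        # The sign-on URL points straight at a tenant (assumed to be https://<hostname>),
        # so the tenant itself either authenticates a known user or provisions a new one.
        for t in tenants:
            if login.sign_on_url == f"https://{t.hostname}":
                known = login.email.lower() in t.provisioned_users
                return f"https://{t.hostname}", "authenticated" if known else "provisioned"
        return login.sign_on_url or LANDING_OIDC, "unknown sign-on URL"
    # OIDC: the user lands on app.templafy.com, which can only route users that
    # some tenant already knows. Typing an email does not help an unprovisioned user.
    for t in tenants:
        if login.email.lower() in t.provisioned_users:
            return f"https://{t.hostname}", "authenticated"
    return LANDING_OIDC, "no tenant found"
```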