Single sign-on (SSO) lets your team log into FirstPromoter using the same credentials they use for the rest of your company's tools, managed through your identity provider (IdP).
FirstPromoter supports SAML 2.0, an open XML-based standard for passing authentication data between an identity provider and a service provider. Common identity providers include Okta, Google Workspace, Microsoft Entra ID, and OneLogin.
SSO applies to team members accessing the admin portal only. Affiliate logins are not affected.
Please note: SSO is available on the Enterprise plan. If you don't see the SSO section in your settings, contact support to have it enabled on your account.
General setup
This setup involves two sides: configuring an application in your identity provider and entering the resulting values into FirstPromoter. We recommend having an IT administrator handle the identity provider side.
In your FirstPromoter account, go to Settings → SSO. Your service provider details are listed on this page.
Note the following values from the settings page; you'll need these when configuring your identity provider:
Entity ID: a read-only URL unique to your account
ACS URL: a read-only URL where your IdP will post the SAML response
Both fields have a copy button next to them.
In your identity provider, create a new SAML 2.0 application. You may need to refer to your IdP's documentation, as the field names may vary; however, you'll generally need to provide the following:
The ACS URL (sometimes called Single Sign-On URL, Reply URL, or Assertion Consumer Service URL)
The Entity ID (sometimes called Audience URI, Identifier, or SP Entity ID)
NameID format set to emailAddress. The value sent must be the user's email address.
Check your IdP's SAML documentation for provider-specific instructions:
Once you've saved the application in your IdP, collect the following and paste them into the corresponding fields in Settings → SSO:
Identity Provider Single Sign-On URL
Identity Provider Entity ID
X.509 Certificate: paste the full PEM contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. You can also click Upload to upload a certificate file directly.
Click Connect.
Toggle SSO enabled on. Team members can now use Continue with SSO on the login page. Password login continues to work alongside SSO unless you enforce SSO for all users.
Permissions required: SSO is available on the Enterprise plan. Only Super Admins and admins with settings access can configure SSO.
Error codes
Error | Meaning |
| The assertion signature is invalid. Check that your certificate matches what your IdP is sending, and that the ACS URL in your IdP matches exactly. |
| The same assertion was submitted more than once — usually caused by a redirect loop or browser back navigation. |
| No team member with that email exists in FirstPromoter. Invite them first, or verify the email matches exactly. |
| The team member's account is deactivated. Reactivate it to restore access. |
Require SSO for all users
Once SSO is working, you can disable password login and require everyone to authenticate through your IdP.
Go to Settings → SSO.
Turn on the Enforce SSO for all team members toggle and click Connect.
With enforcement on, password login and Google sign-in are both disabled, and the login page will only show the SSO option.
Remove SSO
Go to Settings → SSO and click Delete. SSO is disabled immediately. If enforcement was on, password login is restored for all team members automatically.
