Skip to main content

Overview

Single Sign-On lets team members sign in to VisaFlo with a corporate identity provider. The current settings UI supports Microsoft Entra ID. Owners can enable SSO, link their own account, configure a hosted SSO page, and disable SSO. Use this guide when setting up SSO for a workspace or validating that team members can sign in from a shared SSO URL.

Before you start

  • You must be an owner in VisaFlo.
  • Create or open the SSO application in Microsoft Entra ID.
  • Have the application Client ID, Tenant ID, and Client Secret ready.
  • Be ready to add VisaFlo redirect URIs to the SSO application.
  • Plan a short test window before inviting the full team.

Enable SSO

  1. Go to Settings > SSO.
  2. Choose Microsoft Entra ID (Azure AD) as the identity provider.
  3. Enter the Client ID.
  4. Enter the Tenant ID.
  5. Enter the Client Secret.
  6. Click Enable SSO.
After SSO is enabled, VisaFlo shows the provider, provider ID, client ID, tenant ID, and redirect URI values. The SSO settings page showing the configured provider details and redirect URI section. The documentation capture uses non-secret placeholder identifiers.

Register redirect URIs

After enabling SSO, copy the redirect URI values shown in VisaFlo. Add the displayed Web redirect URI and Single-page Application redirect URI to your Microsoft Entra application. These values must match the current VisaFlo environment and domain. The owner should link their own VisaFlo account before sharing the SSO page with the team.
  1. In Settings > SSO, find Link Your Account.
  2. Click Link My Account with SSO.
  3. Choose the matching corporate account in the popup.
  4. Confirm the linked account email matches the VisaFlo account email.
Once linked, the panel shows the linked provider email. You can unlink the account from the same panel if needed.

Configure the SSO page

After the owner account is linked, configure the hosted SSO page.
  1. Enter an SSO URL Slug using lowercase letters, numbers, and hyphens.
  2. Upload a PNG or JPEG logo up to 5MB if you want a branded SSO page.
  3. Review the generated /sso/{slug} link.
  4. Click Save changes.
Share this hosted SSO link with team members who should sign in through SSO. Hosted SSO page with the Microsoft Entra ID sign-in action. SSO invitation links use /sso-link?token=.... When a team member opens the link, VisaFlo inspects the token, loads the workspace SSO configuration, signs in through the identity provider, and completes account linking. If the invitation link is invalid or expired, generate a fresh invitation from the team management flow.

Disable SSO

Only owners can disable SSO.
  1. Go to Settings > SSO.
  2. Click Disable SSO.
  3. Confirm the action.
Disabling SSO affects team members who currently use SSO to sign in. Confirm alternate access before disabling it.

Troubleshooting

If SSO is unavailable on the hosted page, confirm the SSO configuration exists for the company or slug. If the popup closes or is blocked, allow popups for VisaFlo and try again. If linking fails because the email does not match, sign in to the corporate account that uses the same email as the VisaFlo user. If redirect errors appear, compare the redirect URIs shown in VisaFlo with the URIs registered in Microsoft Entra ID. If only some users are affected, inspect whether their invitation token is expired and whether their corporate email matches their VisaFlo member email.