SSO Limitations & Requirements
Overview
Single Sign-On (SSO) allows organizations to authenticate users through their identity provider rather than using RedFlag email/password credentials. Before enabling SSO, it is important to understand several platform requirements and limitations that affect how users and locations are configured.
These requirements apply to both OpenID Connect (Microsoft Entra ID) and SAML-based SSO integrations.
SSO Applies to All Users at the Location
When SSO is enabled for a location, all users must authenticate through the configured identity provider.
RedFlag does not support a mix of authentication methods within the same location.
This means:
- Users cannot log in using email and password created within RedFlag
- All users must authenticate using SSO
- User access must be managed through your identity provider
If a user is not provisioned through the identity provider, they will not be able to access the location.
OpenID Connect (Microsoft Entra ID) Tenant Restrictions
When using OpenID Connect with Microsoft Entra ID, each RedFlag location must be associated with a single Microsoft tenant. Only one OIDC identity provider can be connected per location — you cannot mix or chain multiple OIDC providers for a single location.
Additionally, a single Microsoft tenant cannot be used to access multiple RedFlag locations. Each location requires its own dedicated tenant connection. This means:
- One OIDC identity provider per location
- Each location must be linked to its own Microsoft tenant
- A single tenant cannot be shared across multiple RedFlag locations
Organizations that manage multiple RedFlag locations across different tenants must configure SSO separately for each location.
SAML Identity Provider Restrictions
When using SAML-based SSO, each RedFlag location is configured with a single SAML identity provider. Assertions from any other IdP are not accepted for that location. This means:
- One SAML IdP per location
- You cannot connect, mix, or chain multiple IdPs for a single location
Unlike OpenID Connect, however, SAML does support multi-location access for users. If users require access to multiple RedFlag locations, your identity provider can be configured to include multiple tenant IDs in the SAML assertion, one for each location the user is authorized to access. This means:
- The tenantid attribute in the SAML assertion can carry multiple values
- Each tenantid value corresponds to a RedFlag location the user is authorized to access
- A user is granted access only to the locations whose tenant IDs appear in the assertion
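The shape of a multi-valued tenantid attribute on the wire, and how a service provider would extract the authorized locations from it, as an added Python example written for this page rather than taken from RedFlag. The attribute name tenantid is the only detail the page gives; the location identifiers, the subject, the issuer URL, and the assumption that the SP's SAML library has already verified the assertion signature before these attributes are read are all assumptions. The extractor goes slightly beyond the page: it also accepts the same attribute repeated as several single-valued Attribute elements, which some IdPs emit instead of one multi-valued element, and it rejects assertions from an issuer other than the one configured for the location, reflecting the one-IdP-per-location rule.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TENANT_ATTR = "tenantid"  # attribute name from the page; NameFormat is an assumption

# Constructed sample assertion (not captured from RedFlag or any real IdP).
# The ds:Signature element is omitted; this code assumes the SP library has
# already validated the signature, replay window, audience and conditions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="tenantid">
      <saml:AttributeValue>loc-hq</saml:AttributeValue>
      <saml:AttributeValue>loc-warehouse</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_assertion(issuer: str, subject: str, tenant_ids: list[str]) -> str:
    """IdP side: emit a minimal (unsigned) assertion with one multi-valued
    tenantid attribute. Hypothetical helper for illustration only."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion", {"Version": "2.0"})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    subj = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID").text = subject
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", {"Name": TENANT_ATTR})
    for tid in tenant_ids:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = tid
    return ET.tostring(root, encoding="unicode")


def tenant_ids(assertion_xml: str) -> list[str]:
    """SP side: collect every tenantid value, whether the IdP sent one
    multi-valued Attribute or repeated single-valued ones. Order is kept and
    duplicates are dropped. Parse with defusedxml in production; stdlib
    ElementTree is used here so the example runs without extra packages."""
    root = ET.fromstring(assertion_xml)
    seen: list[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != TENANT_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text and text not in seen:
                seen.append(text)
    return seen


def can_access(assertion_xml: str, location_id: str, expected_issuer: str) -> bool:
    """Decide whether this assertion grants access to one RedFlag location:
    the issuer must be the single IdP configured for that location, and the
    location's tenant ID must be among the asserted tenantid values."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        return False  # assertion from an IdP not configured for this location
    return location_id in tenant_ids(assertion_xml)


if __name__ == "__main__":
    print(tenant_ids(SAMPLE_ASSERTION))
    print(can_access(SAMPLE_ASSERTION, "loc-hq", "https://idp.example.com/metadata"))
```

A user whose assertion lists loc-hq and loc-warehouse is admitted to those two locations and nowhere else; an assertion carrying the right tenant ID but signed by a different issuer is still rejected, because each location trusts exactly one IdP.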
Planning Considerations
Before enabling SSO, organizations should confirm:
- Which authentication method will be used (OpenID Connect or SAML)
- Which users require access to each RedFlag location
- Whether users need access to multiple locations (supported with SAML via multiple tenantid values, not with OpenID Connect)
- Whether each location has its own dedicated Microsoft tenant (required for OpenID Connect)
- That the administrators who manage each location are provisioned in the identity provider, since RedFlag email/password logins stop working once SSO is enabled
Because SSO replaces standard RedFlag authentication, user access and lifecycle management must be maintained through the organization’s identity provider.