Single Sign-On (SSO) allows your employees to securely log in to 15Five using one set of credentials for multiple systems. This simplifies onboarding, enhances security, and reduces the need for multiple passwords.

🛠️ Before you begin

To set up SSO (SAML 2.0) in 15Five, you’ll need a few details from your Identity Provider (IdP).

From your IdP:

  • XML Metadata file or URL

From 15Five:

  • 15Five Metadata URL / Entity ID: https://<your-subdomain>.15five.com/saml2/metadata/

  • 15Five ACS URL: https://<your-subdomain>.15five.com/saml2/acs/

  • 15Five Service URL: https://<your-subdomain>.15five.com/

💡 Tip: While setting up and testing, enable Allow Password Sign In in your 15Five SSO configuration. This lets you access 15Five via email and password while testing SSO.


🚀 Set up SSO in 15Five

  1. Go to the SAML Single Sign-On page.

  2. Set your company subdomain.

    • Your subdomain is typically your company name or abbreviation.

    • It must be all lowercase, contain no spaces or special characters, and be unique.

    • Click Save to continue.

  3. Add Metadata and contact details.

    • Enter your IdP’s XML Metadata or URL.

    • Add an SSO contact email (usually your IT admin).

    • Check Automatically update metadata if you want 15Five to pick up changes to your IdP metadata on its own, instead of you updating the metadata manually.

    • Click Save.

  4. Configure your SAML attributes and settings.

    • SAML Single Sign-On Enabled: Turns SSO on for your account.

    • Allow Password Sign In: Lets employees sign in using email and password as well as SSO. Recommended during testing.

    • Allow IdP Initiated Login: Allows users to log in from your IdP dashboard.

    • Allow Auto Login: Automatically signs users in through your IdP if they are already authenticated. Only works if password sign-in is off.

    • Allow Creation of New Users (JIT Provisioning): Automatically creates new 15Five accounts when users who have access in your IdP log in.

    • Require Reviewer Selection: Prompts employees to choose their reviewer the first time they sign in; only shown if reviewer data isn't sent from your IdP. Most companies leave this off.

    ⚠️ Important: Just-in-Time (JIT) provisioning is not recommended when:

    • The Name ID is set to “Email,” or

    • You use another integration like SCIM or an HRIS.

    These setups can create duplicate accounts or conflicts.

  5. Set attribute mappings.

    • Check your IdP’s attribute mappings for accuracy.

    • The Name ID Contents and Email attribute name fields are required.

    • If Name ID Contents is set to Not Used, you must fill in the Employee ID attribute name field.

    • To sync reviewers, add reviewer info under Reviewer Attributes (only if SCIM or another HRIS integration is not used).

    • Click Save when done.

💡 Tip: Select at least one of Ensure Assertions Are Signed or Ensure Messages Are Signed to validate your IdP configuration.

✏️ Note: If ‘Name ID Contents’ is set to ‘Not Used’, then the ‘Employee ID attribute name’ must be filled out. Otherwise, employees will have issues logging in.

If you would like the employee’s reviewer to sync to 15Five, and you do not use another integration with 15Five like SCIM or another HRIS, put the reviewer information under the ‘Reviewer Attributes’ section. Make sure to click Save!

If you need some guidance, Contact Us with your attribute mappings and we're happy to help.
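As an added example (not 15Five's code, nor any IdP's), here is a small Python pre-flight check that reads the SAML response an IdP posts to the ACS URL and confirms the points from steps 4 and 5 and the signing tip above: the Destination is the ACS URL, the Audience is the 15Five Entity ID, the email attribute is present, a NameID (or an Employee ID attribute when Name ID Contents is Not Used) exists to match the user, and the message or the assertion carries a Signature. The subdomain acme, the attribute name email and the sample response are constructed for illustration; the check only confirms that a Signature element is present, the cryptographic verification itself is done by the service provider.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and XML-DSig signatures
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text, subdomain, email_attr, employee_id_attr=None):
    """Return a list of problems; an empty list means the response lines up with
    the 15Five values in this article. Only the *presence* of a Signature is
    checked here; cryptographic verification is the service provider's job."""
    root = ET.fromstring(xml_text)
    acs = f"https://{subdomain}.15five.com/saml2/acs/"
    entity_id = f"https://{subdomain}.15five.com/saml2/metadata/"
    problems = []
    if root.get("Destination") != acs:
        problems.append(f"Destination is not the ACS URL {acs}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion element (missing or encrypted)"]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} != Entity ID {entity_id}")
    # Attribute names exactly as the IdP sends them -> list of values
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if email_attr not in attrs:
        problems.append(f"email attribute {email_attr!r} not in assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id and not (employee_id_attr and employee_id_attr in attrs):
        problems.append("no NameID and no Employee ID attribute: users cannot be matched")
    signed = (root.find("ds:Signature", NS) is not None
              or assertion.find("ds:Signature", NS) is not None)
    if not signed:
        problems.append("neither the message nor the assertion carries a Signature")
    return problems

# Constructed sample response for the subdomain "acme" (not from any real IdP)
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://acme.15five.com/saml2/acs/"><saml:Assertion>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://acme.15five.com/saml2/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

Calling check_response(SAMPLE, "acme", "email") returns an empty list; pass the subdomain and attribute names you actually configured to see which of the article's requirements a real response misses.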


Test your SSO configuration

  1. Log out of 15Five.

  2. Go to https://<your-subdomain>.15five.com.

  3. Click Sign in using Single Sign-On.

  4. Complete any additional login steps through your IdP (e.g., Okta, OneLogin).

  5. You should be redirected to 15Five and automatically logged in.

✏️ Note: SAML 2.0 doesn’t support deprovisioning or automatic user updates. To automatically sync user updates and deactivate accounts, use our SCIM integration with Okta or OneLogin.


⚙️ Manage SSO

Control employee access

Grant or remove access through your IdP’s provisioning screens.

  • If an employee isn’t assigned to 15Five in your IdP, they’ll see a 403/400 permissions error when trying to log in.

Create employee accounts

SSO doesn’t create accounts automatically unless JIT provisioning is enabled.
You can also:

Update employee emails

If your Name ID attribute is set to:

  • User ID or Not Used: Updates in your IdP will sync to 15Five the next time the employee logs in.

  • Email: Update the email in both 15Five and your IdP before the employee logs in with the new address. The two must match: if the email in 15Five differs from the one that has access in your IdP, the employee cannot access the platform. If JIT is enabled and Email is the ‘Name ID’ attribute, update the email in 15Five before changing it in your IdP (or at least before the employee tries to log in with the new address). For larger updates, such as a company-wide domain change, you can perform a bulk update.

💡 For large-scale email changes (like a domain migration), use bulk import to update emails efficiently.

Deactivate or remove access

  • Remove the 15Five app from the employee’s permissions in your IdP.

  • Then deactivate their 15Five account manually, via bulk import, or through SCIM/HRIS if enabled.

⚠️ If Allow Password Sign In is enabled, active employees can still log in using password reset.


❌ Disconnect SSO

If you no longer want SSO enabled:

  1. Go to Company Settings → SAML Single Sign-On.

  2. Uncheck SAML Single Sign-On Enabled.

  3. Click Save.

Employees will need to log in using their email and password.
If they haven’t set a password before, they can click Forgot password to create one.


🧩 Troubleshooting and FAQs

Can I get locked out during setup?
While you configure SSO, password login remains available. Employees can log in using both SSO and email and password until you explicitly turn off the option to log in with email and password.

If I set up SSO today, will people be able to log in immediately?

Yes. As soon as SSO is integrated, people will be able to log in.

How is OAuth 2 different from SSO/SAML?

SAML is an authentication protocol; OAuth 2.0 is not, so the two cannot be treated as equivalent. OAuth 2.0 does not pass attributes about the user who has just authenticated. Just-In-Time (JIT) provisioning is also independent of SAML and not part of the SAML protocol specifications: because SAML sends user attributes in an assertion, a JIT provisioning system can be built on top of it, but that is a local implementation choice, not a SAML feature. The same JIT system could be built on top of OpenID Connect, a user authentication protocol layered on OAuth 2.0, which would be comparable to JIT with SAML (https://stackoverflow.com/questions/29885675/oauth-2-custom-attributes-like-saml#29894429). We do use OpenID Connect, but we do not offer JIT provisioning with OpenID Connect.

Can a user log on with their local password after SSO is enabled?

Account admins control whether their people can log in with email and password once SSO is enabled. A checkbox for this appears during SSO setup. If you would like people to continue using the passwords they originally set up with 15Five in addition to SSO, leave the 'Allow Password Sign In' box checked.

Does 15Five provide an SSO service?
No. 15Five supports SSO integrations but does not act as an Identity Provider (IdP).

If I do a tiered roll-out of 15Five, how do I ensure that the entire organization doesn't receive email invites when I set up SSO?

SSO does not provision users (it does not create anyone's 15Five account) automatically; a user can be created at sign-in only when just-in-time provisioning is enabled. To make sure the entire organization doesn’t receive email invites, use the checkbox on the CSV bulk import or, if SCIM is on, the corresponding checkbox in the SCIM settings.

Does SSO put people's job titles in 15Five automatically?

It can put people’s job titles into 15Five if the attribute is set, but not automatically. A user would have to sign in to 15Five. SCIM 2.0 could do this automatically.

When does 15Five update user attributes via SSO?

When the user logs in, the information is updated.

Does OAuth go away if you set up SSO?

Yes.

Can SAML 2.0 be used with any SSO/IdP?

No, only SSO providers/IdPs that use SAML 2.0. Since SAML 2.0 is a standard, that should cover most of them.

How can I tell if SSO is passing the Manager/Reviewer information?

Reviewer information is passed only if you’ve included it in the ‘Review Email Attribute.’ If you have SCIM or another HRIS integration enabled, that integration passes the update, not SSO.

No user information is being sent from ADFS or Azure AD to 15Five. Why is the information not updating properly?

If no user attributes are being sent from ADFS or Azure AD to 15Five, make sure the rules shown below are configured on the ADFS/Azure AD side:

[Screenshots: ADFS / Azure AD claim rules]

I’m having an issue with ADFS. There is an error even though the attributes match. How do I fix this error?

Typically this is an issue with the Transform rule. Create a normal rule for email and then a transform rule that transforms email into NameID. Changing the NameID format to "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" is all done in the Relying Party Trust dialog. This is the claim rule (a non-default setting) as it would appear in ADFS:

[Screenshot: ADFS claim rule]

I am looking for information to fill out my Azure AD partner application form. Where can I find that?

Below you will find answers to the Azure AD partner application form.


Partner (Application) Information

Application Descriptions

Purpose: The application provides for intra-company communication and insight.
Name: 15Five
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.15five

Multifactor Authentication

Does the application Support Multifactor Authentication? Yes
Will the application require Authentication? Yes.
When? Authentication is required immediately.

Sign on URL

https://<subdomain>.15five.com

Identifier

https://<subdomain>.15five.com/saml2/metadata

Reply URL

https://<subdomain>.15five.com/saml2/acs

User Identifier

NameID or email

Relay State

https://<subdomain>.15five.com/

Secure Hash Algorithm

SHA256

Access Rules

Members with access to the application in the Azure Marketplace will have access to the 15Five app.

Common Error Messages

  • 403 Error: Permissions issue; the user is not authorized or the email is mismatched. Fix: confirm the email matches in both the IdP and 15Five, and that the user has access in the IdP.

  • 422 Error – Misconfiguration: SAML attributes are not mapped correctly. Fix: verify the attribute mappings in your IdP, then try logging in once to populate attributes.

  • AADSTS50105: The user is not assigned to the 15Five app in Azure AD. Fix: assign the app to users/groups in Azure AD.

  • AADSTS750054: Incorrect Sign-on URL in Azure AD. Fix: update it to https://<subdomain>.15five.com.

  • AADSTS650056: Mismatched Entity ID in Azure AD. Fix: ensure the Entity ID is https://<subdomain>.15five.com/saml2/metadata/.

  • “This subdomain is not configured for SAML2 authentication”: Incorrect capitalization or a typo in the subdomain. Fix: ensure the subdomain is all lowercase.
💡 Tip: If you’re troubleshooting Azure AD or ADFS, refer to Microsoft’s official documentation for configuration details.

