After SSO is configured, you manage employee access primarily through your Identity Provider (IdP). Some actions also require steps inside 15Five.
Before You Begin
- SSO must already be configured in 15Five. See Set up SAML Single Sign-On (SSO) in 15Five.
- Confirm whether Allow Password Sign In is enabled — this affects deactivation behavior.
Grant or Remove IdP Access
- Open your IdP's provisioning or assignment screen.
- Assign the 15Five app to the employee to grant access.
- Remove the 15Five app assignment from the employee to revoke access.
Employees without an IdP assignment see a 403 or 400 error when attempting to log in.
Create Employee Accounts
SSO does not create 15Five accounts automatically unless JIT provisioning is enabled during setup.
To create accounts without JIT:
- Navigate to Company Settings in 15Five.
- Choose one of the following methods:
- Select Invite to manually invite an individual employee. - Select Bulk Import to upload a CSV file for multiple employees.
Alternatively, use a SCIM or HRIS integration to auto-create accounts.
Update Employee Email Addresses
The correct steps depend on how your Name ID attribute is configured.
If Name ID is set to User ID or Not Used:
- Update the email address in your IdP.
- The change syncs to 15Five the next time the employee logs in.
If Name ID is set to Email:
- Update the email in 15Five first.
- Then update the email in your IdP.
- Confirm both addresses match before the employee logs in with the new address.
For large-scale changes such as a company domain migration, use Bulk Import to update multiple email addresses at once.
Deactivate or Remove an Employee
- Remove the 15Five app from the employee's permissions in your IdP.
- In 15Five, deactivate the employee's account using one of these methods:
- Manually via People Settings - Via Bulk Import - Automatically via SCIM or HRIS integration, if enabled
If Something Goes Wrong
| Issue | Check | Fix |
|---|---|---|
| Removed employee can still log in | Allow Password Sign In is enabled | Deactivate the account in 15Five immediately; removing IdP access alone does not block password-based login |
| Employee sees 403/400 error after being granted access | Employee's IdP assignment is incomplete | Confirm the 15Five app is assigned to the correct user or group in your IdP |
| Email update breaks login | Name ID is set to Email and IdP was updated before 15Five | Update the email in 15Five to match the IdP, then have the employee attempt login again |
| Bulk import email update fails | CSV contains mismatched or duplicate entries | Validate the CSV against current 15Five records before re-uploading |
Not Covered Here
This article does not cover initial SSO setup, JIT provisioning configuration, or SCIM integration — see the related articles below.