
Setting up single sign-on (SSO) for your organization

A guide for admins and IT teams setting up single sign-on (SSO) with Fyxer. If your IT team is handling this, feel free to forward them this article.

Fyxer supports single sign-on so your team can log in with your company's identity provider — no separate Fyxer passwords to manage. This article explains how setup works, the details Fyxer gives you, and the details we need back from you.

SSO is available on the Enterprise plan and is set up with help from the Fyxer team. To get started, talk to your account manager.


How SSO works with Fyxer

In SSO terms, Fyxer is the Service Provider (SP) and your company provides the Identity Provider (IdP) — the tool that manages your users and authenticates them (for example Okta, Microsoft Entra ID / Azure AD, Google Workspace, OneLogin, or Ping).

Fyxer supports two protocols:

  • SAML 2.0

  • OIDC (OpenID Connect)

You only need to choose one. If you're not sure which your IdP supports best, your IT team will know - both work equally well with Fyxer.


What Fyxer gives you (Service Provider details)

Use these values when you create the Fyxer application in your identity provider. They're the same regardless of which protocol you choose.

| Field | Value |
| --- | --- |
| Entity ID (Audience / Identifier) | https://fyxer.ai/saml/metadata |
| Callback URL (also called Redirect URL or ACS URL) | https://app.fyxer.com/__/auth/handler |

The Entity ID is an identifier, not a link to open — even though it looks like a web address.

The Callback URL spelling (fxyer-ai) is correct, even though it looks like a typo. You can tell your team: "This is the address Fyxer uses to receive the sign-in response after a user authenticates."


What Fyxer needs from you

Once you've created the Fyxer app in your IdP, send us the details below for your chosen protocol, plus your email domain(s).

If you're using SAML

  • IdP Entity ID — your provider's identifier. If it ends in .xml, remove that part. It usually looks like https://your-provider.com/your-entity-id.

  • SSO URL — the login / sign-in URL, not a metadata URL. You can check it by opening it in a browser: it should take you to a login page.

  • X.509 signing certificate — in PEM format, including the header and footer lines:

-----BEGIN CERTIFICATE-----
MIIC… (base64 certificate) …
-----END CERTIFICATE-----

Make sure the certificate is currently valid (not expired or future-dated) and includes the BEGIN and END lines. Fyxer will reject certificates that are expired, not yet valid, or malformed.
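
A pre-flight check for the certificate requirements above, as an added example (not Fyxer's own validation code): it uses only the Python standard library to confirm that the BEGIN and END lines are present, that the base64 body decodes, and that the current time falls inside the certificate's validity window. The function names and the file name in the usage comment are assumptions made for this example.

```python
import base64, re, sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # read one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER data")
    return tag, pos, pos + length

def _time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    # RFC 5280: two-digit years 50-99 mean 19xx, but strptime maps 50-68 to 20xx.
    return dt.replace(year=dt.year - 100) if tag == 0x17 and dt.year >= 2050 else dt

def cert_validity(pem_text):
    """Return (not_before, not_after) for a PEM certificate; raise ValueError if unreadable."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE lines not found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    pos = _tlv(der, 0)[1]    # enter Certificate SEQUENCE
    pos = _tlv(der, pos)[1]  # enter tbsCertificate SEQUENCE
    for _ in range(4 if der[pos] == 0xA0 else 3):  # [0] version?, serial, sig alg, issuer
        pos = _tlv(der, pos)[2]
    tag, pos, _ = _tlv(der, pos)  # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity field not found; not an X.509 certificate?")
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def check_cert(pem_text, now=None):  # -> list of problems; empty means the checks passed
    now = now or datetime.now(timezone.utc)
    try:
        nb, na = cert_validity(pem_text)
    except (ValueError, IndexError) as exc:
        return [f"malformed: {exc}"]
    checks = [(now < nb, f"not yet valid (starts {nb:%Y-%m-%d})"),
              (now > na, f"expired on {na:%Y-%m-%d}")]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":  # usage: python check_cert.py idp-signing-cert.pem
    print(check_cert(open(sys.argv[1]).read()) or "OK")
```

This reads only the PEM framing and the validity dates; it does not verify the certificate's signature or confirm that it is the certificate your IdP actually signs with.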

If you're using OIDC

  • Client ID

  • Client Secret

  • Issuer URL — your provider's OIDC issuer (e.g. from Okta or Entra ID)

Your email domain(s)

Tell us which email domain(s) your users sign in with — for example yourcompany.com. You can include more than one (see Enforcing SSO and managing sign-in for your domain).

In a hurry? Use our short, forwardable SSO setup checklist to collect everything in one pass.


Setup steps

  1. Choose your protocol — SAML or OIDC.

  2. Create the Fyxer app in your IdP using the Service Provider details above (Entity ID + Callback URL).

  3. Send us your details for your chosen protocol, plus your email domain(s), via your account manager.

  4. Fyxer configures SSO for your organization.

  5. Test the login — we'll confirm with you that a test user can sign in via SSO before it's rolled out widely.

  6. Roll out / enforce — once testing is confirmed, your domain is routed through SSO. See Enforcing SSO and managing sign-in for your domain.

Always confirm a successful test sign-in before enforcing SSO across your whole domain, to avoid locking users out.