Set up Single Sign-On (SSO)


Set up Single Sign-On (SSO) to sign in to Fern using your existing identity provider.

SSO setup requires working with Fern to exchange configuration values (like callback URLs and entity IDs). To get started, select your identity provider below (Okta, Google Workspace, or Microsoft Entra), then choose SAML or OIDC.

Using another provider?

If you use another IdP, Fern will help you configure it. Reach out via Slack or support@buildwithfern.com to get started.

Okta (SAML)

1

Receive configuration values from Fern

Fern will send you the SSO URL and Audience URI through a secure channel (not Slack/email).

2

Create and configure application in Okta

In Applications, create a new app integration using SAML 2.0. Configure with these values:

| Field | Value |
| --- | --- |
| Single sign-on URL | [value from Fern] |
| Audience URI | [value from Fern] |
| Name ID format | EmailAddress |

Then, add attribute statements:

| Name | Value |
| --- | --- |
| name | user.firstName + " " + user.lastName |
| email | user.email |

3

Send Fern your IdP metadata

From the Sign-On tab, copy the Metadata URL and X.509 certificate. Send them back to Fern. Fern will enable the connection and run a test login with you.

4

Disable IdP-initiated login

In the General tab under App visibility, enable Do not display application icon to users. This prevents IdP-initiated login flows, which carry security risks.

5

Assign users

Assign the people who should access Fern.

Google Workspace (SAML)

1

Receive configuration values from Fern

Fern will send you the ACS URL and Entity ID through a secure channel (not Slack/email).

2

Create and configure application in Google

In Web and mobile apps, choose Add app → Add custom SAML app. On Service provider details, enter these values:

| Field | Value |
| --- | --- |
| ACS URL | [value from Fern] |
| Entity ID | [value from Fern] |
| Name ID format | EMAIL |
| Name ID | Primary email |

Then, add attribute statements:

| Google Directory Attribute | App Attribute |
| --- | --- |
| First name | firstName |
| Last name | lastName |

3

Send Fern your IdP metadata

Copy the SSO URL, Entity ID, and X.509 certificate from Google. Send them to Fern. Fern will enable the connection and run a test login with you.

4

Assign users

Assign the people who should access Fern.

Microsoft Entra (SAML)

1

Create an application

Under Enterprise applications, select New application → Create your own application → Non-gallery.

2

Receive configuration values from Fern

Fern will send you the Identifier (Entity ID) and Reply URL (ACS) through a secure channel.

3

Configure SAML

In Single Sign-On, choose SAML and enter these values:

| Field | Value |
| --- | --- |
| Identifier (Entity ID) | [value from Fern] |
| Reply URL (ACS) | [value from Fern] |
| Name ID | user.primaryauthoritativeemail (email) |

Then, add attribute statements:

| Name | Value |
| --- | --- |
| firstName | user.givenname |
| lastName | user.surname |

4

Send Fern your IdP metadata

From SAML Certificates, copy the App Federation Metadata URL. Send it to Fern. Fern will enable the connection and run a test login with you.

5

Disable IdP-initiated login

To prevent IdP-initiated login flows (which carry security risks), do not distribute the User access URL.

Optionally, create a Conditional Access policy to block sign-ins that don’t originate from your service provider.

6

Assign users

In Users and groups, add the people who should access Fern.
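
Background for the "Disable IdP-initiated login" steps above, as an added example (not Fern's code and not part of the original page): a service provider can tie a SAML response to a login it started only through the InResponseTo attribute, which IdP-initiated responses do not carry. The URLs, request IDs and function names are constructed for illustration, and signature validation is assumed to have happened before these checks.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample values; real ones are the ACS URL and Audience URI / Entity ID.
ACS_URL = "https://sp.example.com/sso/acs"
AUDIENCE = "https://sp.example.com/sso/metadata"


def make_response(in_response_to, destination=ACS_URL, audience=AUDIENCE):
    """Build a constructed, unsigned SAML Response used only as sample input."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="_r1" Version="2.0" Destination="{destination}"{irt}>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Conditions>'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
        f'</samlp:Response>'
    )


def check_response(xml_text, pending_request_ids):
    """Return a list of policy violations; an empty list means all checks passed."""
    # The sample input is constructed; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    problems = []
    irt = root.get("InResponseTo")
    if irt is None:
        problems.append("unsolicited response (IdP-initiated): no InResponseTo")
    elif irt not in pending_request_ids:
        problems.append("InResponseTo does not match a pending AuthnRequest")
    else:
        pending_request_ids.discard(irt)  # each request ID is accepted once
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not our ACS URL")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience does not name this service provider")
    return problems
```

Calling `check_response` with a set of outstanding AuthnRequest IDs shows that a response is accepted once for a login the service provider started, and rejected when it is replayed or arrives with no InResponseTo at all.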