Configure the End User Portal for SSO
SSO for the End User Portal is currently in EA (Early Access). Click here to participate.
This document explains what Portal Single Sign-On (SSO) is, how to configure it, and what to expect from related settings and system behavior.
SSO in the End User Portal facilitates:
- Seamless invoice payment: An office manager can click an invoice link and land in the portal, already authenticated via their Microsoft 365 session. No password prompt, no MFA step. Faster payment, less friction.
- Frictionless new hire onboarding: A new employee can receive a portal invite and get in using their company credentials on day one. No "set a new password" step, no separate MFA enrollment.
- Secure remote access: A remote worker can access their office PC through the portal. Their company's IdP verifies their identity, satisfying security requirements without any extra Syncro-specific steps.
Portal SSO for the End User Portal
Single Sign-On (SSO) connects an Organization's OIDC-compliant identity provider (IdP), such as Microsoft Entra ID or Google, to the Syncro End User Portal. End Users log in with their existing work credentials. No separate Syncro password is required. Portal SSO is available on all Syncro subscription tiers.
When SSO is enabled, both SSO and standard email/password login appear on the portal login page simultaneously. Some users in an Organization can authenticate via SSO while others use a password, which is useful for Organizations that work with outside contractors who aren't in the primary company directory.

If SSO is disabled after being active, the portal falls back to standard email/password login. Users who have never set a Syncro password can use the “Forgot Password” flow to create one.
For step-by-step instructions, see Configure the End User Portal for SSO.
About the End User Portal Section
The End User Portal section on the Organization Details Page contains three toggles and a “Configure SSO” link. All three toggles apply changes immediately when clicked, with no additional save step. This is different from the Identity Provider Configuration pop-up window, which only applies changes when the form is explicitly saved.
The "Enable SSO" Toggle
The "Enable SSO" toggle turns portal SSO on or off. Its behavior depends on the state of the Organization.
- If the New End User Portal is not enabled for the Organization, clicking the toggle opens an Enable New End User Portal window from which you can Enable, Learn More, or Cancel. The Enable button is hidden if you do not have permission to enable the New Portal.
- If the New End User Portal is enabled but no complete SSO configuration has been saved, clicking the toggle opens the Identity Provider Configuration pop-up window.
- If the New End User Portal is enabled and a complete SSO configuration has been saved, clicking the toggle turns SSO on or off immediately.
The "Let SSO Logins Bypass MFA" Toggle
The "Let SSO logins bypass MFA" toggle controls whether SSO-authenticated users are prompted for MFA. When enabled, an SSO login counts as a multi-factor authentication event. This means users can also launch Remote Access (Splashtop) sessions without an additional MFA prompt.
The "Enable Auto Provisioning" Toggle
The "Enable Auto Provisioning" toggle controls whether new Portal Users are automatically provisioned on their first SSO login.
How "Enable SSO" Affects Related Settings
When "Enable SSO" is turned on, whether via the checkbox in the Identity Provider Configuration pop-up window or the toggle on the Organization Details page, the "Let SSO logins bypass MFA" and "Enable Auto Provisioning" toggles become enabled and are set to on. You can then adjust them independently to suit the needs of the Organization.
When "Enable SSO" is turned off, both toggles become disabled and cannot be changed independently until SSO is re-enabled.
About the “Enable SSO” checkbox in the Identity Provider Configuration Pop-Up Window
The Identity Provider Configuration pop-up window contains an “Enable SSO” checkbox. This checkbox controls the same setting as the “Enable SSO” toggle on the Organization Details page. It reflects whether SSO is currently active.
While any required field is empty, the checkbox is disabled and unchecked, even if SSO was previously enabled. Once all required fields are populated, the checkbox becomes available.
Configure the End User Portal for SSO
Use this procedure to set up SSO for an Organization's End User Portal by entering IdP credentials and registering Syncro's URLs in your identity provider.
Prerequisites
The New End User Portal must be enabled for the Organization before you can configure SSO. If it isn't enabled, attempting to interact with the SSO controls will show an Enable New End User Portal window. Contact your administrator if the Enable button is not visible, as this means you do not have appropriate permissions. See Set Up Your Syncro Account for more information.
Steps
- In Syncro, navigate to Organizations > [Organization Name] > Organization Details and scroll to the End User Portal section.
- Click “Configure SSO” to open the Identity Provider Configuration pop-up window. If no complete configuration has been saved, you can also click the "Enable SSO" toggle to open the pop-up window.
- Copy the Redirect URL and the Logout URL. (The Redirect URL may be called a Callback URL in IdP documentation.)
- In your IdP, register the Redirect URL and Logout URL.
- Retrieve your Client ID, Client Secret, and Discovery URL.
- In Syncro, enter the Client ID, Client Secret, and Discovery URL in the pop-up window.

Note: Required fields must have values to enable SSO and to make the Save and Test button available.
- (Optional) Check "Enable SSO" to activate SSO immediately. If you want to save your credentials without activating SSO yet, leave it unchecked. See About the “Enable SSO” checkbox in the Identity Provider Configuration Pop-Up Window.
- Click Save Changes. To save and immediately run a validation test, click Save and Test instead.
Result
Values in the pop-up window are only sent to the backend when the form is saved. The “Enable SSO” toggle on the Organization Details Page will update to match the state of the checkbox (on or off). Closing the pop-up window without saving discards all changes. If SSO is enabled during the save, the "Let SSO logins bypass MFA" and "Enable Auto Provisioning" toggles become enabled and are set to on.
To verify your configuration is working, see Test Your SSO Configuration.
Test Your SSO Configuration
Save and Test saves your configuration and immediately runs a validation flow against your IdP. You do not need to check "Enable SSO" to run a test, which means you can verify your credentials are correct before activating SSO for end users.
Prerequisites
All required fields (Client ID, Client Secret, and Discovery URL) in the Identity Provider Configuration pop-up window must be populated. Secret Expiry is not required. "Enable SSO" does not need to be checked.
Steps
- Navigate to Organizations > [Organization Name] > Organization Details, and scroll to the End User Portal section.
- Complete or verify the credential fields in the Identity Provider Configuration pop-up window.
- Click Save and Test.
Result
- If validation is successful, the pop-up window closes and you are returned to the Organization Details page with a success alert.
- If validation fails, you are stopped inside the SSO flow and will need to correct your configuration before proceeding.
In some cases testing may not be feasible. If you don't have access to a user account already configured in the IdP with valid credentials, you can save and enable SSO, then verify by logging in as an end user.
System Messages for the Identity Provider Configuration Pop-Up Window
Here are the messages you may see after saving or closing the Identity Provider Configuration pop-up window:
- "IDP configuration saved." The configuration saved successfully.
- "IDP configuration saved with invalid Discovery URL." The configuration saved but the Discovery URL could not be validated. SSO may not function correctly until the Discovery URL is corrected. Verify the URL in your IdP before enabling SSO.
- "IDP configuration could not be saved." The save failed. No changes were applied. Check your connection and try again.
- "IDP configuration changes discarded." You closed the pop-up window without saving by clicking Cancel, pressing Esc, or clicking outside the pop-up window. No changes were applied. Reopening the pop-up window will show the last saved configuration.
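One way to pre-check a Discovery URL before entering it, given the "saved with invalid Discovery URL" message above. This is an added example, not Syncro code, and the page does not document which checks Syncro's own validation performs; the checks follow OpenID Connect Discovery 1.0, and the `idp.example.test` URL and document are constructed sample data.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Provider metadata that OpenID Connect Discovery 1.0 marks REQUIRED
# (token_endpoint is required unless only the implicit flow is used).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, body):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    url = urlsplit(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL is not https")
    if not url.path.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    try:
        meta = json.loads(body)
    except ValueError:
        return problems + ["response body is not JSON"]
    if not isinstance(meta, dict):
        return problems + ["response body is not a JSON object"]
    problems += ["missing required field: " + k for k in REQUIRED if k not in meta]
    # The issuer must equal the discovery URL minus the well-known suffix
    # (a trailing slash on the issuer is dropped before the suffix is added).
    if url.path.endswith(WELL_KNOWN) and isinstance(meta.get("issuer"), str):
        expected = f"{url.scheme}://{url.netloc}{url.path[:-len(WELL_KNOWN)]}"
        if meta["issuer"].rstrip("/") != expected:
            problems.append("issuer does not match discovery URL")
    for key in ENDPOINTS:
        value = meta.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(key + " is not https")
    return problems

# Constructed sample: a hypothetical IdP at idp.example.test, not a real tenant.
SAMPLE_URL = "https://idp.example.test/tenant-a" + WELL_KNOWN
SAMPLE_BODY = json.dumps({
    "issuer": "https://idp.example.test/tenant-a",
    "authorization_endpoint": "https://idp.example.test/tenant-a/authorize",
    "token_endpoint": "https://idp.example.test/tenant-a/token",
    "jwks_uri": "https://idp.example.test/tenant-a/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_BODY) or "discovery document OK")
```

Fetch the document body with any HTTP client and pass it in as text; an issuer mismatch usually means the URL was copied from a different tenant or application than the one holding the Client ID.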
MFA Label Changes When SSO Bypass Is Enabled
When "Let SSO logins bypass MFA" is enabled at the Organization level, the MFA label updates in two places.
- On the Organization Details page in the Portal Users section, the label reads "Require MFA for this User (except in SSO)."
- On the End User Details page in the End User Portal section, the label reads "Require MFA (except in SSO)."
When "Let SSO logins bypass MFA" is disabled, both labels revert to their standard wording. While it is enabled, even if MFA is required for a given user, that requirement does not apply when the user authenticates via SSO.