User authentication settings

This feature is available to organizations on the Enterprise plan.

Organization Owners or Administrators can customize the login authentication settings for all users in their organization.

Authentication settings for all users in an organization.

Require Single Sign-On (SSO)

Quick Tip

Once you require SSO, all organization members must sign up or log in with your selected SSO provider. We recommend checking your Users list to ensure everyone has the right credentials first!

Require all users to join or sign in to your organization with their existing Google, Facebook, or Microsoft account.

To require single sign-on for all user accounts:

  1. Click your organization’s name in the top left corner and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require single sign-on for all users in your organization.
  4. Select an SSO provider (Google, Microsoft, or Facebook). You must be logged in with your selected provider before you can enable SSO.
  5. Select Save. If you want to change your SSO provider, you must turn off Require Single Sign-On and then repeat steps 3 and 4.
    Requiring single sign-on for Facebook

Managing users

Once you restrict users to your selected SSO provider, all organization members must sign up or log in with an email address associated with your provider. If your existing users have the right credentials, this process is seamless and they can continue to log in as usual. However, if any existing users log in with an email that’s not associated with your SSO provider, they must update their email information before you enable SSO.

If you enable SSO and a user does not have the right credentials, you can turn it off and allow them to log in and update their email address. Please note that enabling SSO does not affect user permissions for new or existing users.

Google SSO

Quick Tip

While Google sign-in supports standard Google and Gmail accounts, restricting users to your Google domain requires a Google Workspace account.

Google Workspace logo

Google Workspace includes productivity apps such as Gmail, Drive, Docs, Meet, and many more.

You can control who has access to your Cognito Forms organization based on your Google Workspace domain. Once enabled, your users will be automatically signed in to Cognito Forms with their Google accounts.

To integrate Cognito Forms with your Google Workspace domain:

  1. Click your organization’s name in the top left corner and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require single sign-on for all users in your organization.
  4. Select Google as your SSO provider and then select Restrict users to my Google Workspace domain.
  5. Select Enable. You will be prompted to sign in with your credentials before the settings are enabled.

Microsoft Entra SSO

Microsoft Entra ID.

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management solution. A Microsoft Entra tenant provides identity and access management (IAM) capabilities to applications and resources used by your organization.

You can control who has access to your Cognito Forms organization based on your Microsoft tenant. Once enabled, your users will be automatically signed in to Cognito Forms with their Microsoft Entra accounts.

To integrate Cognito Forms with Microsoft Entra ID:

  1. Click your organization’s name in the top left corner and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require single sign-on for all users in your organization.
  4. Select Microsoft as your SSO provider and then select Restrict users to my Microsoft tenant.
  5. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
    • In the Overview section, select + Add > App registration. Enter a name and choose the account type that applies to your organization.
    • Set the Redirect URI to Web and enter: https://www.cognitoforms.com/svc/auth/oidc
    • Select Register.
    • Go to Certificates & secrets and select + New client secret. Enter a name and a secret expiration period that fits your organization’s security policy.
    • Copy your new client secret value. This value will not be visible again after you leave this page.
    • Go back to the application overview page and copy the Application (client) ID and Directory (tenant) ID.
  6. In Cognito Forms, enter the Tenant ID, Client ID, and Client Secret values.
  7. Select Enable. You will be prompted to sign in with your credentials before the settings are enabled.

Custom SSO

restricting users to your Google domain

Cognito Forms uses OpenID Connect to pair with popular identity providers, including Auth0, Okta, OneLogin, PingIdentity, Salesforce and more.

To integrate Cognito Forms with your SSO provider via OpenID Connect:

  1. Create a new client for Cognito Forms in your SSO provider. Set the Redirect URI to Web and enter: https://www.cognitoforms.com/svc/auth/oidc
  2. In Cognito Forms, click your organization’s name in the top left corner and select Settings.
  3. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  4. Toggle on Require single sign-on for all users in your organization.
  5. Select Custom.
    • Discovery URL: This setting is the discovery URL for your SSO provider. For example, your Okta discovery URL will look something like this: https://yourOktaDomain.oktapreview.com/.well-known/oauth-authorization-server See instructions on finding the discovery URL for your SSO provider:
    • Client ID: This setting is the client ID for the client in your SSO provider.
    • Client Secret: This setting is the client secret value for the client in your SSO provider.
  6. Select Enable. You’ll be prompted to log in with your connected SSO provider.

Require Two-Factor Authentication (2FA)

Quick Tip

Once you require two-factor authentication, all organization members will be prompted to set up 2FA as soon as they log in to your organization. We recommend giving your organization members a heads-up first!

To require two-factor authentication for all user accounts:

  1. Click your organization’s name in the top left and select Settings.
  2. Click Authentication in the left-hand navigation or scroll to the Authentication section.
  3. Toggle on Require two-factor authentication for all users in your organization.

Once enabled, any users who have not already set up 2FA for their account will be prompted to do so the next time they log in to your organization. In the Users section, you can view which users currently have 2FA enabled on their accounts.