This article covers Enterprise Single Sign-On (SSO) in AMS+ for your organization’s users and administrators. Administrators will find setup instructions, enforcement options, and break glass user guidance. Users will find instructions for logging in with SSO and what to expect when SSO is enforced by their organization.
Note: One step in the setup process must be completed by the AgencyBloc Support Team before your administrator can begin configuration. Contact your AgencyBloc CSM to get started.
Requirements
- Your organization must have a supported identity provider (IdP). Examples:
  - Okta
  - Microsoft Entra (Azure AD)
  - OneLogin
  - Google Workspace
  - Any SAML 2.0 / OIDC-compatible IdP
- You must have the ability to add a DNS TXT record to your organization's email domain (typically done by your IT team).
- To set up and manage Enterprise SSO settings for your organization:
  - You must be logged into AMS+ as an Agency User.
  - You must be assigned to a Security Group with the Manage User permission.
In this article
- What is Enterprise SSO?
- SSO setup overview (for administrators)
- Break glass users
- What changes when SSO is enforced
- How to log in with SSO
- Troubleshooting
What is Enterprise SSO?
Enterprise SSO (Single Sign-On) lets your organization's users log into AMS+ using your existing corporate identity provider, such as Okta, Microsoft Entra (Azure AD), or OneLogin, instead of a separate AMS+ username and password.
When SSO is configured for your organization, your users log into AMS+ using the Or login using your Company Account (SSO) link on the login page, which is visible to all AMS+ users. Selecting it prompts you to enter your email address, then takes you through your company’s normal sign-in flow.
SSO setup overview (for administrators)
Before setup begins, the AgencyBloc Support Team enables SSO on your account. To do this, they will need the following from you:
- Your organization's email domain: the part of your work email address after the @ symbol (e.g., agencybloc.com). This cannot be changed once configured.
- A preferred login name for your organization: a short, unique name that AgencyBloc will use to create a dedicated SSO login link for your team (e.g., agencybloc-benefits).
Once the AgencyBloc Support Team has completed their step, your organization’s administrator completes three steps in My Agency Settings > Enterprise Single Sign On before SSO can be enforced. Once these steps are complete, you can access your organization's dedicated SSO login URL and set your SSO mode.
- Configure your identity provider
  - Select Configure on the Configure SSO Provider card.
  - This opens the SSO Admin Portal in a new tab, where you'll connect your identity provider (Okta, Microsoft Entra, OneLogin, Google Workspace, etc.) using the setup wizard.
  - The identity provider status on the My Settings > Enterprise Single Sign On page does not update automatically, so you may need to select the Refresh Status button to see whether your identity provider setup has completed.
- Verify your domain
  - Select Verify on the Verify Domain card.
  - You'll be directed to add a DNS TXT record to prove ownership of your email domain. DNS propagation can take 24–48 hours.
  - The domain verification status on the My Settings > Enterprise Single Sign On page does not update automatically, so you may need to select the Refresh Status button to see whether your domain verification has completed.
- Add break glass users
  - Select Manage on the Break Glass Users card.
  - Select 1–5 users who will retain username/password access as a backup. At least one break glass user is required before you can enforce SSO.
  - You can add or remove break glass users at any time.
  - See Break glass users below for details.
SSO login URL
After all three steps are complete, you will be provided with a dedicated login URL for your organization. Share this link with your team so they can bookmark it and use it to log into AMS+ directly through your organization's SSO login flow.
SSO mode
Once your SSO setup is complete, you can choose your SSO mode.
- Unenforced: Your organization's users can log in via SSO or username and password. Use this to test SSO without affecting user access.
- Enforced: Your organization's users must log in via SSO. Username and password login is disabled for everyone except break glass users.
Note: Enforced mode is only available after SSO setup is complete.
Break glass users
Break glass users are a small group of designated users (typically administrators) who can log into AMS+ with a username and password even when SSO is enforced. This provides emergency access if there's an issue with your identity provider.
- Break glass users can still reset their AMS+ password through normal channels.
- Break glass users can still manage two-factor authentication settings.
- Your organization can have between 1 and 5 break glass users.
- At least one break glass user is required before SSO can be set to Enforced.
Note: If you believe you should be a break glass user or need emergency access to your account, contact your organization's AMS+ administrator.
What changes when SSO is enforced
When your organization's administrator sets SSO to Enforced mode, the following changes apply to all users (except break glass users):
Login
You must log in through your company's identity provider. Attempting to log in with a username and password will show a standard login error. Use the Or login using your Company Account (SSO) link instead.
Password reset
Password resets through AMS+ are not available when SSO is enforced. If you select Forgot Password, you'll be redirected to the SSO login flow instead. Manage your credentials through your organization's identity provider.
Password change in My Account
The password change section is hidden in My Account for SSO-enforced users, since AMS+ passwords are not used for authentication.
Two-factor authentication
AMS+ two-factor authentication settings are not available when SSO is enforced. Because authentication goes through your identity provider, AMS+ defers to whatever MFA your organization has configured there. Your IdP's security controls are fully honored in place of AMS+ 2FA.
Welcome email for new users
When a new user is added to an SSO-enforced organization, they receive a modified welcome email with a Log in with SSO button instead of a temporary password. The email explains that your organization uses SSO for secure access and links to AgencyBloc Academy for training resources.
How to log in with SSO
- Go to the AMS+ login page.
- Select the Or login using your Company Account (SSO) link below the standard login fields.
If your organization has SSO enforced, you will not be able to log in using a username and password directly. See What changes when SSO is enforced above.
- Enter your username (typically your work email address).
AMS+ checks whether your organization has SSO configured. If it does, you're redirected to your identity provider automatically.
- Complete sign-in through your company's identity provider.
This may include your usual corporate credentials and any multi-factor authentication your organization requires.
- Once authenticated, you're logged into AMS+.
Troubleshooting
SSO login not working
If you're unable to log in and your organization uses SSO, use the Or login using your Company Account (SSO) link on the login page rather than entering your username and password directly. If you continue to have trouble, contact your organization's AMS+ administrator.
Domain verification pending
DNS changes can take 24–48 hours to propagate. Return to My Agency Settings > Enterprise Single Sign On and select Refresh Status to see whether verification has completed.
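Before selecting Refresh Status, you can check for yourself whether the TXT record from the Verify Domain step is already visible to public resolvers. The script below is an added example, not AgencyBloc tooling; the record name and token value are placeholders (use the exact values shown on your Verify Domain card), and it assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not AgencyBloc's): confirm a domain-verification TXT record
# is visible from a public resolver before selecting Refresh Status in AMS+.
# Record name and token below are placeholders, not real AgencyBloc values.

# Normalise `dig +short TXT` output read on stdin into one record per line:
# drop the surrounding quotes and rejoin multi-string records
# ("abc" "def" -> abcdef), so a token split across strings still compares.
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 if EXPECTED appears as a whole TXT record in the output on stdin,
# 1 otherwise. Whole-line match stops a partial or extended token from
# counting as present.
txt_value_present() {
  expected="$1"
  normalize_txt | grep -Fxq -- "$expected"
}

# Query a named resolver (default: Google Public DNS, 8.8.8.8) so you see what
# the wider internet sees rather than a cached answer from internal DNS.
check_domain_txt() {
  name="$1"; expected="$2"; resolver="${3:-8.8.8.8}"
  dig +short @"$resolver" TXT "$name" | txt_value_present "$expected"
}

# Usage with placeholder values:
#   check_domain_txt example.com "ams-sso-verify=TOKEN" \
#     && echo "record visible" || echo "not yet visible, wait and retry"
```

If the record is visible from a public resolver but AMS+ still reports verification pending, re-check the record name and value against the Verify Domain card before contacting support.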
Enforced mode unavailable
All three setup steps must be complete before Enforced mode is available: identity provider configured, domain verified, and at least one break glass user added.
User unable to log in via SSO
Confirm that the user's email domain matches the verified domain for your organization. If the domains don't match, the user won't be recognized as part of your SSO organization.