Setting Up Custom Single Sign-On (SSO)

Integrating your authentication system with Propeller is the best way to ensure secure, streamlined access for your team. With SAML or OpenID Connect (OIDC), users can access Propeller through your company’s existing identity provider (IdP). This means fewer passwords to manage and enhanced security through automatic user deactivation.

ℹ️ Note: Custom SSO is a Paid-premium feature of the Scale Platform Plan. If you want access to this feature, please contact your Customer Success Engineer.

How our Custom SSO works

Custom Single Sign-On (SSO) enables customers to integrate their existing authentication systems seamlessly with Propeller.

When a Propeller user tries to log in to Propeller using SSO, Propeller sends an authentication request to the identity provider (IdP).

The identity provider validates the user's credentials and sends a response back to Propeller to confirm the user's identity.

Propeller acknowledges the response and grants access, allowing users to log into their Propeller account. This will only happen if they are already a Propeller user.

How to set up SSO

Please contact your account manager when you're ready to proceed with the SSO integration.

Since there can be a bit of back and forth when setting up SSO, please ensure you have the correct technical contact inside your organization with the access and know-how to set up the integration. Please pass on these details to your account manager and they will work with you to configure the connection.

Connection methods

We support two primary methods for connecting your Identity Provider to Propeller:

Option 1: OpenID Connect (OIDC) - recommended

OpenID Connect (OIDC) offers a streamlined setup process and is our recommended approach, especially for organizations using Microsoft Entra ID (formerly Azure AD).

Benefits:

  • Simpler configuration process
  • Users won't need to verify their email address again with Propeller, if you are using Microsoft Entra ID
  • More modern authentication standard

What we'll need from your IT team:

For Microsoft Entra ID:

  • A new app registration set up in Entra
  • The Application (client) ID from this app registration
  • The Client Secret generated for this app registration (please ensure this secret has a long validity period to avoid frequent updates, and let us know its expiration date)
  • Your Microsoft Entra ID (Azure AD) Domain (found in your Azure portal)
  • Your organization's email domain(s) that will be used to log in to Propeller

For other identity providers:

  • A new application/client created in your IdP
  • The Client ID
  • The Client Secret (please ensure this secret has a long validity period and let us know its expiration date)
  • The OpenID Discovery URL (for example, https://yourdomain.com/.well-known/openid-configuration)
  • Your organization's email domain(s)

Your IT team will need to configure the following as a Redirect URI:

https://login.propelleraero.com/login/callback
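
A pre-flight check your IT team can run on the OpenID Discovery document before sending the Discovery URL, following the OpenID Connect Discovery 1.0 rules. This is an added example, not Propeller's code; `check_discovery`, the idp.example.com sample data and the authorization code flow requirement are assumptions of the example.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(discovery_url, doc):
    """Return a list of problems in an already-fetched discovery document."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    if not discovery_url.endswith(WELL_KNOWN):
        return problems + ["discovery URL does not end with " + WELL_KNOWN]
    problems += ["missing field: " + k for k in REQUIRED if k not in doc]
    # OIDC Discovery: the issuer is the discovery URL without the well-known suffix.
    issuer = discovery_url[:-len(WELL_KNOWN)]
    if doc.get("issuer", "").rstrip("/") != issuer:
        problems.append("issuer does not match discovery URL")
    problems += [k + " is not https" for k in ENDPOINTS
                 if k in doc and urlsplit(doc[k]).scheme != "https"]
    # Assumption of this example: the relying party uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # An IdP that only offers unsigned ID tokens cannot be trusted for login.
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if algs and set(algs) <= {"none"}:
        problems.append("only unsigned ID tokens ('none') advertised")
    return problems

# Constructed sample data for a hypothetical IdP at idp.example.com.
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "discovery document looks consistent")
```

An empty list means the document is internally consistent; it does not replace the connection test with Propeller.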

Option 2: SAML

SAML (Security Assertion Markup Language) is a widely-used protocol for single sign-on.

Configuration details

Before your IT team begins setup, please contact your account manager. We will provide you with the following information needed to configure the SAML connection, including an individual connection-name:

  • Identifier (Entity ID): In the format urn:auth0:propelleraero:<connection-name>
  • Reply URL (Assertion Consumer Service URL):

https://{yourDomain}/login/callback?connection={connection-name}

  • Logout URL (optional): https://login.propelleraero.com/logout

For Microsoft Entra ID:

Your IT team should create a new Enterprise Application in Entra ID. They can either:

  • Browse the Microsoft Entra Gallery and choose "Microsoft Entra SAML Toolkit", OR
  • Select "Create your own application" and then "Integrate any other application you don't find in the gallery (Non-gallery)"
💡 Tip: During testing, we found creating a "Non-gallery" application to be more straightforward.

Once the Enterprise Application is created, navigate to the "Single sign-on" tab and select to configure Single Sign-On with SAML. Use the Identifier (Entity ID) and Reply URL provided by Propeller.

After setup, your IT team will need to send us:

  • The SAML public key (in PEM or CER format), exportable from "SAML Certificates" under "Certificate (Base64)"
  • The Federation Metadata XML, also exportable from "SAML Certificates"
  • Your organization's email domain(s) that will be used to log in to Propeller

For other identity providers:

Your IT team will need to:

  1. Create a new SAML application in your IdP
  2. Configure it with the Identifier (Entity ID) and Reply URL provided by Propeller
  3. Send us:
     • The SAML public key (in PEM or CER format)
     • The Federation Metadata XML file
     • Your organization's email domain(s)

IdP-initiated login (not supported)

Please note that we do not support IdP-initiated login flows (where users start the login process directly from your Identity Provider). This is due to inherent security risks, specifically vulnerability to Login CSRF attacks.

All users must initiate login through:

  • https://app.prpellr.com
  • Your organization's URL (e.g., yourcompany.prpellr.com)
  • The Propeller mobile app

If your organization previously used IdP-initiated login flows with Propeller, please let us know so we can discuss the migration.
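
Why a response from an IdP-initiated flow cannot be tied to a login the user asked for, shown as an added example (illustrative, not Propeller's implementation): in a flow started by the application, a one-time value is bound to the browser session (the OIDC `state` parameter; SAML's `InResponseTo` plays the same role) and any response that does not match it is refused. `LoginTracker` and the session ids are hypothetical.

```python
import hashlib
import hmac
import secrets

class LoginTracker:
    """Tracks logins the service provider started, keyed by browser session."""

    def __init__(self):
        self._pending = {}  # session id -> SHA-256 of the outstanding state value

    def start_login(self, session_id):
        """SP-initiated step: mint a one-time state and bind it to this session."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = hashlib.sha256(state.encode()).digest()
        return state  # travels to the IdP inside the authentication request

    def accept_response(self, session_id, returned_state):
        """Accept an IdP response only if it answers this session's own request."""
        expected = self._pending.pop(session_id, None)  # single use
        if expected is None or not returned_state:
            return False  # unsolicited response: no request to match it against
        got = hashlib.sha256(returned_state.encode()).digest()
        return hmac.compare_digest(expected, got)

def run_scenarios():
    """Constructed scenarios; the session ids are placeholders."""
    sp = LoginTracker()
    results = {}
    # 1. Normal SP-initiated login: the response carries the state we issued.
    state = sp.start_login("session-a")
    results["sp_initiated"] = sp.accept_response("session-a", state)
    # 2. The same response delivered again is refused (state is single use).
    results["replayed"] = sp.accept_response("session-a", state)
    # 3. IdP-initiated response: this session never asked to log in.
    results["idp_initiated"] = sp.accept_response("session-b", None)
    # 4. Login CSRF: a response produced for someone else's request arrives
    #    in a session that has its own, different, outstanding state.
    foreign_state = sp.start_login("session-c")
    sp.start_login("session-d")
    results["foreign_response"] = sp.accept_response("session-d", foreign_state)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```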

Testing the connection

After we've configured the connection, we'll contact you to test the SSO connection. We'll provide test URLs for your team to verify everything works correctly:

Test 1: Organization login page

  1. Navigate to: https://your-organization.prpellr.com
  2. Click the "Continue with [Your Company]" button
  3. Complete the login through your IdP

Test 2: Email-based login

  1. Navigate to: https://app.prpellr.com
  2. Enter your company email address
  3. You should be automatically redirected to your IdP login page

We recommend having 2-3 users from your team test both login methods.

What happens after enabling SSO?

A new sign-in button is added to your organization’s login page so users can sign in with their existing company login credentials.

This is a win for both your company and the end user: the user doesn't have to create a new password to log in, and should they leave your company, they will also lose access to Propeller, since their company login credentials will have been disabled.

If you have multiple organizations within Propeller, this will only work on the organization enabled with Custom SSO, which may not be all of them.


I still can't do it!

We wrote these articles to equip you with everything you need to get the job done on your own, but we understand that sometimes this isn't sufficient.

If you're stuck, you can connect with our support team by clicking the question mark button at the top right corner of your user portal.
