Set up single sign-on (SSO)

With single sign-on (SSO), users can access their company and other business applications through a single login.

Centralized login and authentication have several key advantages, including security benefits. Single sign-on (SSO) lets users access all their apps with one password, so it's faster and safer. No more forgetting passwords or risking them getting stolen.

About SSO

Single sign-on (SSO) is the ability for a user to use the same ID and password to log in to multiple applications within an organization. SSO solutions use an identity provider to manage the login for individual users. Your identity provider is responsible for providing centralized authentication to applications and users throughout your organization.

After setup is complete, SSO-enabled users can initiate login from the login page. Alternatively, they can log in from your identity provider.

You can set up both SSO and 2-step verification for your company for extra security. If your company is already enabled for SSO, users who access Intacct via their SSO identity provider will bypass 2-step verification. However, if a user is not configured for SSO and is logging in directly to Intacct, they will be forced to use 2-step verification.

Enabling both features gives you an extra layer of protection for your account. For example, if your SSO system were temporarily unavailable, your Intacct admin might need to log in to Intacct directly and would go through 2-step verification to prove their identity.

How does it work?

Intacct uses a single login page to support both Intacct login and single sign-on login. To use SSO logins, users select the Use single sign-on option on the login page. Selecting this option removes the Password field and then your selected identity provider authenticates the user.

The Remember me checkbox stores the single sign-on preferences set by your users.

Users that you set up for SSO can no longer use the basic login page to log in to Sage Intacct. Instead, they choose the option for single sign-on login.

Any users that you do not set up for SSO must still log in to Sage Intacct using the basic login page. In addition, users with full administrator privileges always have the option to log in to Intacct using their Intacct password.

How logging in works, by type of user:

SSO user

Users who are enabled for SSO must log in to Intacct using the single sign-on.

The login page for single sign-on requests only the company name and username, and does not provide an option for entering a password. Your SSO identity provider authenticates the user, and manages their passwords.

Non-SSO users

Users who are not enabled for SSO must log in to Intacct using the basic login page and enter their Intacct password.

Administrator users

Users with full administrator privileges always have the option to log in to Intacct using their Intacct password. This ensures that they always have a way to log in to Intacct.

Administrator users can also use SSO for logging in to Intacct.

Before you set up SSO

Before you enable SSO for your company, you need to set up SSO with an identity provider. Setup will vary by identity provider. Use the following information as a reference.

Supported identity providers

The following identity providers are verified to work with Sage Intacct:

  • Assure Bridge
  • OneLogin
  • Centrify
  • Active Directory Federated Services (AD FS)

You can set up SSO using your existing SSO identity provider if they support the SAML 2.0 protocol for authenticating and authorizing users.

Identity provider connection requirements

The following table describes the configuration options that you might need to set up a connection with your identity provider.

Configuration option: Requirement or value

  • Authentication protocol: SAML 2.0
  • SAML binding type: POST binding
  • Security certificate type: X.509 generated with an SHA-256 signature hash in PEM format
  • Relying Party identifier for Intacct: https://saml.intacct.com
  • ACS/Consumer URL: https://www.intacct.com/ia/acct/sso_response.phtml

The following three custom attributes are required when the identity provider initiates sign-on:

Attribute: Value

  • emailAddress: User's Federated Id
  • Company Name: Company Id
  • name: User Id
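
One way to confirm that an identity provider test login matches the values listed above before enabling SSO (an added example, not part of the original documentation or any Sage Intacct code): it checks a decoded SAML response for the Relying Party identifier, the ACS/Consumer URL and the three custom attributes. It assumes the identity provider carries these in the standard SAML 2.0 Audience, SubjectConfirmationData Recipient and Attribute elements; the function names and sample values are constructed for illustration, and signature verification is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://saml.intacct.com"  # Relying Party identifier from the table
ACS_URL = "https://www.intacct.com/ia/acct/sso_response.phtml"  # ACS/Consumer URL
REQUIRED_ATTRS = ("emailAddress", "Company Name", "name")  # the three custom attributes

def check_response(xml_text):
    """List mismatches between a decoded SAML response and the documented values.
    Configuration pre-flight only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append("Audience lacks the Relying Party identifier")
    recipients = [c.get("Recipient")
                  for c in root.findall(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append("Recipient is not the ACS/Consumer URL")
    values = {}
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not values.get(name):
            problems.append(f"missing or empty attribute: {name}")
    return problems

def sample_response(audience=AUDIENCE, recipient=ACS_URL, attrs=None):
    """Build a constructed, unsigned response for the demonstration below."""
    if attrs is None:  # constructed sample values, not real identifiers
        attrs = {"emailAddress": "jdoe-federated-id",
                 "Company Name": "ExampleCo", "name": "jdoe"}
    stmts = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion><saml:Subject><saml:SubjectConfirmation>"
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        "</saml:SubjectConfirmation></saml:Subject><saml:Conditions>"
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{stmts}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    print(check_response(sample_response()))  # matching configuration
    print(check_response(sample_response(audience="https://www.intacct.com",
                                         attrs={"emailAddress": "jdoe-federated-id"})))
```

Run it against the decoded response from your identity provider's test or preview tool; an empty list means the audience, recipient and attributes line up with the table.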

Set up SSO

Setting up SSO is a two-step process:

  1. Enable SSO for your company
  2. Set up individual users

Enable SSO for your company

Intacct uses these settings to establish a connection between your company and your SSO identity provider. Users will continue to log in using the basic login page until you explicitly set them up for SSO (see step 2).

To enable SSO for your company:

  1. Go to Company > Setup > Configuration and select Company.
  2. In the Company information page, select Edit.
  3. Select the Security tab.
  4. In the Single sign-on (SSO) section, select the Enable single sign-on checkbox.
  5. Do one of the following for the Identity provider type:
    • If you are not using AD FS, choose SAML 2.0.
    • If you're using AD FS, choose SAML 2.0 with ADFS.
  6. Complete the remaining information using information provided by your SSO identity provider.
    Identity provider type option descriptions:

    • Issuer URL: The issuer URL is provided to you by your identity provider and is the URL that your company will invoke to attempt authentication. Copy and paste the URL into this field as-is.
    • Login URL: This is the link to your SSO login page, as provided by your identity provider. Copy and paste the URL into this field as-is.
    • Certificate: This is the X.509 certificate issued by your identity provider for your application. It is used to verify both that the submitter is who they say they are and that the data has not been altered after being submitted. Copy and paste the certificate into this field as-is.

  7. Save your changes.

Set up individual users

With SSO, your company can switch to a system where everyone logs in with single sign-on. This means users will not need separate passwords for your company login anymore. A secure SSO provider will verify them instead. You can choose which users switch to SSO and which users can keep using passwords for now.

To use SSO, users must log in from a computer that has access to your SSO system. In addition, we currently do not support SSO login from mobile devices.

To enable SSO for a user:

  1. Go to Company > Admin > Users.

    The Users list appears.

  2. Find the desired user and select Edit next to their name.
  3. Select the Single sign-on tab.
    This tab appears only if you've already enabled SSO for your company (see step 1).
  4. Select the option to Enable single sign-on.
  5. In the Federated SSO user id field, enter the ID that your SSO identity provider uses to identify this particular user.

Disable SSO

You can turn off SSO for your company by deselecting the Enable single sign-on checkbox on the Company information page. After you select Save on this page, a pop-up window appears to reset all non-administrator single sign-on users' passwords. You'll be asked if you want to reset users' passwords for them, or let users reset their passwords on their own.

  • If you answer "Yes" to resetting user passwords: All non-administrator users will receive an email from Intacct asking them to reset their passwords. After they've created a new password, users can log in using the basic login page.
  • If you answer "No" to resetting user passwords: Users will not receive an automated email prompting them to reset their password. Users can, however, reset their own passwords at login time by selecting the Forgot your password? link on the basic login page.

If you turn off SSO, users who try to log in with the SSO method will get an error. This is because SSO is off and they need their regular passwords now.

Users with full administrator privileges are not required to reset their password. Administrators can always log in directly using their Intacct password regardless of whether they are set up for SSO.

Field descriptions

SSO field descriptions, listed as field name followed by description:

Enable single sign-on

Enable SSO for your company.

Identity provider type

Choose the type of SSO identity provider that you're using. If you're using Active Directory Federated Services (ADFS), choose SAML 2.0 with ADFS. Otherwise, choose SAML 2.0.

Issuer URL

The issuer URL is provided to you by your identity provider and is the URL that Intacct will invoke to attempt authentication. Copy and paste the URL into this field as-is.

Login URL

The link to your SSO login page, as provided by your identity provider. Copy and paste the URL into this field as-is.

Certificate

The X.509 certificate issued by your identity provider for your application. It is used to verify that the submitter is who they say they are and that the data has not been altered after being submitted. Copy and paste the certificate into this field as-is.

Requested authentication content type

Select what level of authentication is required for a login attempt.

  • Exact: The login must use one of the listed exact authentication methods (for example, password only).

  • Minimum: The login method must be at least as strong as one of the listed methods (for example, password with multi-factor authentication is stronger than just a password).

  • Maximum: The login method must be the strongest possible option available (not commonly used).

  • Better: The login method must be stronger than any of the listed methods (useful when additional security is needed).

Enable alternative login methods (Microsoft Azure AD only)

This option enables passwordless authentication methods for signing into Sage Intacct via Microsoft Entra.

By selecting this, users can log in using alternative, secure methods such as Windows Hello, the Microsoft Authenticator app, SMS, or email codes, enhancing security and convenience.

For more details on how these authentication methods work, visit Microsoft's documentation on passwordless authentication.