Reach 360: How to Enable Single Sign-On (SSO)

Article Last Updated

This article applies to:

Single Sign-on (SSO) allows you to authenticate your users with your own systems without making them enter additional Reach 360 login credentials. So if a user is already authenticated by your identity provider (IDP), they're authenticated in Reach 360 as well.

Only Reach 360 account owners can enable or disable SSO from the in-app interface.

  1. Get IDP Information 
  2. Enable SSO in Reach 360
  3. Add Reach 360 Information to Your IDP
  4. Add Required Attributes for Users
  5. Disable SSO

Step 1: Get IDP Information

We need to know about your IDP and they need to know about us. To enable SSO, you'll need to enter information about your provider in Reach 360 and, in turn, we'll give you what you need to enter into your IDP account.

You'll need three things:

  2. IDP issuer URI
  3. IDP signature certificate  

These should all be available/configurable in your IDP account.

Step 2: Enable SSO in Reach 360

The option to configure SSO is available to owners only. If you aren't sure what you need to enter for any given step, click Learn more for additional details.  

  1. In Reach 360, select the manage tab and click Settings.
  2. Select the Developer Settings tab.
  3. Under Single Sign-On (SSO) Authentication click Configure SSO
  4. On the Configure Single Sign-On (SSO) Authentication page, in the IDP SSO URL field, enter the IDP SSO URL you obtained in step 1. This is the address where your users log in.
  5. Enter the IDP entity ID for your SSO in the IDP Issuer URI field. 
  6. Open the IDP signature certificate you downloaded in step 1. Copy and paste the entire X.509 certificate in the space provided. 
  7. Select how the SAML response from your IDP is signed. You must choose either Response or Assertion.
  8. Select whether you'd like to sign SAML Authentication requests and if you’ll be using SCIM to automatically provision users and groups.
  9. Once you've double-checked your entries, click Save & Continue

Step 3: Add Reach 360 Information to Your IDP

Once you enter the information in the previous step, we'll have everything we need to generate the certificates and tokens for your IDP account. 

After clicking Save & Continue, you'll notice that the SSO page is slightly different. These items are what you need to connect your SSO solution to Reach 360: 

  • Assertion Consumer Service (ACS) URL
  • Audience URL
  • Signing Certificate

If you selected the option to use SCIM in Step 2, you’ll also receive:

  • SCIM Auth Token

Add these values to the appropriate place on your IDP's configuration page. Once you're finished with this information, click Done

Once configured, you can view your SSO settings at any time by clicking Configure SSO from the Developer Settings tab. If you have SCIM enabled, you can generate a new SCIM token by clicking the button in the SCIM URL section. This invalidates your current token and issues a new one that you'll need to add to your IDP configuration page.

Note: If you have issues adding this information to your IDP account, please contact their support team. 

Step 4: Add Required Attributes for Users

For a user to be created in Reach 360, their record in your IDP must contain the following attributes:

  • firstName = first name
  • lastName = last name
  • email = email address
  • subjectNameId or Unique User Identifier = any unique ID from your IdP

You can also send these optional attributes:

  • avatar = replaces user-defined profile photo (must be passed as a URL)
  • groups = a list of groups the user is assigned to in the IdP that you'd like synced over to Reach 360.


If using SCIM, you'll also need to configure your IDP with these required attributes:

  • name.givenName = first name
  • name.familyName = last name
  • userName = email address

You can also use these optional SCIM attributes:

  • avatar = replaces user-defined profile photo (must be passed as a URL and is to be sent as an attribute that is part of the urn:scim:schemas:extension:metadata:2.0:User schema)
  • externalId = any unique ID from your IdP

The Reach 360 user guide has additional information on managing users and groups when SSO is enabled. Contact if you run into issues or need assistance.

Step 5: Disable SSO 

Turning off SSO is quick and easy. Just keep in mind that, when you do disable SSO, you'll need to repeat the entire process outlined in steps 1-3 if you want to turn it back on. 

  1. On the manage tab, click Settings.
  2. Click the Developer Settings tab.
  3. In the SAML Configuration Settings section, click Disable SSO.
  4. Click Turn Off to confirm you want to disable SSO.

An email is sent to your SSO-linked team members, letting them know SSO has been disabled. To re-enable their login, they must click the Set Password button in that email.