How SSO works
When SSO is configured for your account:- You enter your work email on the Forerunner sign-in page
- Forerunner recognizes your email domain and redirects you to your organization’s identity provider
- You authenticate with your organization credentials
- Your identity provider confirms your identity to Forerunner
- You’re automatically signed in to Forerunner
SSO must be configured by your Customer Success Manager. If you expect SSO but don’t see the option, contact your CSM to verify configuration.
Benefits of SSO
| Benefit | Description |
|---|---|
| Simplified access | Use your existing organization credentials |
| Centralized management | IT manages access through your identity provider |
| Enhanced security | Leverage your organization’s authentication policies |
| Reduced passwords | No separate Forerunner password to remember |
| Automatic provisioning | Users may be created automatically when they first sign in |
Signing in with SSO
Go to Forerunner
Navigate to app.withforerunner.com.
Select SSO option
If SSO is configured for your email domain, you’ll see an option to continue with SSO. Select it.
Authenticate
You’re redirected to your organization’s sign-in page. Enter your organization username and password.
Complete additional verification
If your organization requires MFA or additional verification, complete those steps.
SSO and MFA
When using SSO, multi-factor authentication is typically managed by your organization’s identity provider rather than Forerunner:- Your organization’s MFA policies apply during SSO sign-in
- You may be prompted for verification codes, authenticator apps, or security keys
- Forerunner’s SMS-based MFA is separate from organization MFA
Email domain configuration
SSO is configured based on email domains:- Your CSM configures which email domains use SSO
- All users with matching email domains are directed to SSO
- Multiple domains can be configured for the same SSO provider
- Some organizations allow both SSO and password authentication
First-time SSO sign-in
When you first sign in via SSO:- Account exists - If you already have a Forerunner account, you’re signed in directly
- New user - Depending on configuration, a new account may be created automatically or you may need an invitation first
Automatic account creation (provisioning) depends on your organization’s SSO configuration. Contact your CSM if you’re unable to sign in after authenticating with your organization.
Session behavior with SSO
Signing out
When you sign out of Forerunner:- Your Forerunner session ends
- You may remain signed in to your organization’s identity provider
- Signing back in may be faster since you’re still authenticated with your organization
Session timeout
- Forerunner sessions may timeout based on account settings
- Your organization’s identity provider may have separate timeout policies
- You may need to re-authenticate with both systems depending on timing
Supported identity providers
Forerunner supports SAML-based SSO with common identity providers including:- Microsoft Azure Active Directory (Azure AD)
- Okta
- Google Workspace
- OneLogin
- Other SAML 2.0 compliant providers
SSO configuration requires coordination between your organization’s IT team and Forerunner. Contact your CSM to discuss setting up SSO for your account.
Setting up SSO
SSO setup requires your Customer Success Manager:Information needed
Your CSM will need:- Identity provider type (Azure AD, Okta, etc.)
- Email domains to enable for SSO
- Technical contact in your IT department
- SAML metadata or configuration details
Setup process
- Contact your CSM to initiate SSO setup
- Your CSM coordinates with your IT department
- Configuration is tested with a pilot group
- SSO is enabled for all users on the configured domains
Troubleshooting
SSO option not appearing
SSO option not appearing
Possible causes:
- SSO not configured for your email domain
- Typo in your email address
- SSO temporarily disabled
Redirected but sign-in fails
Redirected but sign-in fails
Possible causes:
- Organization credentials incorrect
- Account not provisioned in identity provider
- SSO configuration issue
Successfully authenticated but can't access Forerunner
Successfully authenticated but can't access Forerunner
Possible causes:
- Forerunner account doesn’t exist
- Account not linked to SSO
- Provisioning not enabled
Asked for Forerunner password after SSO
Asked for Forerunner password after SSO
Possible causes:
- SSO not fully configured
- Email domain mismatch
- Fallback to password authentication
SSO works but MFA prompts are confusing
SSO works but MFA prompts are confusing
Explanation:
You may see MFA prompts from:
- Your organization’s identity provider (during SSO)
- Forerunner (if separately enabled)
SSO vs. password authentication
| Aspect | SSO | Password |
|---|---|---|
| Password management | Managed by your organization | Managed in Forerunner |
| MFA | Typically organization-managed | Forerunner SMS verification |
| Access control | Can be tied to organization groups | Managed in Forerunner |
| Password reset | Through your organization | Through Forerunner |
| Setup | Requires CSM and IT coordination | Self-service with invitation |
Related topics
- Signing in - General sign-in process
- Multi-factor authentication - Forerunner MFA settings
- Password management - For non-SSO accounts