> ## Documentation Index
> Fetch the complete documentation index at: https://withforerunner.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Single sign-on

> Sign in to Forerunner through your organization's identity provider

Single sign-on (SSO) allows you to access Forerunner using your organization's existing credentials. Instead of maintaining a separate Forerunner password, you authenticate through your organization's identity provider (like Azure AD, Okta, or Google Workspace).

## How SSO works

When SSO is configured for your account:

1. You enter your work email on the Forerunner sign-in page
2. Forerunner recognizes your email domain and redirects you to your organization's identity provider
3. You authenticate with your organization credentials
4. Your identity provider confirms your identity to Forerunner
5. You're automatically signed in to Forerunner

<Note>
  SSO must be configured by your Customer Success Manager. If you expect SSO but don't see the option, contact your CSM to verify configuration.
</Note>

## Benefits of SSO

| Benefit                    | Description                                                |
| -------------------------- | ---------------------------------------------------------- |
| **Simplified access**      | Use your existing organization credentials                 |
| **Centralized management** | IT manages access through your identity provider           |
| **Enhanced security**      | Leverage your organization's authentication policies       |
| **Reduced passwords**      | No separate Forerunner password to remember                |
| **Automatic provisioning** | Users may be created automatically when they first sign in |

## Signing in with SSO

<Steps>
  <Step title="Go to Forerunner">
    Navigate to [app.withforerunner.com](https://app.withforerunner.com).
  </Step>

  <Step title="Enter your email">
    Type your work email address associated with your organization.
  </Step>

  <Step title="Select SSO option">
    If SSO is configured for your email domain, you'll see an option to continue with SSO. Select it.
  </Step>

  <Step title="Authenticate">
    You're redirected to your organization's sign-in page. Enter your organization username and password.
  </Step>

  <Step title="Complete additional verification">
    If your organization requires MFA or additional verification, complete those steps.
  </Step>

  <Step title="Access Forerunner">
    After successful authentication, you're returned to Forerunner and signed in.
  </Step>
</Steps>

## SSO and MFA

When using SSO, multi-factor authentication is typically managed by your organization's identity provider rather than Forerunner:

* Your organization's MFA policies apply during SSO sign-in
* You may be prompted for verification codes, authenticator apps, or security keys
* Forerunner's SMS-based MFA is separate from organization MFA

<Tip>
  If you're having trouble with MFA during SSO sign-in, contact your IT department since they manage your organization's authentication policies.
</Tip>

## Email domain configuration

SSO is configured based on email domains:

* Your CSM configures which email domains use SSO
* All users with matching email domains are directed to SSO
* Multiple domains can be configured for the same SSO provider
* Some organizations allow both SSO and password authentication

## First-time SSO sign-in

When you first sign in via SSO:

1. **Account exists** - If you already have a Forerunner account, you're signed in directly
2. **New user** - Depending on configuration, a new account may be created automatically or you may need an invitation first

<Note>
  Automatic account creation (provisioning) depends on your organization's SSO configuration. Contact your CSM if you're unable to sign in after authenticating with your organization.
</Note>

## Session behavior with SSO

### Signing out

When you sign out of Forerunner:

* Your Forerunner session ends
* You may remain signed in to your organization's identity provider
* Signing back in may be faster since you're still authenticated with your organization

### Session timeout

* Forerunner sessions may timeout based on account settings
* Your organization's identity provider may have separate timeout policies
* You may need to re-authenticate with both systems depending on timing

## Supported identity providers

Forerunner supports SAML-based SSO with common identity providers including:

* Microsoft Azure Active Directory (Azure AD)
* Okta
* Google Workspace
* OneLogin
* Other SAML 2.0 compliant providers

<Note>
  SSO configuration requires coordination between your organization's IT team and Forerunner. Contact your CSM to discuss setting up SSO for your account.
</Note>

## Setting up SSO

SSO setup requires your Customer Success Manager:

### Information needed

Your CSM will need:

* Identity provider type (Azure AD, Okta, etc.)
* Email domains to enable for SSO
* Technical contact in your IT department
* SAML metadata or configuration details

### Setup process

1. Contact your CSM to initiate SSO setup
2. Your CSM coordinates with your IT department
3. Configuration is tested with a pilot group
4. SSO is enabled for all users on the configured domains

## Troubleshooting

<AccordionGroup>
  <Accordion title="SSO option not appearing">
    **Possible causes:**

    * SSO not configured for your email domain
    * Typo in your email address
    * SSO temporarily disabled

    **Solution:**
    Verify your email address is correct. Contact your CSM to confirm SSO is configured for your domain.
  </Accordion>

  <Accordion title="Redirected but sign-in fails">
    **Possible causes:**

    * Organization credentials incorrect
    * Account not provisioned in identity provider
    * SSO configuration issue

    **Solution:**
    Try signing in to other SSO-enabled applications. Contact your IT department if you can't authenticate with your organization.
  </Accordion>

  <Accordion title="Successfully authenticated but can't access Forerunner">
    **Possible causes:**

    * Forerunner account doesn't exist
    * Account not linked to SSO
    * Provisioning not enabled

    **Solution:**
    Contact your Manager to verify you have a Forerunner account, or your CSM to check SSO configuration.
  </Accordion>

  <Accordion title="Asked for Forerunner password after SSO">
    **Possible causes:**

    * SSO not fully configured
    * Email domain mismatch
    * Fallback to password authentication

    **Solution:**
    Contact your CSM to verify SSO is properly configured for your email domain.
  </Accordion>

  <Accordion title="SSO works but MFA prompts are confusing">
    **Explanation:**
    You may see MFA prompts from:

    * Your organization's identity provider (during SSO)
    * Forerunner (if separately enabled)

    These are different systems. Organization MFA is managed by your IT department.
  </Accordion>
</AccordionGroup>

## SSO vs. password authentication

| Aspect                  | SSO                                | Password                     |
| ----------------------- | ---------------------------------- | ---------------------------- |
| **Password management** | Managed by your organization       | Managed in Forerunner        |
| **MFA**                 | Typically organization-managed     | Forerunner SMS verification  |
| **Access control**      | Can be tied to organization groups | Managed in Forerunner        |
| **Password reset**      | Through your organization          | Through Forerunner           |
| **Setup**               | Requires CSM and IT coordination   | Self-service with invitation |

## Related topics

* [Signing in](/administration/authentication/signing-in) - General sign-in process
* [Multi-factor authentication](/administration/authentication/mfa) - Forerunner MFA settings
* [Password management](/administration/authentication/passwords) - For non-SSO accounts
