Flashduty supports Single Sign-On (SSO) via SAML2.0, OIDC, CAS, and LDAP (private deployment only) protocols, helping you easily integrate with various applications and platforms. Users only need to sign in once to access multiple connected applications and services without repeated authentication.

Configuring SAML Protocol


Configuration path: Platform Management → Single Sign-On → Enable → Settings → Select SAML2.0 protocol type

Field | Description
--- | ---
Protocol Type | Select SAML2.0
Metadata Document | The IdP metadata XML document obtained from the identity provider
Field Mapping | Flashduty extracts the user's email, username, and phone from the identity provider through the mapped attributes
Create Account on Sign In | Enabled by default; when disabled, members must be invited before they can sign in
Flashduty Service Provider Info | Flashduty's Service Provider Metadata and its Assertion Consumer Service (ACS) URL, the endpoint the identity provider sends SAML assertions to during single sign-on

Configuring OIDC Protocol


Configuration path: Platform Management → Single Sign-On → Enable → Settings → Select OIDC protocol type

Field | Description
--- | ---
Protocol Type | Select OIDC protocol
Issuer | Obtained from the identity provider. A case-sensitive URL that must not contain query parameters; OIDC requires it to match the `iss` claim in the ID token exactly, so copy it character for character, including any trailing slash
Client ID | Client ID, obtained from the identity provider
Client Secret | Client secret, obtained from the identity provider
Field Mapping | Flashduty extracts the user's email, username, and phone from the identity provider through the mapped claims
Create Account on Sign In | Enabled by default; when disabled, members must be invited before they can sign in
Scopes | Specifies the information and permissions the request can access; customizable. Defaults to openid, profile, email, phone; additional custom scopes can be added as tags
Flashduty Service Provider Info | Redirect URL: the callback address to register with the identity provider

Supported signing algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 (HS256 not supported). HS256 is an HMAC keyed with the shared client secret, so only asymmetric algorithms, whose signatures are verified against the identity provider's published public keys, are accepted.
Scopes is a required field. The defaults openid, profile, email, phone are the base permissions OIDC needs to work properly; removing any of them may cause single sign-on to fail or prevent user information from being retrieved correctly. Add custom scopes alongside the defaults rather than in place of them.
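The constraints above are easy to get wrong by a single character. The following is an added example, not Flashduty's code: it turns the Issuer rules, the default scopes and the accepted algorithm list into checks you can run against a planned configuration and against an ID token header before the first sign-in attempt. The https and no-fragment requirements come from OIDC Core rather than from the page; the discovery URL is standard OIDC Discovery; issuer URLs and tokens are constructed placeholders.

```python
"""Pre-flight checks for an OIDC single sign-on configuration.

Added example, not Flashduty code. Issuer URLs, scopes and tokens used here
are constructed; the rules encoded are the page's (case-sensitive issuer, no
query parameters, default scopes, RS/ES/PS algorithms only) plus OIDC Core's
https and no-fragment requirements for the issuer.
"""
import base64
import json
from urllib.parse import urlsplit

# Defaults the page says must stay in place.
REQUIRED_SCOPES = {"openid", "profile", "email", "phone"}
# Asymmetric algorithms the page lists as supported; HS256 is deliberately absent.
ACCEPTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                 "PS256", "PS384", "PS512"}


def check_issuer(issuer: str) -> list:
    """Return the problems with an Issuer value (empty list means acceptable)."""
    parts = urlsplit(issuer)
    problems = []
    if parts.scheme != "https":
        problems.append("issuer must use the https scheme")
    if not parts.netloc:
        problems.append("issuer must be an absolute URL with a host")
    if parts.query:
        problems.append("issuer must not contain query parameters")
    if parts.fragment:
        problems.append("issuer must not contain a fragment")
    return problems


def discovery_url(issuer: str) -> str:
    """Where the provider publishes its metadata (OIDC Discovery). One trailing
    slash is stripped so an issuer written with one does not yield '//'."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def issuer_matches(configured: str, iss_claim: str) -> bool:
    """Exact, case-sensitive comparison: no lowercasing, no slash normalisation."""
    return configured == iss_claim


def missing_scopes(scopes: list) -> list:
    """Default scopes that were removed from the configured list (should be empty)."""
    return sorted(REQUIRED_SCOPES - set(scopes))


def alg_accepted(id_token: str) -> tuple:
    """Read the JOSE header and decide whether the token may be handed to
    signature verification at all. Rejecting HS256 and 'none' up front matters:
    an HS256 signature is an HMAC keyed with the client secret, which the
    relying party also holds, so issuing tokens would no longer be something
    only the identity provider can do, and verifiers that accept both symmetric
    and asymmetric algorithms are exposed to key-confusion attacks."""
    header_b64 = id_token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    alg = str(header.get("alg", ""))
    return alg in ACCEPTED_ALGS, alg


def make_token_with_alg(alg: str) -> str:
    """Constructed token: real JOSE header, empty payload, dummy signature."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return header.rstrip(b"=").decode() + ".e30.signature"


if __name__ == "__main__":
    issuer = "https://idp.example.test/realms/demo"   # constructed
    print("issuer problems:", check_issuer(issuer) or "none")
    print("discovery:", discovery_url(issuer))
    print("scopes missing:", missing_scopes(["openid", "email"]))
    for alg in ("RS256", "HS256", "none"):
        print(alg, "->", alg_accepted(make_token_with_alg(alg)))
```

The value to paste into the Issuer field is whatever `issuer_matches` will later be comparing against: the `issuer` value in the provider's discovery document, not the address you happened to type into a browser.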

Configuring CAS Protocol


Configuration path: Platform Management → Single Sign-On → Enable → Settings → Select CAS protocol type

Field | Description
--- | ---
Protocol Type | Select CAS protocol
CAS Address | CAS service address obtained from the identity provider, e.g., https://xqlsd3irx2gm-demo.authing.cn/cas-idp/669e050856d5b07b4399b242
CAS Login Path | CAS login path, e.g., /login
Skip TLS Check | Optional; when enabled, Flashduty does not verify the CAS server's TLS certificate. Intended for CAS services with self-signed certificates, but it also removes the protection against an attacker impersonating the CAS server during ticket validation, so prefer a certificate Flashduty can verify and leave this disabled in production
Field Mapping | Flashduty extracts the user's email, username, and phone from the identity provider through the mapped attributes
Create Account on Sign In | Enabled by default; when disabled, members must be invited before they can sign in
Flashduty Service Provider Info | Redirect URL: the callback address to register with the identity provider

Configuring LDAP Protocol


LDAP single sign-on is only supported in the private deployment version.
Configuration path: Platform Management → Single Sign-On → Enable → Settings → Select LDAP protocol type

Field | Description
--- | ---
Protocol Type | Select LDAP protocol
LDAP URL | LDAP service address, e.g., ldap://10.10.10.10:389. A plain ldap:// connection carries the BIND DN password and the user's credentials in cleartext unless an encryption method is enabled below
BIND DN | Username for connecting to LDAP, e.g., cn=admin,dc=flashduty,dc=com. A dedicated read-only service account is preferable to the directory administrator
BIND DN Password | Password for connecting to LDAP, stored encrypted in the database
Encryption | TLS (LDAPS, typically ldaps:// on port 636) or StartTLS (TLS negotiated on a plain ldap:// connection); the two are mutually exclusive. With either enabled you can optionally skip SSL/TLS certificate verification, or, if verification is kept, provide the path to the certificate used to verify the server. Skipping verification still encrypts the connection but no longer proves which server you are talking to, so reserve it for testing
User DN | Base DN from which user searches start, e.g., ou=people,dc=flashduty,dc=com
Auth Filter | Custom filter expression used to look up the user's DN; basic form (&(mail=%s)), where %s stands for the identifier the user signs in with. The opening and closing parentheses are required
Field Mapping | Flashduty extracts the user's email, username, phone, and Group information from the identity provider through the mapped attributes. Email is a required mapping. The Group field defaults to memberOf and is used for role and team synchronization
Create Account on Sign In | Enabled by default; when disabled, members must be invited before they can sign in

Field mapping must match the attributes the identity provider actually returns, otherwise sign-in will fail. For a concrete configuration, refer to the OpenLDAP Integration Guide.
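The Auth Filter is a template into which a user-controlled value is substituted, which is the classic setting for LDAP filter injection. The following is an added example, not Flashduty's code and not a description of how Flashduty performs the substitution (the page does not say): it shows what any LDAP client should do with a template such as (&(mail=%s)), namely validate the template's parentheses as the page requires and escape the sign-in value per RFC 4515 before substituting it, with the unescaped variant beside it to make the difference visible. Templates and sign-in values are constructed.

```python
"""Expand an LDAP Auth Filter template without letting the sign-in value
change the filter's structure.

Added example, not Flashduty code. The template form (&(mail=%s)) and the
balanced-parentheses requirement come from the page; the escaping is RFC 4515.
All templates and sign-in values here are constructed.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value. Mapping character by character means a
    backslash in the input is escaped exactly once."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def template_is_valid(template: str) -> bool:
    """Parentheses balanced and outermost (the page's requirement) and at
    least one %s placeholder for the sign-in value."""
    if "%s" not in template:
        return False
    if not (template.startswith("(") and template.endswith(")")):
        return False
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def naive_filter(template: str, login: str) -> str:
    """Plain substitution, shown only so the failure mode is visible."""
    return template.replace("%s", login)


def build_auth_filter(template: str, login: str) -> str:
    """Substitute the escaped sign-in value into a validated template."""
    if not template_is_valid(template):
        raise ValueError(f"invalid auth filter template: {template!r}")
    return template.replace("%s", escape_filter_value(login))


if __name__ == "__main__":
    template = "(&(mail=%s))"
    hostile = "*)(objectClass=*"   # constructed sign-in value
    print("naive  :", naive_filter(template, hostile))   # now matches every entry
    print("escaped:", build_auth_filter(template, hostile))
```

With the naive substitution the constructed value turns a single-user lookup into `(&(mail=*)(objectClass=*))`, which matches every entry under the User DN; with escaping it stays a literal, non-matching mail address.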

LDAP Connection Test

After entering the LDAP connection details, click the Connection Test button at the bottom of the settings drawer to verify that Flashduty can reach your LDAP server. The system attempts to connect and bind using the currently entered LDAP URL, BIND DN, and password, and reports success or failure. It exercises the connection and bind only; the User DN, Auth Filter, and Field Mapping are not checked until a member actually signs in.
Run the connection test before saving the configuration so that connection parameters are confirmed correct and login failures caused by misconfiguration are avoided.

LDAP Role and Team Synchronization

When using the LDAP protocol, you can automatically synchronize Flashduty roles and teams based on the user's LDAP Group membership. Configuration path: LDAP Settings page → Sync Configuration

1. Enable Synchronization

In the sync configuration area, enable the Sync Roles and/or Sync Teams toggles.

2. Add Mapping Rules

Click Add Mapping Rule and configure the following for each rule:

Field | Description
--- | ---
Group DN | The full Distinguished Name of the Group in LDAP, e.g., cn=devops,ou=groups,dc=example,dc=com
Mapped Roles | Available when Sync Roles is enabled; the Flashduty roles this Group maps to
Mapped Teams | Available when Sync Teams is enabled; the Flashduty teams this Group maps to

3. Configure Default Roles

When Sync Roles is enabled, you can configure Default Roles. When none of a user's LDAP Groups matches a mapping rule, the system assigns these default roles.
  • You can add multiple mapping rules, each corresponding to one LDAP Group
  • When a user signs in, the system matches their LDAP Group membership against the rules and synchronizes the corresponding roles and teams
  • The Group DN in a mapping rule must be the full path of the Group in LDAP
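Before switching on sync for everyone, it helps to predict what a given user will receive. The following is an added example, not Flashduty's code: it models the three steps above (rules keyed by Group DN, roles and teams applied when their toggle is on, default roles when no rule matches) over the values of a user's Group attribute. The user entry, group DNs, role and team names are constructed placeholders, and the DN comparison is an assumption: RFC 4514 equality is approximated by lowercasing each RDN and removing whitespace around the commas.

```python
"""Resolve Flashduty roles and teams from a user's LDAP group membership.

Added example, not Flashduty code. Models the mapping rules described on the
page so the outcome for a user can be checked before sync is enabled. All
entries, DNs, role and team names are constructed; DN matching is an
approximation of RFC 4514 comparison (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class MappingRule:
    group_dn: str                       # full DN of the LDAP group
    roles: set = field(default_factory=set)
    teams: set = field(default_factory=set)


@dataclass
class SyncConfig:
    sync_roles: bool
    sync_teams: bool
    rules: list
    default_roles: set = field(default_factory=set)


def normalize_dn(dn: str) -> str:
    """Approximate DN equality: case-insensitive RDNs, no whitespace around
    separators. Escaped commas inside values are not handled (assumption)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_membership(member_of: list, cfg: SyncConfig) -> dict:
    """Apply the mapping rules to the values of the user's Group attribute
    (memberOf by default) and return the roles and teams to synchronise."""
    by_dn = {normalize_dn(rule.group_dn): rule for rule in cfg.rules}
    roles, teams, matched = set(), set(), []
    for group_dn in member_of:
        rule = by_dn.get(normalize_dn(group_dn))
        if rule is None:
            continue                    # unmapped group: ignored
        matched.append(rule.group_dn)
        if cfg.sync_roles:
            roles |= rule.roles
        if cfg.sync_teams:
            teams |= rule.teams
    # Default roles apply only when no rule matched at all (the page's wording).
    if cfg.sync_roles and not matched:
        roles = set(cfg.default_roles)
    return {"roles": sorted(roles), "teams": sorted(teams), "matched_groups": matched}


# Constructed sample configuration and user; role/team names are placeholders.
CONFIG = SyncConfig(
    sync_roles=True,
    sync_teams=True,
    rules=[
        MappingRule("cn=devops,ou=groups,dc=example,dc=com",
                    roles={"Member"}, teams={"DevOps"}),
        MappingRule("cn=oncall-leads,ou=groups,dc=example,dc=com",
                    roles={"Admin"}, teams={"On-call Leads"}),
    ],
    default_roles={"Member"},
)
ALICE_MEMBER_OF = [
    "cn=devops,ou=groups,dc=example,dc=com",
    "CN=oncall-leads, OU=groups, DC=example, DC=com",   # same group, different spelling
    "cn=book-club,ou=groups,dc=example,dc=com",          # no rule: ignored
]

if __name__ == "__main__":
    print(resolve_membership(ALICE_MEMBER_OF, CONFIG))
```

Two things follow from the model. A user with no matching group still gets the default roles, so keep Default Roles minimal. And the whole mechanism depends on the server actually returning the Group attribute: Active Directory populates memberOf itself, while OpenLDAP needs the memberof overlay, which is why the OpenLDAP Integration Guide is the place to check the directory side.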

External member management


When single sign-on is enabled, members created automatically on their first SSO login are marked as external members. The Prevent editing external members option in SSO settings (disabled by default) makes these external members read-only in Flashduty: their roles cannot be modified and they cannot be deleted from Flashduty, so all member management happens in the identity provider. This suits organizations that manage user permissions centrally in the identity provider and want member information in Flashduty to stay in sync with it.
  • The option only affects external members created via SSO; manually invited members are not affected
  • If the SSO configuration is deleted, existing external members remain read-only by default

Login Domain Management


The login domain identifies your account and is used to locate the correct SSO configuration during single sign-on. Each account's login domain is globally unique. Once the login domain is configured, members can initiate single sign-on directly at {domain}.sso.flashcat.cloud without manually selecting an identity provider. You can change the account domain on the Platform Management → Basic Information page. The domain must be 5–40 characters long, may contain only letters, digits, and hyphens (-), and may not start or end with a hyphen.
Changing the domain affects the following:
  • SSO configuration: the login domain of every configured SSO method changes with it, and members must use the new domain to initiate single sign-on
  • Email integration push addresses: the receiving address has the form prefix@{domain}.{email-suffix}, so it changes with the domain; update every system that sends to it
Before making the change, review your email integration configuration and notify your organization. The change may require multi-factor authentication (MFA) verification. If you encounter any issues, contact technical support.
  • Use your company's English name as the login domain so it is easy to remember
  • Changing the login domain immediately invalidates the old one; members using the old domain must update their login address

Best Practices


Authing Integration

Configure Flashduty SSO single sign-on through Authing

Keycloak Integration

Configure Flashduty SSO single sign-on through Keycloak

OpenLDAP Integration

Configure Flashduty SSO single sign-on through OpenLDAP