Skip to main content

How do I set up Single Sign-On (SSO) for my agency?

Step-by-step guide for agency admins to activate, configure, and enforce SSO across your team.

Single Sign-On (SSO) lets your agency team sign in to Monoline using your organization's identity provider. Monoline also supports SCIM provisioning, which automatically creates and disables Monoline accounts when you add or remove people in your identity provider.

This guide walks an agency admin through the full setup, from initial request to go-live.

Before you start

You will need:

  • Admin access to your agency's Monoline account.

  • Admin access to your identity provider.

  • A test window with one other team member.

Step 1: Activate SSO in Monoline

  1. Sign in to app.monoline.com as an Admin.

  2. Click your name in the top right corner and select Integrations.

  3. Find the SSO Configuration card and click Activate.

  4. On the next screen, click Activate SSO to confirm.

You will land on the SSO Configuration page, which contains the admin portal where you will set up your SSO connection and SCIM provisioning.

Step 2: Connect your identity provider

On the SSO Configuration page, make sure the SSO tab is selected. Add a new SAML or OIDC connection (recommended: SAML).

The exact values you need to enter (entity IDs, ACS URLs, attribute mappings) depend on your identity provider. We maintain a detailed walkthrough for each supported provider here:

SSO & SCIM Configuration Guide

Follow the section that matches your identity provider, then come back to this article when the connection shows as Default.

Step 3: Enable SCIM provisioning (recommended)

SCIM automatically creates Monoline accounts for new members added to your identity provider, and disables accounts when members are removed — so you don't have to manage your team list in two places.

  1. On the SSO Configuration page, click the SCIM tab.

  2. Follow the on-screen prompts to generate a SCIM bearer token and endpoint URL.

  3. In your identity provider, paste those values into the SCIM integration for Monoline. See the SSO & SCIM Configuration Guide for provider-specific steps and required attribute mappings.

  4. Assign the users or groups in your identity provider that should have access to Monoline.

Note: Once SSO is activated, the manual Invite button on the Members page is hidden — your identity provider owns the team list. With SCIM, members are created and disabled automatically as you add or remove them in your identity provider. Without SCIM, a new member's account is created the first time they sign in via SSO, but disabling members must be done in your identity provider (and reflected on the Monoline side through the cleanup flow described below).

Step 4: Test the connection

Before requiring everyone to sign in via SSO, verify the connection works end-to-end:

  1. Open a new private or incognito browser window.

  2. Sign in to your identity provider and open its applications dashboard (the page that lists the apps assigned to you).

  3. Click the Monoline tile.

  4. Confirm you land in your agency's Monoline dashboard.

  5. Ask one other team member to do the same.

Launching from the identity provider tests the full end-to-end configuration, including the app tile and the redirect back to Monoline. If sign-in fails, double-check the connection on the SSO tab and re-confirm your attribute mappings against the configuration guide.

Step 5: Enforce SSO (optional)

Once SSO is tested and working, you can require all members to sign in through your identity provider. When Force SSO is on, password and email-based logins are disabled for everyone in your agency.

  1. On the SSO Configuration page, toggle Force SSO to on.

  2. Confirm that members can still sign in.

Emergency access: Agency admins keep emergency password access in case your identity provider becomes unavailable, so you won't be locked out of Monoline. Non-admin members must use SSO.

You can turn Force SSO back off from the same page at any time.

Managing your team after go-live

Adding members: With SCIM, assign the user to Monoline in your identity provider and the account is created automatically. Without SCIM, invite members from the Members page.​

Removing members: Remove or unassign the user in your identity provider. SCIM will disable their Monoline account.

Reassigning their work: When a member is disabled, any open quotes or active policies they owned appear in the Accounts Needing Cleanup section at the top of the Members page. From there you can reassign that work to other team members in a single step.

Troubleshooting

A team member can't sign in. Confirm they are assigned to the Monoline app in your identity provider, and that the email address in your identity provider matches their Monoline email exactly. Re-check the connection on the SSO tab.

You need to turn SSO off. From the SSO Configuration page, click Disable Integration in the top right. This stops requiring SSO and re-enables password sign-in for all members. You can re-activate at any time.

Still stuck? Email [email protected] with your agency name and a description of the issue.

Related articles

Did this answer your question?