Fabriq supports SAML 2.0 Single Sign-On (SSO), allowing your organization to authenticate users through your corporate Identity Provider (IdP).
The Self-serve SSO Wizard enables IT and Security teams to configure, validate, and deploy SSO without support intervention, offering full autonomy and a guided, reliable setup experience.
ℹ️ SSO is available for:
- Enterprise plan customers
- Advanced and Standard plans (as add-on)
❗️ Requires a SAML 2.0 identity provider (Microsoft Entra ID, Google Workspace, Okta, OneLogin, or similar).
1. Benefits of SSO in Fabriq
🔒 Strong Security & Governance
- Authentication and MFA fully controlled by your IdP
- Consistent application of Conditional Access, device trust, and risk policies
- Ensures nominative identity for audit, traceability, and compliance
⚙ Operational Efficiency
- Users sign in using existing corporate credentials
- No password resets or local account maintenance
- Faster login across multi-shift, multi-device environments
- Simplifies onboarding during site expansions or workforce turnover
👥 JIT Provisioning = User Autonomy
Fabriq uses Just-In-Time (JIT) provisioning.
This enables:
- Automatic account creation on first SSO login
- No invitation required
- Users can immediately request access to teams
- Fabriq admins approve access in one click
- Smooth onboarding when scaling operations or rotating staff
This is particularly valuable for distributed frontline teams.
2. Account Types & SSO Implications
Fabriq supports multiple identity types to accommodate both corporate users and operational environments.
| Account Type | Example / Purpose | Authentication |
| --- | --- | --- |
| Corporate Nominative | Standard Fabriq user (team lead, manager, OpEx, etc.) | SSO via IdP (MFA at IdP). Full personal traceability. |
| Generic Nominative (Fabriq Identity) | Operators without corporate emails | Not shared. Password auth + Fabriq IP filtering. Can route notifications to a supervisor's email if needed. |
| Service / Display Accounts | TVs/large screens for dashboards | SSO or password + Fabriq IP filtering. Auditor (read-only) only. Never for data entry. |
Domain Strategy Guidance
Only corporate email domains should be added to SSO.
.fabriq.tech domains should remain outside SSO, as accounts on those domains rely on Fabriq-managed authentication rather than your Identity Provider.
Adding them would redirect operator and service accounts to an IdP that holds no identity for them, locking those accounts out.
3. Prerequisites
Before starting, ensure you have:
- Organization Admin access in Fabriq
- Admin access in your Identity Provider
- Your corporate email domain(s)
- IdP Metadata URL (recommended) or XML
- A test user in your IdP who is allowed to use the Fabriq SAML application
4. Overview of the Self-serve SSO Wizard
To begin configuring SSO:
1. Log into Fabriq
2. Navigate to Organization → Security
3. Locate the Single Sign-On (SSO) section
4. Click Set up SSO to launch the Self-serve SSO Wizard
The wizard contains four steps:
1. Configure Provider
2. Map Claims
3. Verify Connectivity
4. Save & Rollout
Step 1: Configure Provider
a) Select your Identity Provider
Pick the IdP your organization uses.
Provider-specific setup guides are linked from this step for convenience.
b) Copy Fabriq’s SP values into your IdP
Fabriq provides:
- Entity ID
- ACS URL
These must be added to your IdP’s SAML app to establish trust.
c) Upload IdP Metadata
You can provide:
- Metadata URL (preferred: Fabriq re-fetches it, so a rotated IdP signing certificate is picked up automatically)
- Metadata XML (static: you must re-upload it whenever your IdP rotates its signing certificate, or assertion signatures will stop verifying)
d) Add SSO Domains
Add the corporate domains whose users should authenticate through SSO.
Do not add .fabriq.tech domains.
Step 2: Map Claims
Configure how Fabriq receives user attributes from your IdP.
Required attributes:
- Authentication email address
- Communication email address
- First name
- Last name
NameID Requirements
Fabriq strongly recommends using a stable, immutable identifier as the NameID, not an email address. This ensures that if a user's email changes, they do not lose access, your user mapping remains intact, and the updated email is automatically reflected in Fabriq.
Valid options include:
- Microsoft Entra ID (formerly Azure AD) object ID
- Okta UUID
- OneLogin Unique ID
- Employee/HR ID (only if it is unique and never reassigned to another person)
If an unstable value is detected (e.g., email), the wizard will flag a warning.
Step 3: Verify Connectivity
Click Test Connection to validate your configuration.
Fabriq verifies:
- Metadata access & signature
- Correct ACS & Entity ID pairing
- Attribute presence
- NameID format
- SAML assertion structure
Possible Results
🟢 Success
Your configuration is complete and valid.
🟡 Warnings
Common cases:
- Missing email attributes
- NameID using email instead of a stable ID
- Unexpected or unmapped attributes
🔍 SAML Assertion Preview
The wizard displays the actual assertion being sent by your IdP, including:
- NameID
- Email attributes
- First & last name
- Attribute sources
Use this preview to ensure correctness before rollout.
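The checks listed above (ACS and Entity ID pairing, attribute presence, NameID format, assertion structure) and the NameID guidance from Step 2 can be reproduced locally before you click Test Connection. The Python below is an added example, not the wizard's code: it renders a constructed, unsigned SAML Response, then runs structural checks on it, separating hard errors (wrong Destination, Recipient or Audience, expired assertion, non-Success status) from the wizard's yellow-state warnings (email-shaped NameID, missing or unmapped attributes), and returns an assertion preview like the one the wizard displays. The SP and IdP URLs, the claim names `auth_email`, `comm_email`, `first_name` and `last_name`, and the 3-minute clock-skew allowance are assumptions; signature verification (the wizard's "Metadata access & signature" check) is not attempted here because it needs an XML-DSig library.

```python
"""Structural checks on a SAML 2.0 Response (added example, not Fabriq's wizard code)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SP_ENTITY_ID = "https://fabriq.example/saml/metadata"  # assumed SP values (Step 1b)
ACS_URL = "https://fabriq.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example.com/saml"  # assumed entityID from the uploaded IdP metadata
REQUIRED_ATTRS = {"auth_email", "comm_email", "first_name", "last_name"}  # assumed claim names (Step 2)
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CLOCK_SKEW = timedelta(minutes=3)  # tolerance for IdP/SP clock drift

# Constructed, unsigned Response; a real IdP signs the Assertion and/or the Response.
RESPONSE_TEMPLATE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="{now}" Destination="{acs}" InResponseTo="_req42">
  <saml:Issuer>{idp}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{now}">
    <saml:Issuer>{idp}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}">{nameid}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{acs}" NotOnOrAfter="{later}" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{before}" NotOnOrAfter="{later}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def build_response(nameid, fmt, attrs, audience=SP_ENTITY_ID):
    """Render the constructed Response with fresh timestamps and the given NameID and attributes."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    stamp = lambda t: t.isoformat().replace("+00:00", "Z")
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (escape(k, {'"': "&quot;"}), escape(v)) for k, v in attrs.items())
    return RESPONSE_TEMPLATE.format(now=stamp(now), before=stamp(now - timedelta(minutes=2)),
                                    later=stamp(now + timedelta(minutes=5)), acs=ACS_URL,
                                    idp=IDP_ENTITY_ID, audience=audience, fmt=fmt,
                                    nameid=escape(nameid), attrs=attr_xml)

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text):
    """Return (errors, warnings, preview): errors block rollout, warnings are the wizard's yellow state."""
    errors, warnings, preview = [], [], {}
    now = datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"], warnings, preview
    if root.get("Destination") != ACS_URL:
        errors.append("Destination %r is not the ACS URL" % root.get("Destination"))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        errors.append("IdP returned a non-Success status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an encrypted or missing Assertion cannot be previewed here
        errors.append("expected exactly one plaintext Assertion, found %d" % len(assertions))
        return errors, warnings, preview
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("Assertion Issuer does not match the IdP metadata entityID")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        errors.append("Audience %r does not include the SP Entity ID" % audiences)
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and _ts(cond.get("NotBefore")) > now + CLOCK_SKEW:
            errors.append("assertion not yet valid (check the IdP clock)")
        if cond.get("NotOnOrAfter") and _ts(cond.get("NotOnOrAfter")) <= now - CLOCK_SKEW:
            errors.append("assertion expired")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("SubjectConfirmationData Recipient is not the ACS URL")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    value = (nameid.text or "").strip() if nameid is not None else ""
    if not value:
        errors.append("missing NameID")
    elif nameid.get("Format") == EMAIL_FORMAT or EMAIL_RE.match(value):
        warnings.append("NameID is an email address; use a stable identifier (object ID, UUID, HR ID)")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    for name in sorted(REQUIRED_ATTRS - set(attrs)):
        warnings.append("missing attribute %s" % name)
    for name in sorted(set(attrs) - REQUIRED_ATTRS):
        warnings.append("unmapped attribute %s will be ignored" % name)
    preview = {"name_id": value, "name_id_format": nameid.get("Format") if nameid is not None else None,
               "attributes": attrs}
    return errors, warnings, preview
```

Feed `check_response` the Base64-decoded `SAMLResponse` your IdP posts for the test user (browser dev tools or a SAML tracer extension will show it) and compare its preview with the wizard's Assertion Preview; the two should agree before you move anyone to SSO.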
Step 4: Save & Rollout
Once validated, decide which users will authenticate with SSO.
User Activation Tools
- Search by email
- Activate users individually or in bulk
- Select All / Clear / Invert selection
- Export your user list as CSV
Email Notifications
Fabriq automatically notifies users when:
- SSO is activated for their account
- SSO is deactivated, prompting them to set a password
This ensures transparency and reduces confusion during transitions.
Post-Rollout Behavior
- Selected users authenticate via SSO on next login
- New users with matching domains automatically use SSO (JIT provisioning)
- Users not moved to SSO continue using their existing password login
5. After Setup
The SSO settings page displays:
- Configured IdP
- Active domains
- User coverage (with/without SSO)
You can edit your configuration at any time.
Disabling SSO transitions users back to password-based login (with automatic email notifications).
6. Recommended Rollout Strategy
Phase 1: Admin Pilot
Enable SSO for 2–3 admins to validate login paths (office, VPN, mobile). Keep at least one Organization Admin on password login until the pilot succeeds, so an IdP misconfiguration cannot lock every admin out of the SSO settings.
Phase 2: Controlled Rollout
Deploy to a specific team, plant, or function.
Phase 3: Full Rollout
Enable SSO for all corporate nominative users.
Phase 4: Ongoing Governance
- Remove unused accounts
- Maintain clean domain lists
- Review user coverage regularly
If your organization operates with non-standard identity models, Fabriq Support can help validate your configuration.
