Float Professional Plan customers can configure Single Sign-On using SAML to allow users to easily authenticate and access Float.
This feature is available to customers on Float's Professional or Enterprise Plans. View detailed plan information at floatfinancial.com/pricing and contact us via support@floatfinancial.com if you'd like to upgrade!
SAML (Security Assertion Markup Language) is a standard of communication between an Identity Provider (IdP) managed by your business and a Service Provider (SP) - in this case, Float.
To prevent double-authentication, enabling SAML will deactivate Float's Multi-Factor Authentication for all users in your business. Users will authenticate through your IdP instead, so MFA for Float sign-ins is then whatever your IdP enforces.
If your business's IdP is Okta, Google or Microsoft Azure, please refer to the relevant guide:
Using Okta as an Identity Provider for SAML SSO to Float
Using Google as an Identity Provider for SAML SSO to Float
Setting up SAML-SSO with Microsoft Azure
If you are connected to multiple entities within Float, please reference the following:
Important Notes for SSO Configuration in Multi-Entity Businesses
This setup involves systems outside of Float. If you're not familiar with SAML configuration, we recommend involving a member of your business's IT team.
Enabling SAML-SSO
1. Log in to app.floatfinancial.com as an Administrator and navigate to Settings > Security > SAML
2. Click "+ Add Domain"
- Add the domains that your business owns and that appear in the email addresses your users use to log in to Float, e.g., yourcompany.biz.
- Click "OK" to save each Associated Domain
3. Click "Verify" to view the steps to verify ownership of each domain.
- Log in to your domain host
- Choose the domain name you want to add the TXT record to
- Add a TXT record containing the Float verification code provided
- Save your changes and wait until they take effect. The changes generally occur within a few hours but can take up to 72 hours depending on your domain host.
- Check the box "I have added TXT record to my domain"
- Click "Verify Domain"
4. Copy the Service Provider Configuration Info and enter it into your IdP when configuring the Float application.
- Assertion Consumer Service (ACS) URL
- Entity ID
5. Under "Custom Attributes", select your IdP to view guidance on creating the custom Float attributes you must configure in your IdP in order for your SAML integration to Float to function.
6. Once the configuration in your IdP is finished, complete the Identity Provider Configuration Info using one of the following:
- URL: Set up your SAML SSO provider using a URL to your IdP metadata
- XML file: Set up your SAML SSO provider using the IdP metadata XML file supplied by your IdP
- Manual Input: Directly input your Sign in URL and X.509 Certificate
- Click "Save Configuration"
7. Test your SAML SSO configuration using the "Test SAML Sign In" button
- Please ensure that the email you use to log in to Float is identical to your email address in your SAML IdP
8. Toggle "Enable SAML SSO for entire organization" to allow all employees under the configured domains to access Float via SAML SSO.
Going forward, when new users are created in your IdP and they use that system to access Float, they'll be created as a Float user with the "Spender" role automatically (an Administrator can change their role after they're created). Users can also be created directly in Float before granting access in your IdP, as long as their email addresses match.
Important Notes for SSO Configuration in Multi-Entity Businesses:
If your organization uses multiple entities in Float and all users share the same email domain, there are a few important requirements when configuring SAML/SSO.
Why users must exist in the main SSO entity
When SAML is configured in Float, your email domain is linked to a single SSO configuration. During login:
1. Float checks the domain of the email address entered
2. That domain automatically redirects the user to your Identity Provider (IdP) (e.g., Okta, Azure AD)
3. After authentication, the IdP sends the user back to the Float entity where SSO is configured
Because of this domain-based routing, only one Float entity can be associated with a SAML configuration for a given domain.
If a user exists only in a secondary entity, Float cannot log them in because authentication returns to the primary SSO entity, where their user profile does not exist.
To prevent login errors, users must therefore exist in the main SSO entity first, even if they primarily work in another entity.
Required setup for multi-entity SSO
If your entities share the same email domain:
1. Configure SAML/SSO in your primary Float entity
2. Provision users in your Identity Provider (IdP) so they can authenticate via SSO
3. Ensure each user exists in the primary SSO entity
4. Add the user to any additional entities they need to access
This allows users to authenticate successfully through SSO and access the entities they work in.
Please note: Just-in-Time (JIT) provisioning will automatically create users only in the primary entity where SAML is configured.
Setting a default entity after login
Once users have access to multiple entities, they can set their preferred one as their default.
1. Sign in to Float using SSO
2. Click the business name in the top-left corner
3. Select the entity you want to use
4. Click the ⋮ (three dots) beside the entity
5. Select "Set as default business"
If you have any questions or require assistance, contact us via support@floatfinancial.com
"Does the user that I've created in the SAML-configured entity need to stay active in order for the secondary user to work under the other entity, or can they be deleted after?"
The user under the SAML-configured entity must remain active. If the user in the SAML-configured entity is deleted or deactivated, it may break the authentication chain, as the login session/token originates from the SAML entity.