This is an article that goes over how Single-Sign-On works within Creative Force.
From the screen login by password form:
Type in your Email and Password then click login.
From the Creative Force Log in screen, choose SSO LOGIN
From the screen input email, type email and next
In most cases, you will be redirected to your IdP login form.
In special cases, you may need to input the studio domain before going to IdP login form.
After logging in from IdP, the user will be redirected to Gamma.
To switch users on the IdP, the current user needs to log out from the IdP.
One user can only have one or both of the following Login modes:
SSO Login: When a user exists on the IdP AND the CF Instance is set up to use SSO
Password Login: When the user is invited via Gamma OR Admin sets the password for a user
Add new user via IdP
Once SSO is set up, all users on IdP (who are assigned to Creative Force) will be able to use login to Creative Force via the IdP
If an admin does not set a password for users in Gamma then users only have SSO login available
If an admin sets passwords for users in Gamma then users will have both login modes available
Notes: If your IDP does not support SCIM (such as ADFS), then you will have to remove users manually using Gamma.
Add new user via Gamma
Admin can still invite users directly from Gamm and they will be able to sign up and set their password.
If the user does not exist in the IdP → The user can only log in via their password
If the user exists in the IdP → The user can log in either via SSO or their password
Removing users via IdP
If a user only has SSO login mode, then you only need to remove the user from IdP:
If you set up SCIM, then the user should be locked immediately from Creative Force automatically
Otherwise, the user can continue working within Creative Force until they log out or an Admin removes the user via Creative Force
If the user has both login modes, then that user can continue working within Creative Force with their password until Admin locks or removes the user account within Creative Force
Remove user via Gamma
If a user has SSO login mode, the admin cannot remove the user via Gamma, because the user can still log in via the IdP. See the Add new user via IdP of this article. The user should be removed via the IdP
If the user only has password login mode, then a Creative Force Admin can remove the user via Gamma
SSO with 2FA and password policy
2FA and password policies aren’t applied for SSO users. These policies belong to the IdP.
In case you need to remove Single Sign-On, please reach out to Customer Support via in-app chat or firstname.lastname@example.org
If you have any issues with SSO, the Creative Force Account Owner can always can log in via their password and update the settings. Alternatively, you can reach out to Customer Support via in-app chat or email@example.com
On SSO Login, if you have an error message of “The provider email does not match”, it seems you are trying to login with an email that is different from the remembered user on your IdP. Solution: You need to log out the remembered user on your IdP, and try again.