Setting Up SAML Single Sign-On (SSO) for Your PropFuel Organization

SAML SSO allows your organization to use your existing identity provider (such as Google Workspace or Microsoft EntraID) to authenticate users into PropFuel, streamlining the login process and centralizing user management.

If you’re interested in the SAML SSO for your organization, please reach out to your CSM for more information. 

Once your CSM has added this sign-on option for your organization, you’ll need to configure SAML authentication through your settings in the PropFuel admin:

1. Navigate to Settings > Advanced in PropFuel

2. Locate the SAML Authentication Settings section

3. Enable SAML authentication by toggling the setting on

Important: Keep this setting enabled until you've fully tested your SAML configuration to avoid getting locked out of your account. 

When enabled, users with existing PropFuel passwords can still log in using their PropFuel credentials

• When disabled: All users will be required to authenticate through your identity provider, even if they were previously logged in with PropFuel passwords

This setting controls how new users are handled. 

When enabled (recommended for most setups), any user who successfully authenticates through your SAML connection will automatically have a PropFuel account created for them. 

To limit PropFuel access to invite only, disable this setting.

Note: You can control access at the identity provider level regardless of this setting. Choose "disabled" only if you need to manage access exclusively from the PropFuel side.

Set up a custom login URL to allow your employees to bypass the standard Propfuel login flow. Users won't need to go through the PropFuel landing page and enter their email, but rather can bookmark this direct link.

Once you enter the URL slug with your company name, the Login URL field will automatically create the URL that can be shared with your users.

PropFuel creates the following URLs and identifiers needed to configure your identity provider. Copy each of these values into your identity provider's service provider configuration.

• Assertion Consumer Service (ACS) URL

• Entity ID

• Metadata URL (if required by your identity provider)

After configuring the service provider information in your identity provider, you'll need to enter their configuration into PropFuel with the fields below. 

You can do so by manually entering in the information into the provided fields, or you can import the metadata via XML metadata file upload or metadata URL and PropFuel will automatically configure the necessary settings.

Note: This setup should work for any SAML-compatible identity provider, but the specific setup steps may vary by identity provider.

Provider Name is a friendly name to add to easily identify your identify provider.

Entity ID identifies your identity provider system to PropFuel.

Single Sign-On URL is the login page URL where users will be sent for authentication.

Single Logout (SLO) URL is used for logout functionality. This may not be required depending on your identity provider.

X.509 Certificate is needed to decrypt user information from your identity provider. A backup certificate can be added in the field below to support certificate rotation policies. Both certificates will be accepted during the transition period. 

By default, PropFuel will attempt to determine user information from the SAML payload using standard provider defaults.

If you need explicit control or are experiencing issues with automatic mapping, you can manually specify how the attributes should be mapped. 

Testing Your Configuration

1. Save all your SAML settings

2. Log out of PropFuel

3. Log back in using your custom login URL or through the standard SSO flow

4. Verify that you're redirected to your identity provider and can successfully authenticate

• Locked out: If you disabled PropFuel password login too early, contact support.

• Authentication fails: Double-check that all URLs and certificates are correctly copied between systems

• Users can't access: Verify both PropFuel auto-create settings and identity provider access controls

• Attribute issues: Use manual attribute mapping if automatic detection isn't working properly