
SSO & provisioning

Last updated on 26 Jan 2024

The benefits of SSO

Single Sign-On (SSO) is an authentication process that lets users access their Sketch Account through an identity provider (IdP) — like Google, OneLogin, Okta, Azure and others — instead of setting up separate sign-in details.

There are two key benefits to SSO. First, it’s a very secure authentication method that gives you full control over who can access your company’s Sketch Account — your Head of Security will love it! Second, it makes signing into Sketch faster and easier for your team, because they won’t need to create (and remember) new sign-in credentials.

From a technical perspective, our current SSO implementation is compliant with SAML 2.0, including JIT provisioning. It’s also compatible with almost every identity provider that supports SAML 2.0.

Note: Security Assertion Markup Language (SAML) is an XML-based protocol that uses security tokens to pass information between a SAML authority (i.e., an Identity Provider or IdP) and a SAML consumer (i.e., a Service Provider — in this case, us) about a principal (usually an end user).

Provisioning

When someone signs in for the first time using your preferred IdP, we’ll create a new, free Viewer Seat in your Workspace. Your Workspace Admin can upgrade it to an Editor Seat at any point. If you have a long list of users, don’t worry — contact us and we can help speed up the process.

Keep in mind that only users that your security team has given access to through your IdP will be able to sign in to Sketch.

Once SSO is enabled, all users in the Workspace will have to sign in via SSO. However, Workspace Admins will still be able to use their sign-in credentials to access Sketch to troubleshoot the configuration.

Note: Just-in-time (JIT) provisioning of accounts avoids the need for SSO users to create a Sketch account before signing in with SSO. The first successful sign-in with an IdP will automatically create an account with an identity and membership for the Workspace that IdP belongs to.

Other

  • IdP initiated SSO: For security reasons, we don’t allow IdP-initiated SSO. Users will need to begin the sign-in process from Sketch.
  • Changing your name/email address in your SSO Workspace: If a user wants to change their name or email address, the change needs to be made via your IdP.
  • Inviting other people to the SSO Workspace: You can’t invite other users to an SSO Workspace. To access the Workspace, they’ll need to know the Workspace’s shortname and use it to sign in. If they don’t have an account in the organization’s IdP, they’ll need to speak to their IT department.
  • Technical requirements: You’ll need macOS 10.15 or later and Sketch 70.2 or later.
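
As an added illustration (not Sketch's code), this sketch shows one common way a SAML service provider can refuse IdP-initiated sign-ins and apply the JIT provisioning rule described above: it only accepts a response whose InResponseTo matches a request it issued, then creates a Viewer seat on first sign-in. The ServiceProvider class, build_response helper and sample messages are hypothetical, and signature, issuer and audience checks are assumed to be handled by a SAML library beforehand.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class ServiceProvider:
    """Hypothetical SP-side sign-in logic; not Sketch's implementation."""

    def __init__(self):
        self.pending = set()   # IDs of AuthnRequests this SP has issued
        self.members = {}      # email -> seat type

    def start_sign_in(self):
        # SP-initiated flow: remember the request ID before redirecting to the IdP.
        request_id = "_" + secrets.token_hex(16)
        self.pending.add(request_id)
        return request_id

    def consume_response(self, xml_text):
        # Assumption: signature, issuer, audience and validity window were
        # already verified by a SAML library before this point.
        root = ET.fromstring(xml_text)
        in_response_to = root.get("InResponseTo")
        # An IdP-initiated (unsolicited) response carries no InResponseTo; a
        # replayed one references an ID that is no longer pending.
        if in_response_to is None or in_response_to not in self.pending:
            raise PermissionError("unsolicited or replayed SAML response")
        self.pending.discard(in_response_to)  # each request ID is single-use
        name_id = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("assertion has no NameID")
        email = name_id.text.strip().lower()
        # JIT provisioning: the first successful sign-in creates a Viewer seat;
        # later sign-ins keep whatever seat an admin has assigned.
        created = email not in self.members
        self.members.setdefault(email, "viewer")
        return email, created


def build_response(in_response_to, email):
    # Constructed, unsigned sample message for demonstration only.
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"{attr}>'
        f"<saml:Assertion><saml:Subject><saml:NameID>{email}</saml:NameID>"
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    )
```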