Overview
Single sign-on (SSO) lets your team sign in to FOG using your existing identity provider (for example, Okta, Azure AD, Google Workspace) instead of a separate SwiftComply password. FOG supports SAML 2.0.
This article walks through enabling SSO for your FOG program and configuring the SAML connection.
Before you start
Contact SwiftComply support to turn on SSO for your FOG program. Admins cannot enable the underlying feature themselves -- SwiftComply has to flip a switch first. Once they do, the Single Sign On tab becomes available under Settings β Team.
Have your identity provider's SAML details ready: the IDP SSO target URL and certificate fingerprint.
You need an admin user in FOG. Only admins can access SSO settings.
Configuring SSO in FOG
Click the Settings gear icon in the top-right corner of the page.
Click Team in the settings sidebar.
Click the Single Sign On tab at the top of the Team page.
Toggle Enabled on.
Fill in the SSO fields:
IDP SSO Target URL -- the SAML SSO URL from your identity provider.
IDP Cert Fingerprint -- the SHA fingerprint of your IDP's signing certificate.
IDP Cert Fingerprint Algorithm -- defaults to SHA256. Change only if your IDP uses a different algorithm.
Click Save.
What to give your identity provider
Your IDP needs SwiftComply's SAML details to complete the connection. Use these values (replace your-subdomain with the subdomain you use to log in to FOG, for example greenville.swiftcomply.com):
Protocol: SAML 2.0
Single Sign On URL:
https://your-subdomain.swiftcomply.com/city_users/saml/authAudience URI (metadata URL):
https://your-subdomain.swiftcomply.com/city_users/saml/metadataDefault RelayState:
https://your-subdomain.swiftcomply.com/Application username: Email
Logging in with SSO
Once SSO is saved and enabled, your team can log in through your identity provider. The exact experience depends on your IDP (for example, clicking a FOG tile in Okta or navigating to a company portal), but it always ends at your FOG program's URL.
Password-based login stays available alongside SSO by default. If you want to enforce SSO-only login for your FOG program, contact SwiftComply support.
Troubleshooting
SSO settings tab is missing -- SwiftComply hasn't enabled SSO for your FOG program yet. Contact support.
User can't log in after SSO is configured -- confirm the user's email in your IDP matches their FOG user email exactly. FOG matches users by email.
IDP certificate fingerprint mismatch -- paste the fingerprint without colons or spaces. Some IDPs display it in different formats.
FAQ
Q: Can I enable SSO myself?
A: You configure the SAML connection yourself, but the underlying feature has to be turned on by SwiftComply first. Contact support to enable it.
Q: What identity providers are supported?
A: Any IDP that speaks SAML 2.0 works, including Okta, Azure AD, Google Workspace, OneLogin, and Duo SSO.
Q: Does enabling SSO remove password login?
A: No. Password login remains available by default. Contact SwiftComply if you want to disable it for your FOG program.
Q: What SHA algorithm should I use for the certificate fingerprint?
A: SHA256 is the default and works for most modern IDPs. Only change it if your IDP specifically requires a different algorithm.