Single Sign-On
OpenBoxes Lift includes built-in single sign-on (SSO) powered by Keycloak. Every Lift account benefits from SSO --- you sign in once and get access to both the Lift portal and your OpenBoxes instance without re-entering credentials.
How SSO Works
When you sign in at app.openboxes.cloud, Keycloak (hosted at auth.openboxes.cloud) handles the authentication. Here is the flow:
- You enter your email and password on the Lift login page
- Keycloak verifies your credentials and creates a session
- You are signed into the Lift portal
- When you click Launch OpenBoxes, the portal uses your existing session to authenticate you with OpenBoxes automatically
- OpenBoxes opens in a new tab --- no second login required
This means your team only needs to remember one set of credentials for everything on the Lift platform.
Session Management
Session Duration
Your SSO session stays active as long as you are using the platform. Sessions expire after a period of inactivity:
| Setting | Duration |
|---|---|
| Session timeout (idle) | 30 minutes |
| Session maximum | 10 hours |
| Remember me | 30 days (optional) |
When your session expires, you are redirected to the login page. Any unsaved work in OpenBoxes is preserved --- you can pick up where you left off after signing back in.
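As an added illustration (not Lift's or Keycloak's own code), the following models how the idle and maximum limits in the table interact to decide when a session ends; the semantics stated in the docstring, and the sample timestamps, are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Durations from the Session Duration table above.
IDLE_TIMEOUT = timedelta(minutes=30)
SESSION_MAX = timedelta(hours=10)
REMEMBER_ME_LIFETIME = timedelta(days=30)

SAMPLE_START = datetime(2024, 1, 1, 9, 0)   # constructed sample session start


def session_deadline(started, last_activity, remember_me=False):
    """Return (deadline, limit): the earliest moment the session expires and
    the limit that causes it. Assumed semantics, not spelled out on the page:
    the idle timeout counts from the last request, the maximum counts from
    session creation, and a 'Remember me' session is valid for 30 days
    from creation regardless of activity."""
    if last_activity < started:
        raise ValueError("last_activity precedes session start")
    if remember_me:
        return started + REMEMBER_ME_LIFETIME, "remember-me lifetime"
    max_deadline = started + SESSION_MAX
    idle_deadline = last_activity + IDLE_TIMEOUT
    if max_deadline <= idle_deadline:
        return max_deadline, "maximum session lifetime"
    return idle_deadline, "idle timeout"


def session_state(started, last_activity, now, remember_me=False):
    """'active', or 'expired: <limit>' once the deadline has passed."""
    deadline, limit = session_deadline(started, last_activity, remember_me)
    return "active" if now <= deadline else f"expired: {limit}"


if __name__ == "__main__":
    # Active user: 25 minutes since last request, well inside the 10-hour maximum.
    print(session_state(SAMPLE_START, SAMPLE_START + timedelta(minutes=25),
                        SAMPLE_START + timedelta(minutes=50)))
    # Busy user at the 10-hour mark: the maximum wins even though they are not idle.
    print(session_deadline(SAMPLE_START, SAMPLE_START + timedelta(hours=9, minutes=55)))
```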
Signing Out
Clicking Sign Out in the portal terminates your SSO session across all Lift services. You will be signed out of both the portal and OpenBoxes simultaneously.
Password Policies
Lift enforces the following password requirements for all accounts:
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- Cannot reuse your last 3 passwords
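A checker that applies the rules above, including the password-history rule against salted hashes, added here as an example (it is not Lift's or Keycloak's own validator, and the hashing scheme and history layout are assumptions for the example):

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
HISTORY_SIZE = 3   # the last 3 passwords cannot be reused


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest; returns (salt, digest). This storage format is
    assumed for the example. The iteration count is kept low so the example runs
    quickly; production systems should use a far higher count."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)
    return salt, digest


def policy_violations(password, history):
    """Return the list of Lift policy rules the candidate password breaks.
    `history` holds the user's previous (salt, digest) pairs, newest first;
    only the most recent HISTORY_SIZE entries are checked."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    for salt, digest in history[:HISTORY_SIZE]:
        _, candidate = hash_password(password, salt)   # re-hash with the stored salt
        if hmac.compare_digest(candidate, digest):     # constant-time comparison
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    return problems


if __name__ == "__main__":
    # Constructed history: four earlier passwords, newest first.
    history = [hash_password(p) for p in ("Spring24a", "Winter23b", "Autumn23c", "Summer23d")]
    print(policy_violations("Winter23b", history))   # reused within the last 3
    print(policy_violations("Summer23d", history))   # older than the last 3, allowed
    print(policy_violations("short", history))
```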
Admins on [Dedicated] and [Enterprise] tiers can customize these policies from the Settings page.
Password Reset
If you forget your password:
- Click Forgot password? on the login page
- Enter your email address
- Check your inbox for a reset link (valid for 24 hours)
- Set a new password that meets the policy requirements
Connecting an External Identity Provider
[Dedicated] [Enterprise]
On Dedicated and Enterprise tiers, you can connect your organization's existing identity provider so users sign in with their corporate credentials. This eliminates the need for separate Lift passwords entirely.
Supported Providers
| Provider | Protocol | Tier |
|---|---|---|
| Okta | OIDC | [Dedicated] [Enterprise] |
| Azure AD (Entra ID) | OIDC | [Dedicated] [Enterprise] |
| Google Workspace | OIDC | [Dedicated] [Enterprise] |
| Any OIDC-compliant provider | OIDC | [Dedicated] [Enterprise] |
| Any SAML 2.0 provider | SAML | [Enterprise] |
OIDC Setup
To connect an OIDC provider:
- Go to Settings > SSO in the portal
- Click Add Identity Provider
- Select your provider (or choose "Custom OIDC")
- Enter the following details from your provider's admin console:
  - Client ID --- The application/client ID
  - Client Secret --- The application secret
  - Discovery URL --- Your provider's .well-known/openid-configuration URL
- Click Test Connection to verify the configuration
- Click Enable to activate SSO
Once enabled, users see a Sign in with [Provider Name] button on the login page.
SAML Configuration
[Enterprise]
For organizations that require SAML 2.0:
- Go to Settings > SSO in the portal
- Click Add Identity Provider and select SAML 2.0
- Provide:
  - Entity ID --- Your SAML IdP entity ID
  - SSO URL --- The IdP's single sign-on service URL
  - Certificate --- Your IdP's signing certificate (X.509 PEM format)
- Download the Lift Service Provider metadata to configure the trust relationship in your IdP
- Map the required attributes:
  - email (required)
  - firstName (required)
  - lastName (required)
- Test and enable the connection
Auto-Provisioning
When external SSO is enabled, you can optionally turn on auto-provisioning. This means:
- When a user from your identity provider signs in for the first time, a Lift account is automatically created for them
- They are assigned the Browser role by default (an Admin can change this later)
- If auto-provisioning is off, users must be explicitly invited before they can sign in
Auto-provisioning is controlled from Settings > SSO > Auto-Provisioning.
Multi-Factor Authentication
Lift supports multi-factor authentication (MFA) through Keycloak. Users can enable MFA on their account by:
- Signing into the portal
- Going to Account > Security
- Clicking Enable MFA
- Scanning the QR code with an authenticator app (Google Authenticator, Authy, etc.)
On [Enterprise] tiers, Admins can enforce MFA for all users in the organization from Settings > Security.
Troubleshooting
"Access Denied" after SSO setup
Make sure the user's email address in your identity provider matches the email on their Lift invitation. Email matching is case-insensitive.
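The following added example (not Lift's or Keycloak's own code) ties together the SAML attribute mapping, the auto-provisioning rules and the case-insensitive email check from this troubleshooting entry: it reads the three required attributes out of a constructed SAML AttributeStatement and decides whether the user signs in, is provisioned with the Browser role, or is denied. The sample assertion and the invitation list are constructed for the example.

```python
import xml.etree.ElementTree as ET   # for untrusted input in production, prefer defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstName", "lastName")   # the attributes the SAML setup requires

# Constructed sample AttributeStatement, shaped like what an IdP emits once the mapping is configured.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@Example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Map attribute Name -> first non-empty AttributeValue in the AttributeStatement.
    Assumes the assertion's signature was already verified against the IdP certificate."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text and value.text.strip():
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def resolve_login(attrs, invited_emails, auto_provision):
    """Apply the page's first-sign-in rules: all required attributes must be present,
    the email is matched against invitations case-insensitively, and an unknown user
    is created with the Browser role only when auto-provisioning is on."""
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        return {"action": "deny", "reason": "missing attributes: " + ", ".join(missing)}
    email = attrs["email"].lower()
    if email in {e.lower() for e in invited_emails}:
        return {"action": "sign_in", "email": email}
    if auto_provision:
        return {"action": "provision", "email": email, "role": "Browser"}
    return {"action": "deny", "reason": "not invited and auto-provisioning is off"}


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(resolve_login(attrs, ["jane.doe@example.org"], auto_provision=False))  # invited, case differs
    print(resolve_login(attrs, [], auto_provision=True))                         # new user, provisioned
    print(resolve_login(attrs, [], auto_provision=False))                        # new user, denied
```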
Session expired unexpectedly
If users report frequent session timeouts, check that your identity provider's session duration aligns with Lift's session settings. A shorter IdP session can cause unexpected sign-outs.
Users cannot see the external SSO button
The external SSO button only appears after the identity provider is enabled in Settings > SSO. Verify the connection status shows "Active."