What you'll learn:
How to configure SSO in Uptick using your identity provider
Step-by-step instructions for Azure Active Directory and Google Workspace setup
Important security considerations and troubleshooting tips
Overview
Single Sign-On (SSO) allows your team to access Uptick using your organization's identity provider, such as Microsoft Azure AD, Microsoft ADFS, or Google Workspace. This provides enhanced security and a seamless login experience across both the Uptick Web Platform and Uptick App.
Why use SSO?
Centralized authentication through your existing identity provider
Leverage enterprise-grade security features (including 2FA/MFA from your provider)
Simplified user management
Consistent access control across all applications
Important: Uptick logs all invalid login attempts and implements automatic account lockouts and exponential backoff to prevent brute force attacks.
Before You Begin
Who can set this up?
System administrators with access to both Uptick's Control Panel and your identity provider (Azure AD, ADFS, Google Workspace, etc.)
Prerequisites:
Admin access to Control Panel > Security > Single sign-on in Uptick
Admin access to your identity provider
If you are using Google Workspace, make sure you can create a custom SAML app in Google Admin Console and map user attributes manually
If setting up SSO for a sandbox environment, you'll need a separate SSO configuration with unique URLs and certificates (you cannot reuse your production SSO setup)
Step 1: Configure SSO in Uptick
In the Uptick Web Platform, navigate to Control Panel > Security > Single sign-on
You'll see Step 1 with three URLs that you'll need to provide to your identity provider:
Metadata URL (also called Entity ID or Issuer URL)
Success URL (also called Reply URL or Assertion Consumer Service URL)
Login URL (also called Sign-on URL)
Keep this page open—you'll return here to complete Step 2 after configuring your identity provider
Step 2: Configure Your Identity Provider
For Azure Active Directory (Azure AD)
A. Basic SAML Configuration (in Azure)
In your Azure AD portal, create a new enterprise application and configure the SAML settings:
Azure AD Field | Use This Value from Uptick (Step 1) |
Identifier (Entity ID) | Metadata URL |
Reply URL (Assertion Consumer Service URL) | Success URL |
Sign-on URL | Login URL |
B. Download the Certificate (in Azure)
In Azure AD, navigate to SAML Signing Certificate (Step 3 in Azure setup)
Download the Certificate (Base64)
Open the certificate file and copy its entire contents (you'll paste this into Uptick in the next step)
C. Copy Azure AD URLs (in Azure)
In the Set up section (Step 4 in Azure setup), copy these two values:
Login URL
Azure AD Identifier
For Google Workspace
A. Service Provider Details (in Google Admin Console)
When creating your custom SAML app in Google Admin Console, enter these values:
Google field | Value |
ACS URL | |
Entity ID | |
Name ID format | |
Name ID | |
B. Attribute Mappings (Critical)
Important: Google Workspace does not send name attributes by default. You must map these attributes manually or users may see a "Name not present in claims" error when signing in.
Use one of the following options.
Option 1: Map first and last name
Google Directory Attribute | App Attribute (claim name) |
First name | firstName |
Last name | lastName |
Option 2: Map full name
Google Directory Attribute | App Attribute |
Full Name | displayName |
Optional: Auto-assign licence type in Uptick
Google Directory Attribute | App Attribute |
Custom attribute / group | |
The value sent for license must be exactly DESK or FIELD.
C. Copy Google Workspace SSO Details
The customer will need to provide Uptick with the following details from Google Workspace:
SSO URL
Entity ID / Issuer
X.509 Certificate
Whitelisted domain(s) such as mycompany.com
The most common failure point is missing the attribute mappings in Step 2B, so make sure these are added in Google Admin Console before testing sign-in.
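A pre-flight check for the mappings above, as an added example (not Uptick's code): it inspects a decoded SAML assertion captured from a test sign-in and reports missing name claims, a bad license value, or an email domain outside the whitelist. The `license` claim name, the email address carried in NameID, and case-insensitive domain matching are assumptions; the check does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture); signature elements omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alex@mycompany.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="license"><saml:AttributeValue>Desk</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text, allowed_domains):
    """Return a list of problems found in a decoded SAML assertion.

    Only parse assertions you captured yourself from a test sign-in.
    """
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        claims[attr.get("Name")] = (value.text or "").strip() if value is not None else ""

    problems = []
    # Name claims: either firstName + lastName, or displayName.
    has_split = bool(claims.get("firstName")) and bool(claims.get("lastName"))
    if not (has_split or claims.get("displayName")):
        problems.append("name: map firstName + lastName, or displayName")

    # Optional licence claim (assumed name "license"): exactly DESK or FIELD.
    if "license" in claims and claims["license"] not in ("DESK", "FIELD"):
        problems.append("license: %r is not exactly DESK or FIELD" % claims["license"])

    # Email domain (assumed to be in NameID) must be in the comma-separated whitelist.
    name_id = root.findtext(".//saml:NameID", default="", namespaces=NS).strip()
    domain = name_id.rpartition("@")[2].lower() if "@" in name_id else ""
    allowed = {d.strip().lower() for d in allowed_domains.split(",") if d.strip()}
    if domain not in allowed:
        problems.append("domain: %r is not whitelisted" % domain)
    return problems
```
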
Step 3: Complete SSO Configuration in Uptick
Return to Control Panel > Security > Single sign-on in Uptick and complete Step 2:
Field | What to Enter |
Identity Provider | Automatically populated—only change if using multiple Uptick workspaces with one identity provider |
Single sign-on URL | Paste the SSO URL from your identity provider |
Metadata URL | Paste the Entity ID / Issuer from your identity provider |
Certificate | Paste the complete contents of the Base64 certificate you downloaded from Azure AD |
Whitelisted domains | Enter a comma-separated list of email domains allowed to sign in with SSO (e.g., ) |
Require staff to log in with the identity provider | Check this box to enforce SSO for all users. Important: Test thoroughly before enabling this option. If enabled, all Field and Desk users must use SSO—there are currently no exemptions for admin accounts. |
Click Save
Step 4: Test and Roll Out
Testing SSO
Before enforcing SSO, test with a few users to ensure they can successfully log in
Have test users sign out of the Uptick Web Platform and Uptick App completely
Test users should sign back in—they'll be redirected to your identity provider for authentication
For Mobile App Users
If SSO is enabled after users are already signed into the Uptick App:
Open the Uptick App
Tap About > Sign Out
Sign back in using the SSO option
Enforcing SSO
Once testing is successful, you can check the "Require staff to log in with the identity provider" option to enforce SSO for all users.
⚠️ Important: If you enable this option and encounter issues, contact Uptick Support immediately at [email protected] for assistance.
Troubleshooting
Common Issues
"Login credentials failed (400)" error
Ensure you're signed into your Microsoft/Google account first
Verify the SSO configuration matches exactly between Uptick and your identity provider
For mobile app users: Sign out completely and sign back in
"Name not present in claims" error
This usually means the required Google Workspace attribute mappings have not been added
In Google Admin Console, make sure you map either:
First name to firstName and Last name to lastName, or
Full Name to displayName
Save the mapping changes and test sign-in again
"AADSTS75011: Authentication method doesn't match" error
This typically occurs with Windows Hello authentication
Contact Uptick Support—this may require configuration adjustments on Uptick's side
SSO not working in sandbox environment
Sandbox and production environments require separate SSO configurations
You cannot reuse certificates or URLs between environments
Set up a dedicated Azure AD application for your sandbox
Users locked out after enabling "Require staff to log in with identity provider"
Contact Uptick Support immediately at [email protected]
We can assist with disabling the requirement if needed
Security Information
Uptick implements multiple security measures to protect your account:
Automatic account lockout after repeated failed login attempts
Exponential backoff to prevent brute force attacks
Login tracking with IP addresses for audit purposes (available in Control Panel > Security > Account Device Audit for the past 14 days)
When using SSO, authentication security is managed by your identity provider (Microsoft, Google, etc.), allowing you to leverage their enterprise-grade security features including multi-factor authentication (MFA).
Need Help?
If you encounter any issues during SSO setup or have questions:
Email: [email protected]
In-app: Use the chat widget in the bottom-right corner of the Uptick Web Platform
