Set Up Single Sign-On (SSO) in Rhythms

Step-by-step guide for admins to set up SSO in Rhythms for secure, simple access using your organization’s credentials.

Updated over 2 months ago

Introduction

This guide provides step-by-step instructions for setting up Single Sign-On (SSO) in Rhythms, a key component of our enterprise-grade identity management framework. SSO enables your team to log in securely using corporate credentials, enhancing security and simplifying access across your organization.

Whether you’re an IT administrator configuring the system or a user logging in, Rhythms ensures a seamless and secure experience. Follow this guide to implement SSO and explore how it integrates with your organization’s identity provider (IdP) for efficient user management.


What is SSO in Rhythms?

SSO lets your team log in to Rhythms using their existing corporate credentials through your IdP, such as Okta, Microsoft Entra ID, CyberArk, Google Workspace, or Auth0. Once enabled, all users with your email domain (e.g., @yourcompany.com) must authenticate via the IdP, ensuring consistent security policies and streamlined access.


Benefits of SSO

  • Enhanced Security: Reduces password fatigue and enforces IdP policies, like multi-factor authentication (MFA).

  • Simplified Access: One set of credentials for users to remember, making login quick and easy.

  • Streamlined Management: Admins manage access centrally through the IdP, reducing manual effort.


Prerequisites for SSO Setup

Before starting:

  • You must be a Rhythms Administrator to access the admin interface and initiate SSO setup.

  • You must also be an IdP Administrator to configure the identity provider settings. An IdP Administrator is someone with administrative access to your organization’s Identity Provider, such as an IT team member who manages Okta, Microsoft Entra ID, Google Workspace, or Auth0.

    • If you’re not an IdP Administrator, please share your IdP admin’s details with Rhythms so that Rhythms can send the setup URL directly to your IdP Administrator to set up SSO.

  • Your IdP must be supported (e.g., Okta, Entra ID, Google Workspace, etc.).

Note: SSO setup is powered by WorkOS.


How to Set Up SSO

Access the Admin Interface

Log in with your Rhythms admin credentials. To begin, open the admin interface in Rhythms by clicking the Settings menu option.

Select SSO Setup

After clicking Settings, select Security. From the Security menu, continue to configuration using the SSO setup options available in Rhythms. Rhythms supports multiple SSO providers, including Okta, Entra ID, Google Workspace, and more.

Selecting Your Identity Provider

Rhythms seamlessly integrates with leading identity providers to ensure compatibility with your organization’s setup. Supported providers include:

  • Google Workspace

  • Microsoft Entra ID (formerly Azure AD)

  • Okta

  • CyberArk SAML

  • Auth0

From the list displayed in the setup interface, select your organization’s identity provider to proceed with the configuration.

Configuring Your Identity Provider

Each identity provider requires specific setup steps, which are tailored to ensure a secure connection with Rhythms. Follow the instructions in the setup wizard, which may include:

  • Registering Rhythms as a trusted application in your identity provider’s admin console.

  • Configuring SSO URLs and exchanging metadata between Rhythms and your IdP.

  • For detailed, provider-specific instructions, refer to the documentation links provided in the setup interface. Setup Interfaces for Okta and Entra ID are provided below for reference.

Okta Setup Interface

Okta SSO Configuration wizard - Detailed instructions here

Entra ID Setup Interface

CyberArk SAML Setup Interface

Testing the SSO Configuration

After configuration, verify that SSO is working correctly:

  • Log out of your current Rhythms session: click your name to open the Rhythms menu, then select the sign out option.

  • Attempt to log in again using your corporate email address.

  • If set up correctly, you’ll be redirected to your IdP’s login page for authentication.

  • Upon successful authentication, you’ll be seamlessly logged into Rhythms.
    💡 Note: If you’re already authenticated with your IdP (e.g., in another browser session), you’ll be automatically logged into Rhythms without additional prompts.

Note: Enabling SSO ends all active sessions. Users must re-authenticate via the IdP.


User Experience with SSO

Once SSO is active:

  1. Login Process

    • Users go to app.rhythms.ai and enter their corporate email.

    • They’re redirected to the IdP login page.

    • After authentication, they land on the Rhythms dashboard.

  2. Session Management

    • Active SSO sessions allow instant access.

    • Sessions expire after 24 hours of inactivity, requiring re-login.

    • Users can log out manually via Rhythms.

  3. First-Time Login

    • Existing users finish their current session (up to 24 hours) before SSO kicks in.

    • All domain users must use SSO thereafter.

Tip: Enable multi-factor authentication (MFA) via your IdP for extra security.


Best Practices for SSO Setup

  • Enable MFA for Added Protection: Configure multi-factor authentication (MFA) in your IdP to add an extra layer of security, protecting against unauthorized access if credentials are compromised.

  • Prepare Users for the Transition: Notify your team in advance about the SSO rollout, explaining that they’ll need to log in via the IdP and may experience a brief logout during the switch. Provide a support contact for questions.

  • Test for Common Issues: Pilot the SSO setup with a small group, checking for issues like IdP redirection failures, login errors, or session timeouts, to ensure a smooth rollout for all users.

  • Monitor IdP Logs: Regularly check your IdP’s logs for authentication failures or errors after enabling SSO, allowing you to quickly troubleshoot and resolve issues.


Frequently Asked Questions (FAQ)


Q: Which IdPs are supported for SSO in Rhythms?
A: Rhythms supports major providers like Okta, Microsoft Entra ID, Google Workspace, and Auth0. Check the setup wizard for the full list. If your IdP isn’t supported, contact Rhythms support to explore options.

Q: What happens if I’m not an IdP Administrator?
A: Share the IdP admin details with Rhythms, and we’ll send the setup URL directly to your IdP Administrator to complete the configuration.

Q: I'm getting "Sorry the account you are signing in from doesn't have access to the product" with SSO - what should I do?

A: This error typically occurs for two main reasons:

  • Email attribute mismatch: The email address from your SAML email claim field doesn't match the email address in the user's Rhythms account. Rhythms uses the email field from your SAML assertion to identify users.

  • User doesn't exist: The user hasn't been added to Rhythms yet, or their email in Rhythms doesn't match what Entra ID is sending in the email claim.

To resolve:

  • The email address in your SAML email claim field must exactly match the email address in the user's Rhythms profile. Update your SAML attribute mapping to address the mapping issue.

  • If the user is missing in Rhythms, manually add the missing user.

  • If the issue is still not resolved, please contact Rhythms support with your SAML response log.
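
One way to check for the email attribute mismatch described above before contacting support. This is an added example, not Rhythms or WorkOS tooling: it decodes a captured SAMLResponse and classifies how the email claim differs from your user list. The attribute name "email", the function names, the sample response and the user list are all assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, not captured from a real IdP).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>J.Doe@Example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def email_claim(saml_response_b64, attr_name="email"):
    """Extract one attribute value from a base64 (HTTP-POST binding) SAMLResponse.
    Diagnostic only: no signature validation, never use this to authenticate."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None

def diagnose(claim, rhythms_emails):
    """Classify why a claim does or does not match a known user email."""
    if not claim:
        return ("missing_claim", None)          # attribute mapping not configured
    if claim in rhythms_emails:
        return ("exact_match", claim)
    folded = {e.strip().lower(): e for e in rhythms_emails}
    key = claim.strip().lower()
    if key in folded:
        return ("case_or_whitespace", folded[key])
    local = key.split("@")[0]
    for k, original in folded.items():
        if k.split("@")[0] == local:            # e.g. IdP sends a different domain
            return ("domain_differs", original)
    return ("user_not_found", None)             # add the user in Rhythms

if __name__ == "__main__":
    users = ["j.doe@example.com", "asmith@example.com"]  # constructed user list
    print(diagnose(email_claim(SAMPLE_B64), users))
```

Treat a captured SAML response as sensitive data: run the check locally and delete the capture afterwards.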

Q: How do I know if SSO is working?
A: Test by logging out and logging in with your corporate email. You should be redirected to your IdP’s login page and seamlessly logged into Rhythms upon authentication.

Q: What should I set up after SSO?
A: Consider enabling SCIM for automated user provisioning and configuring RBAC for role-based permissions. See the Enterprise Identity Management overview for more details.
