
SSO overview

Conflixis is a SaaS platform for managing conflicts of interest in healthcare compliance. Administrators sign in to the admin app at client.conflixis.com. Single sign-on (SSO) lets your users authenticate with their existing identity provider instead of managing a separate Conflixis password.

Conflixis runs a single, production-only environment — there is no separate non-prod tenant for customer SSO testing. SSO is validated directly in production with a small set of pilot users before broader rollout.

The admin app supports three sign-in methods:

  • Generic OIDC — your users sign in against any standards-compliant OpenID Connect identity provider. Each customer creates an OIDC application in their own IdP admin console and shares its credentials with Conflixis. Compatible providers include Okta, Auth0, Ping Identity, Keycloak, OneLogin, JumpCloud, and ForgeRock, among others — anything that supports the OIDC Authorization Code flow and a standard discovery document.
  • Google Workspace (OAuth 2.0 / OIDC) — your users sign in with their Google work account.
  • Email and password — a fallback for users who can't use SSO (for example, third-party reviewers).

Each Conflixis customer organization has its own OIDC configuration; users from your tenant sign in against your tenant, not a shared one.
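Before sharing an OIDC application's credentials, it is worth confirming that your IdP's discovery document actually advertises what the overview lists as the compatibility requirements: the Authorization Code flow and the standard endpoints. The check below is an added example written for this page, not Conflixis code; the two sample documents are constructed, the required-endpoint list and the TLS rule follow the OIDC Discovery specification, and the remaining expectations (an email claim, an openid scope) are this example's own assumptions.

```python
"""Pre-flight check of an OIDC provider's discovery document.

Added example for this overview, not Conflixis code. The two sample
documents below are constructed; the required-endpoint list and the
'https' rule reflect the OIDC Discovery spec, the rest are this
example's own assumptions about what a usable configuration looks like.
"""
import json
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Standard location of the discovery document for an issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, document: dict) -> list:
    """Return the problems found; an empty list means the IdP advertises
    everything the Authorization Code flow with email-based linking needs."""
    problems = []
    # The issuer in the document must equal the URL it was fetched from
    if document.get("issuer") != issuer:
        problems.append(f"issuer mismatch: expected {issuer!r}, got {document.get('issuer')!r}")
    # Every endpoint the relying party talks to must exist and be served over TLS
    for key in REQUIRED_ENDPOINTS:
        url = document.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The Authorization Code flow is advertised as response_type 'code'
    if "code" not in document.get("response_types_supported", []):
        problems.append("Authorization Code flow not supported (no 'code' in response_types_supported)")
    # These lists are optional in the spec; when present they must carry what we rely on
    if "openid" not in document.get("scopes_supported", ["openid"]):
        problems.append("'openid' scope not advertised")
    if "email" not in document.get("claims_supported", ["email"]):
        problems.append("'email' claim not advertised; users are identified by email")
    return problems


def check_discovery_json(issuer: str, raw: str) -> list:
    """Same check, starting from the raw JSON body of the discovery response."""
    try:
        document = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc.msg}"]
    return check_discovery(issuer, document)


# Constructed sample: what a compatible provider advertises
GOOD_ISSUER = "https://idp.example.com"
GOOD_DOC = {
    "issuer": GOOD_ISSUER,
    "authorization_endpoint": f"{GOOD_ISSUER}/oauth2/authorize",
    "token_endpoint": f"{GOOD_ISSUER}/oauth2/token",
    "jwks_uri": f"{GOOD_ISSUER}/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "name"],
}

# Constructed sample: wrong issuer, implicit flow only, plaintext token endpoint, no JWKS
BAD_DOC = {
    "issuer": "https://other.example.com",
    "authorization_endpoint": f"{GOOD_ISSUER}/oauth2/authorize",
    "token_endpoint": "http://idp.example.com/oauth2/token",
    "response_types_supported": ["id_token", "id_token token"],
}

if __name__ == "__main__":
    print(discovery_url(GOOD_ISSUER))
    print("good:", check_discovery(GOOD_ISSUER, GOOD_DOC) or "no problems")
    for problem in check_discovery(GOOD_ISSUER, BAD_DOC):
        print("bad:", problem)
```

Run it against the JSON your IdP serves at the well-known URL; an empty result means the provider meets the requirements stated above, and each returned line names the specific gap to raise with your IdP administrator.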

Users must be pre-provisioned by a Conflixis administrator before their first sign-in. Accounts are created in the Conflixis admin app, either individually or in bulk via CSV import. Signing in via SSO does not auto-create a user; it links the IdP identity to a user record that already exists.

Conflixis identifies users by their email address. On first sign-in:

  1. Your identity provider returns the user's email, display name, and a stable subject identifier.
  2. Conflixis looks up the email in your workspace and links the IdP identity to that user record.
  3. Subsequent sign-ins reuse the link — the user lands directly in the app.

If the email isn't found, sign-in is rejected and the user is told to contact their Conflixis administrator. The same email cannot belong to two users in your workspace, so the linkage is unambiguous.

If a user's email changes in your IdP, ask your Conflixis administrator to update the corresponding user record so subsequent sign-ins re-link cleanly. Conflixis does not read or use IdP groups for role assignment — roles are managed inside the Conflixis admin app.
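The linking rules in the three steps above, together with the unknown-email rejection and the email-change case, can be written out as a small reference model. This is an added example for this page, not Conflixis code: the `Workspace` and `User` classes, the `(issuer, sub)` link record, the rejection messages and the `email_verified` check are this example's assumptions; the constructed claims mirror what an ID token carries.

```python
"""Email-based linking of an IdP identity to a pre-provisioned user.

Added example for this overview, not Conflixis code: the Workspace and
User classes, the (issuer, sub) link record and the rejection messages
are this example's assumptions. It implements the rules the overview
states: accounts exist before first sign-in, the IdP's email selects the
record, the first sign-in stores the link, later sign-ins reuse it, an
unknown email is rejected, and roles never come from the IdP.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: str
    email: str            # stored lower-cased; unique within the workspace
    display_name: str
    role: str             # managed in the admin app, never derived from IdP groups
    idp_link: Optional[tuple] = None   # (issuer, sub) after the first SSO sign-in


class SignInRejected(Exception):
    """Raised for any failed sign-in; the message is what the user sees."""


CONTACT_ADMIN = "contact your Conflixis administrator"


class Workspace:
    def __init__(self) -> None:
        self._by_email: dict = {}
        self._by_id: dict = {}

    # --- administration (what the admin app or a CSV import does) ---
    def provision(self, email: str, display_name: str, role: str) -> User:
        key = email.strip().lower()
        if key in self._by_email:
            raise ValueError(f"{key} is already provisioned")   # one email, one user
        user = User(f"u{len(self._by_id) + 1}", key, display_name, role)
        self._by_email[key] = user
        self._by_id[user.user_id] = user
        return user

    def update_email(self, user_id: str, new_email: str) -> User:
        """What the administrator does when a user's email changes in the IdP."""
        user = self._by_id[user_id]
        key = new_email.strip().lower()
        if key in self._by_email and self._by_email[key] is not user:
            raise ValueError(f"{key} already belongs to another user")
        del self._by_email[user.email]
        user.email = key
        self._by_email[key] = user
        return user

    # --- sign-in (what happens when the IdP redirects back) ---
    def sign_in(self, claims: dict) -> User:
        """claims: the verified ID token claims (iss, sub, email, name)."""
        issuer, sub = claims["iss"], claims["sub"]
        email = claims.get("email", "").strip().lower()
        # Assumed defensive check: an address the IdP marks unverified must not
        # be allowed to select an account
        if not email or claims.get("email_verified", True) is False:
            raise SignInRejected(f"No verified email from identity provider; {CONTACT_ADMIN}")
        user = self._by_email.get(email)
        if user is None:
            # Not pre-provisioned: never auto-create a user
            raise SignInRejected(f"No Conflixis account for {email}; {CONTACT_ADMIN}")
        if user.idp_link is None:
            user.idp_link = (issuer, sub)          # first sign-in: record the link
        elif user.idp_link != (issuer, sub):
            # The same email presented by a different subject or issuer
            raise SignInRejected(f"Identity does not match the linked account; {CONTACT_ADMIN}")
        return user                                 # role comes from the record, not the IdP


if __name__ == "__main__":
    ws = Workspace()
    ws.provision("Alice@Example.com", "Alice Reviewer", "admin")
    # Constructed claims, as a verified ID token would present them
    claims = {"iss": "https://idp.example.com", "sub": "a1b2c3",
              "email": "alice@example.com", "name": "Alice"}
    print(ws.sign_in(claims))
    try:
        ws.sign_in({**claims, "email": "nobody@example.com"})
    except SignInRejected as exc:
        print("rejected:", exc)
```

Two design points worth noting: the link is keyed on `(issuer, sub)` rather than on the subject alone, so a second IdP tenant cannot present a colliding subject identifier, and a sign-in whose email matches but whose subject differs from the stored link is rejected rather than silently re-linked, which is why the email-change case goes through the administrator's `update_email` step.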

Conflixis uses OAuth 2.0 / OIDC, not SAML, so it cannot be configured as a fully IdP-initiated SAML application in launchers like Okta. The recommended pattern is a link / bookmark tile that points users at the Conflixis sign-in page; from there, the user's existing IdP session completes the redirect transparently.

  • Okta, Auth0, Ping, JumpCloud, OneLogin, and other OIDC launchers — add whichever "bookmark", "linked", or "web link" app type the launcher offers, with the URL https://client.conflixis.com/. Assign it to the same group(s) of users you would have used for a SAML app.
  • Google Workspace — add a custom web app under Apps → Web and mobile apps → Add app → Add custom web app pointing at https://client.conflixis.com/. It will then surface in the Google Apps launcher for assigned users.

Because the user still lands on our sign-in page first, the experience is one click only when their browser already has a live session with the IdP. The very first sign-in (and any subsequent sign-in after the IdP session expires) will show the IdP's normal authentication prompt, and — if admin consent has not been pre-granted — the standard IdP consent screen.

Today, removing a user's access to Conflixis is done in the Conflixis admin app. Disabling the user in your IdP prevents them from completing a new sign-in but does not on its own revoke an existing Conflixis session or account. We recommend revoking the user in Conflixis as part of your offboarding checklist; SCIM-driven automated deprovisioning is on the roadmap.

  • OIDC SSO setup — how to register Conflixis as an OIDC application in any standards-compliant identity provider (Okta, Auth0, Ping, Keycloak, and others) and share the credentials with Conflixis.