SSO and SCIM are only available to Arrow Business and Arrow Omnix plans.
Upgrade your plan
Important:
Due to Apple limitations, the Arrow Smart Extension for Safari does not currently support self-hosted SSO. You can use the extension on a different browser, such as Chrome, Firefox, or Edge.
With both self-hosted and Confidential, if a member's email changes in the IdP, this won't automatically update in Arrow.
Admins of Business or Omnix plans can integrate Arrow with many SAML 2.0 Identity Providers (IdPs) so that plan members can log in to Arrow with SSO. Admins can also set up SCIM with Arrow to handle group and user provisioning.
Although Arrow may work with other cloud and on-prem SAML 2.0 IdPs not mentioned here, we recommend confirming with our Support Team first. You can contact an agent directly through the Admin Console.
Contact an agent through the Admin Console
| IdP | SSO supported | SCIM provisioning supported | Other directory sync method supported |
| --- | --- | --- | --- |
| Azure | ✅ | ✅ | N/A |
| Okta | ✅ | ✅ | N/A |
| JumpCloud | ✅ | ✅ | N/A |
| PingID | ✅ | ✅ | N/A |
| AD FS | ✅ | ❌ | ✅ Active Directory (AD) sync |
| Google Workspace | ✅ | ❌ | ✅ SAML group sync |
| Duo | ✅ | ❌ | ✅ Sync with connected IdP |
| Non-SAML SSO protocols like OpenID Connect | N/A | ❌ | N/A |
SIEM integration: Arrow also integrates with security information and event management (SIEM) tools so you can monitor team activity in real time. Currently, we offer integration with Splunk. Integration with Microsoft Sentinel is coming soon.
Note: As an admin, you'll still use a Master Password to log in to your Arrow admin account, even if you set up SSO for your plan. We recommend having more than one admin on your plan in case you ever forget your Master Password.
Add another admin to your plan
Tip: If you're deploying Arrow for the first time, we recommend setting up SSO before inviting people to your plan so they can log in with SSO immediately and won't have to create a Master Password.
Step 1: Choose Confidential or self-hosted SSO and SCIM
Before you can set up SSO and SCIM, you must choose between Arrow Confidential and self-hosted options. Both options are equally secure and maintain Arrow's zero-knowledge security architecture.
We recommend Confidential as the simplest and fastest setup experience. The only limitation of Confidential is that it doesn't support Microsoft Conditional Access on mobile devices.
More about this limitation with Microsoft Conditional Access
More about Arrow Confidential SSO and SCIM Provisioning
More about self-hosted SSO and SCIM
Step 2: Follow the steps in the Admin Console to integrate with your IdP
After you've chosen Confidential or self-hosted, follow the steps in the Admin Console:
- Select the Arrow D icon in your browser's toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Integrations section of the side menu, select Single sign-on.
- Choose to set up either self-hosted or Confidential.
Learn more about the difference between Confidential and self-hosted SSO and SCIM Provisioning
- Follow the steps in the Admin Console. If you're not sure how to create a new SSO application with your Identity Provider, visit that provider's Help Center:
Microsoft Entra ID | AD FS | Okta | Google Workspace | JumpCloud | Duo | PingID
Common questions about SSO and SCIM
What's SSO, and how can I use it with Arrow?
Single sign-on, known as SSO, is an authentication scheme that allows your employees to log in to all of your organization's software with a single login.
When integrated with Arrow, SSO allows members of your Business or Omnix plan to sign in to Arrow using their SSO login instead of a Master Password. Members can sign in to Arrow using SSO on the web, mobile, and the Arrow macOS app. With the Arrow Extension for Safari, self-hosted SSO isn't available at this time due to Apple limitations, but you can use it on a different browser like Chrome, Firefox, or Edge.
What's SCIM and how can I use it with Arrow?
System for Cross-domain Identity Management, known as SCIM, allows you to use each member's status in your Identity Provider to provision and deprovision members.
When integrated with Arrow, SCIM makes it easier to add and remove members and groups in Arrow.
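The following is an added example, not Arrow's own code or its SCIM endpoint: it shows the generic SCIM 2.0 mechanics (RFC 7643/7644) behind "use each member's status in your Identity Provider to provision and deprovision members". A status change in the IdP arrives at a SCIM endpoint as a PatchOp message; applying it flips `active` to false (deprovisioning) or adds and removes group members. The user and group records, IDs and e-mail addresses are constructed sample data, and the code deliberately handles the case where an IdP sends the boolean `active` value as the string "False".

```python
import copy
import re
from typing import Any, Dict, List

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample directory state, as a SCIM endpoint might store it.
USERS: Dict[str, Dict[str, Any]] = {
    "u-100": {"schemas": [SCIM_USER], "id": "u-100",
              "userName": "alice@example.com", "active": True},
    "u-101": {"schemas": [SCIM_USER], "id": "u-101",
              "userName": "bob@example.com", "active": True},
}
GROUPS: Dict[str, Dict[str, Any]] = {
    "g-1": {"schemas": [SCIM_GROUP], "id": "g-1", "displayName": "Finance",
            "members": [{"value": "u-100"}]},
}


def _as_bool(value: Any) -> bool:
    # Some IdPs serialise booleans as the strings "True"/"False".
    # bool("False") is True, so the text must be compared explicitly,
    # otherwise a deprovisioning request would leave the account active.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def _check_patch(patch: Dict[str, Any]) -> None:
    if SCIM_PATCH not in patch.get("schemas", []):
        raise ValueError("not a SCIM 2.0 PatchOp message")


def patch_user(user: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Apply a PatchOp to a User resource; returns a new record, input untouched."""
    _check_patch(patch)
    updated = copy.deepcopy(user)
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported user operation: {op['op']}")
        # Both shapes are common: {"path": "active", "value": x}
        # and the path-less form {"value": {"active": x, "displayName": ...}}.
        attrs = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
        for name, value in attrs.items():
            updated[name] = _as_bool(value) if name == "active" else value
    return updated


# Filter form used by "remove" on group members: members[value eq "u-100"]
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def patch_group(group: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Apply add/remove member operations to a Group resource."""
    _check_patch(patch)
    updated = copy.deepcopy(group)
    members: List[Dict[str, str]] = updated.setdefault("members", [])
    for op in patch["Operations"]:
        kind = op["op"].lower()
        if kind == "add" and op.get("path") == "members":
            for m in op["value"]:
                if all(existing["value"] != m["value"] for existing in members):
                    members.append({"value": m["value"]})
        elif kind == "remove":
            match = _MEMBER_FILTER.match(op.get("path", ""))
            if not match:
                raise ValueError(f"unsupported remove path: {op.get('path')}")
            members[:] = [m for m in members if m["value"] != match.group(1)]
        else:
            raise ValueError(f"unsupported group operation: {op}")
    return updated


def member_ids(group: Dict[str, Any]) -> List[str]:
    return sorted(m["value"] for m in group.get("members", []))


def demo():
    """Alice is deactivated in the IdP; Bob replaces her in the Finance group."""
    deactivate = {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "Replace", "path": "active", "value": "False"}]}
    alice = patch_user(USERS["u-100"], deactivate)
    group_change = {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "Add", "path": "members", "value": [{"value": "u-101"}]},
        {"op": "Remove", "path": 'members[value eq "u-100"]'}]}
    finance = patch_group(GROUPS["g-1"], group_change)
    return alice["active"], member_ids(finance)


if __name__ == "__main__":
    print(demo())  # (False, ['u-101'])
```

Deprovisioning in SCIM is a state change (`active: false`) rather than a delete, which is why an IdP status change is enough to cut off access while keeping the record for later reactivation.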
What's an Identity Provider (IdP)?
Many organizations use an Identity Provider to manage and authenticate members' access to applications and software with SSO and SCIM. Popular Identity Providers include Azure, Okta, and Google Workspace.
What Identity Providers (IdP) can I use with Arrow?
You can use many SAML 2.0 Identity Providers, including Azure, Okta, and Google Workspace.
Is it secure to use SSO with Arrow?
While many password managers wouldn't be secure with SSO, Arrow uses an encryption service to allow for SSO while retaining our zero-knowledge architecture. That way, data stored in Arrow remains encrypted. Neither Arrow nor your Identity Provider has your encryption key, so even if either experienced a breach, no one could access your data.
What's an encryption service?
Your logins and personal information are always "encrypted" in Arrow. Encryption scrambles your data so no one can read it. A unique encryption key is needed to decrypt and access your encrypted data.
An "encryption service" is a service that provides that unique encryption key. Without SSO, your Master Password acts as the encryption key because only you know it. With SSO, we need a way to verify your identity to your Identity Provider without a Master Password. That's what the encryption service is for.
We require anyone setting up SSO or SCIM with Arrow to use an encryption service. It's an essential layer of our zero-knowledge architecture that protects your data in the event of a breach.
We offer two options for your encryption service—Arrow Confidential SSO and self-hosted SSO.
Why use an encryption service?
The encryption service can benefit your organization more than competitor solutions. End-to-end encryption and encrypted sharing keys require a necessary layer of security that SAML and SCIM don't provide out of the box. You can use the encryption service to seamlessly integrate Arrow with these protocols while keeping the encryption keys secure and the experience intuitive for the plan members and admins.
This graphic explains how the encryption service fits in the SSO and SCIM architecture:
Can I access Arrow offline after setting up SSO?
Because the Arrow SSO connector needs to communicate with your Identity Provider to verify your login, you need to be connected to the internet to log in to your Arrow account with SSO. However, SSO members with biometric unlock enabled on their mobile devices can access their vault using biometrics.
What if my employees created Arrow accounts without joining my plan?
If an employee created an Arrow account before joining your plan and before you verified your organization's email domain, you'll see a message in the Users tab of the Admin Console. This message gives you the option to download a CSV of employees who:
- Have accounts using your organization's verified email domain and have logged in to Arrow in the last 90 days
- Haven't yet been invited to join your plan
Is Virtual Desktop Infrastructure (VDI) supported with Arrow SSO?
Yes, VDI is fully supported with Arrow SSO.
How do I renew a SAML signing certificate for the Arrow enterprise app?
If you use Azure as your IdP, these steps can help you renew your certificate.
If you use a different IdP, these steps may still provide guidance, or you can contact support.
Contact an agent through the Admin Console
If you prefer, watch the Azure video of these steps
- In a new browser tab, open the Azure Portal and search for or select Enterprise Applications.
- Select your Arrow app from the list of applications.
- Select Single sign-on from the menu.
- Select Edit the SAML Certificates and then select New Certificate. A new certificate appears in the list with the Status.
- Select Save. A notification appears that your certificate has been updated, and the status for the new certificate will be updated to "Inactive."
- Select the 3-dot menu for the new "Inactive" certificate, select Make certificate active, then select Yes to confirm.
- Select the 3-dot menu for the "Inactive" certificate, select Delete Certificate, then select Yes to confirm. A notification appears that your certificate has been deleted.
- Return to the Single sign-on page and dismiss the pop-ups. Scroll to SAML Certificates and select Download for the Federation Metadata XML.
- Open the downloaded file in a text editor, select all of the text, and copy it to your clipboard.
- Select the Arrow D icon in your browser's toolbar and enter your admin Master Password if prompted. In the extension pop-up, select More and then Open the Admin Console.
- In the Integrations section of the side menu, select Single sign-on, and then Edit Confidential SSO or Edit Self-hosted SSO depending on your configuration.
- Select Edit for SSO settings.
- Optional: Copy and save the text in the Add identity provider metadata text box for your records.
- Then delete all of that text and paste the text you copied earlier.
- Select Save changes.
If the metadata contains more than one certificate, the Arrow Admin Console displays an error message. If an error appears when saving the new metadata, double-check that you deleted the inactive certificate in step 7.
- Select Test the SSO connection to confirm the update was successful.
- Ask a team member to test the login.
Watch our video showing how to renew a certificate on Azure.
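Before pasting the downloaded Federation Metadata XML into the Admin Console, it is worth checking it offline for the condition the note above describes (more than one signing certificate). The following is an added example, not Arrow's or Microsoft's code: it parses SAML 2.0 metadata with the Python standard library, counts the IdP signing certificates, reports their SHA-256 fingerprints and the SSO endpoint, and flags metadata that would be rejected. The `build_metadata` helper, the entity ID, the endpoint URL and the certificate bodies are constructed placeholders (the "certificates" are not real X.509 data, so expiry is not checked here).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Any, Dict, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders, not a real tenant or endpoint.
ENTITY_ID = "https://sts.windows.net/placeholder-tenant-id/"
SSO_URL = "https://login.microsoftonline.com/placeholder-tenant-id/saml2"

KEY_DESCRIPTOR = """
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>"""

METADATA_TEMPLATE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{entity_id}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{keys}
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{sso}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def build_metadata(cert_bodies: List[bytes], entity_id: str = ENTITY_ID) -> str:
    """Constructed sample metadata with one KeyDescriptor per placeholder cert body."""
    keys = "".join(KEY_DESCRIPTOR.format(cert=base64.b64encode(b).decode())
                   for b in cert_bodies)
    return METADATA_TEMPLATE.format(entity_id=entity_id, keys=keys, sso=SSO_URL)


def inspect_metadata(xml_text: str) -> Dict[str, Any]:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    fingerprints = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    sso = [e.get("Location") for e in
           root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"),
            "signing_fingerprints": fingerprints,
            "sso_locations": sso,
            "valid_until": root.get("validUntil")}


def problems(info: Dict[str, Any]) -> List[str]:
    """Conditions that would make the pasted metadata unusable."""
    issues = []
    n = len(info["signing_fingerprints"])
    if n == 0:
        issues.append("no signing certificate found")
    elif n > 1:
        issues.append(f"metadata carries more than one signing certificate ({n}); "
                      "delete the inactive certificate in the IdP and download again")
    if not info["sso_locations"]:
        issues.append("no SingleSignOnService endpoint")
    if info["valid_until"]:
        expires = datetime.fromisoformat(info["valid_until"].replace("Z", "+00:00"))
        if expires < datetime.now(timezone.utc):
            issues.append("metadata validUntil is in the past")
    return issues


if __name__ == "__main__":
    # Two certificates present: the state after step 6 if step 7 was skipped.
    info = inspect_metadata(build_metadata([b"placeholder-cert-A", b"placeholder-cert-B"]))
    for fp in info["signing_fingerprints"]:
        print("signing cert sha256:", fp)
    print(problems(info))
```

To run it against a real download, replace the constructed sample with `inspect_metadata(open("metadata.xml").read())`; the fingerprint list also lets you confirm that the certificate Arrow sees is the one you just activated.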
Why did I get an "Application with identifier was not found in the directory" error?
If you get this error, try these troubleshooting steps:
- Ensure your members and groups are assigned to the Arrow SAML app you created in your IdP during setup.
- Make sure your browser profile is signed in with the same email address. Checking this is important for admins who use multiple profiles on Google Chrome browsers.
- Ensure your Entity ID and ACS URLs match those in your Admin Console and that the Entity ID isn't missing the "/" at the end.
- Ensure the member is logging in with the email address displayed in the Admin Console.