SAML single sign-on
atSpoke is excited to offer SAML-based single sign-on (SSO) to organizations! To enable it, you need to be an atSpoke admin. If you are also your company's IdP admin, we can get started! If not, you will need to coordinate with whoever manages your identity provider (IdP). Several providers have pre-built SAML integrations with atSpoke. Please see the Okta, OneLogin, and G Suite specific help articles.
atSpoke's SAML integration relies on a user-level token. To ensure consistent delivery of SAML services, we recommend using an admin service account such as IT@yourcompany.com.
Before you begin
- After SAML is enabled, all non-admin members in atSpoke must log in with SAML. Admins who have not set up a password will be prompted to do so by a banner in the web app. Admins can still log in with a password as needed.
- Because the SSO setup will log out all users and admins, it’s best to set up SAML when few users are logged in, whether before launch or outside business hours.
- Only atSpoke Admins have the superpowers to enable SAML for the organization.
- atSpoke offers just-in-time provisioning. This means that if a user logs into atSpoke for the first time using SSO, an account will automatically be created.
Configure your IdP
Begin by logging into atSpoke and navigating to Settings > Integrations, then look for the SAML card. You will find two pieces of information that are unique to your organization: the Assertion Consumer Service (ACS) URL and the Issuer URL. Paste them into the corresponding fields in your IdP.
Fill out the remaining fields in your IdP
Admins can choose to map attributes that send user information to atSpoke, which atSpoke uses when provisioning users. As a best practice, map these attributes in addition to Name ID (Email Address).
Connect your IdP to atSpoke
Now that you’ve configured your IdP, atSpoke Admins need to connect the IdP to atSpoke.
- Navigate to Settings
- Select the Integrations Menu
- Find the SAML tile and choose Connect
Copy the following fields from your IdP setup page into the atSpoke Settings/SAML Page. Your IdP may name these fields differently. We’ve compiled some additional naming examples below.
- Sign on URL: SSO URL, SAML 2.0 URL, SAML 2.0 endpoint, IdP login URL.
- Issuer: Issuer URL, Identity Provider, Identity Provider Entity ID, IdP Metadata URL.
- Public certificate: X.509 certificate, certificate.
- Upload a CSV of users into atSpoke after you've turned on SAML. This helps provide a frictionless experience as users log in the first time. For more information on our CSV import, click here.
- atSpoke offers "just-in-time" provisioning. If a user logs into atSpoke for the first time using SSO and that email address does not already exist in atSpoke, an account will automatically be created.
- Please ensure that the email addresses in the IdP are the ones your users will use to log into atSpoke.
If you are having issues connecting your IdP with atSpoke, check the fields to make sure that they are filled out correctly. If there is an issue, atSpoke will tell you which field is incorrect or empty with red text beneath the field.