SAML single sign on
Spoke is excited to offer SAML-based Single Sign on (SSO) to organizations on our Plus plans! To enable this you will need to be a Spoke admin. If you are also a company IdP admin, we can get started! If not, you will need to coordinate with whoever manages your identity provider (IdP).Several providers have pre-built SAML integrations with Spoke. Please see Okta and OneLogin and Gsuite specific help articles.
Before you begin
- After SAML is enabled, all non-admin members in Spoke must log in with SAML. Admins who have not setup a password will be prompted to with a banner in the web app. Admins can still log in with a password as needed.
- Because the SSO setup will log out all users and admins, it’s best to setup SAML when there are few users logged in. Whether it be before launch, or out of business hours.
- Only Spoke Admins have the superpowers to enable SAML for the organization.
- Spoke offers just in time provisioning. This means that if a user logs into Spoke for the first time using SSO, an account will automatically be created.
Configure your IdP
Begin by logging into Spoke and navigating to "Settings" > "SAML." You will find two pieces of information that are unique to your organization. Look for the the Assertion Customer Service (ACS) URL and the Issuer URL. Paste the information into the corresponding fields in your IdP.
Fill out the remaining fields in your IdP
Admins can choose to map attributes that will send user information to Spoke. This allows Spoke to get user information for provisioning users. Best practices recommend that these attributes are mapped in addition to Name ID (Email Address).
Connect your IdP to Spoke
Now that you’ve configured your IdP, Spoke Admins need to connect the IdP to Spoke. Copy the following fields from your IdP setup page into the Spoke Settings/SAML Page. Your IdP may name these fields differently. We’ve compiled some additional naming examples below.
- Sign on URL: SSO URL, SAML 2.0 URL, SAML 2.0 endpoint, IdP login URL.
- Issuer: Issuer URL, Identity Provider, Identity Provider Entity ID, IdP Metadata URL.
- Public certificate: X.509 certificate, certificate.
- Invite users upfront. While this seems redundant, we find that it's best if you invite all the users before turning on SAML.
- Spoke offers "Just in time" provisioning. If a user logs into Spoke for the first time using SSO, an account will automatically be created. (If that email address does not already exist in Spoke)
- Please insure that the email addresses in the IDP are what your users will be using to log into Spoke.
If you are having issues connecting your IdP with Spoke, check the fields to make sure that they are filled out correctly. If there is an issue, Spoke will tell you which field is incorrect or empty with red text beneath the field.