SAML single sign-on
askSpoke is excited to offer SAML-based Single Sign-On (SSO) to organizations on our Plus plans! To enable this you need to be an askSpoke admin. If you are also a company IdP admin, we can get started! If not, you will need to coordinate with whoever manages your identity provider (IdP). Several providers have pre-built SAML integrations with askSpoke. See the Okta, OneLogin, and G Suite specific help articles.
askSpoke's SAML integration relies on a user-level token. To ensure consistent delivery of SAML services, we recommend using an admin service account such as IT@yourcompany.com.
Before you begin
- After SAML is enabled, all non-admin members in askSpoke must log in with SAML. Admins who have not set up a password will be prompted to do so by a banner in the web app. Admins can still log in with a password as needed.
- Because the SSO setup will log out all users and admins, it’s best to set up SAML when few users are logged in, whether that is before launch or outside business hours.
- Only askSpoke Admins have the superpowers to enable SAML for the organization.
- askSpoke offers just-in-time provisioning. This means that if a user logs into askSpoke for the first time using SSO, an account will automatically be created.
Configure your IdP
Begin by logging into askSpoke, navigating to Settings > Integrations, and looking for the SAML card. You will find two pieces of information that are unique to your organization: the Assertion Consumer Service (ACS) URL and the Issuer URL. Paste them into the corresponding fields in your IdP.
Fill out the remaining fields in your IdP
Admins can choose to map attributes that will send user information to askSpoke. This allows askSpoke to get user information for provisioning users. Best practices recommend that these attributes are mapped in addition to Name ID (Email Address).
Connect your IdP to askSpoke
Now that you’ve configured your IdP, askSpoke Admins need to connect the IdP to askSpoke.
- Navigate to Settings
- Select the Integrations Menu
- Find the SAML tile and choose Connect
Copy the following fields from your IdP setup page into the askSpoke Settings/SAML Page. Your IdP may name these fields differently. We’ve compiled some additional naming examples below.
- Sign on URL: SSO URL, SAML 2.0 URL, SAML 2.0 endpoint, IdP login URL.
- Issuer: Issuer URL, Identity Provider, Identity Provider Entity ID, IdP Metadata URL.
- Public certificate: X.509 certificate, certificate.
- Upload a CSV of users into askSpoke after you've turned on SAML. This helps provide a frictionless experience as users log in the first time. For more information on our CSV import, click here.
- askSpoke offers "just-in-time" provisioning. If a user logs into askSpoke for the first time using SSO and that email address does not already exist in askSpoke, an account will automatically be created.
- Please ensure that the email addresses in the IdP are what your users will be using to log into askSpoke.
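The email check described in the last three points can be run before users first sign in. The script below is an added example, not askSpoke code: it compares a constructed IdP export with a constructed user-import CSV and lists the addresses that would get a new just-in-time account instead of matching an imported user. The column names `NameID` and `email` and all sample addresses are assumptions, and because the page does not say how askSpoke compares letter case, case-only differences are reported separately.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions; change them
# to match the files you actually export from your IdP and import tool.
IDP_CSV = """NameID,displayName
alice@example.com,Alice
bob@example.com,Bob
carol@corp.example.com,Carol
dave@example.com,Dave
"""
IMPORT_CSV = """email,name
alice@example.com,Alice
Bob@example.com,Bob
carol@example.com,Carol
"""

def load_emails(text, column):
    """Return the non-empty, whitespace-trimmed values of one CSV column."""
    values = []
    for row in csv.DictReader(io.StringIO(text)):
        value = (row.get(column) or "").strip()
        if value:
            values.append(value)
    return values

def reconcile(idp_emails, import_emails):
    """Classify every IdP address against the planned user import."""
    exact = set(import_emails)
    folded = {e.casefold(): e for e in import_emails}
    idp_folded = {e.casefold() for e in idp_emails}
    report = {"match": [], "case_only": [], "jit_new": [], "import_only": []}
    for email in idp_emails:
        if email in exact:
            report["match"].append(email)
        elif email.casefold() in folded:
            # Same address apart from letter case: confirm before go-live.
            report["case_only"].append((email, folded[email.casefold()]))
        else:
            # No imported user: first SSO login would create a new account.
            report["jit_new"].append(email)
    # Imported users that no IdP identity can ever sign in as.
    report["import_only"] = [e for e in import_emails
                             if e.casefold() not in idp_folded]
    return report

if __name__ == "__main__":
    result = reconcile(load_emails(IDP_CSV, "NameID"),
                       load_emails(IMPORT_CSV, "email"))
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```

A `jit_new` address paired with a similar `import_only` address (here the two entries for Carol) usually means the IdP sends a different email than the one in the import file.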
If you are having issues connecting your IdP with askSpoke, check the fields to make sure that they are filled out correctly. If there is an issue, askSpoke will tell you which field is incorrect or empty with red text beneath the field.