SAML single sign-on
Spoke is excited to offer SAML-based single sign-on (SSO) to organizations on our Plus plans! To enable this, you need to be a Spoke admin. If you are also your company's IdP admin, we can get started! If not, you will need to coordinate with whoever manages your identity provider (IdP). Several providers have pre-built SAML integrations with Spoke. Please see the help articles specific to Okta, OneLogin, and G Suite.
Spoke's SAML integration relies on a user-level token. To ensure consistent delivery of SAML services, we recommend using an admin service account such as IT@yourcompany.com.
Before you begin
- After SAML is enabled, all non-admin members in Spoke must log in with SAML. Admins who have not set up a password will be prompted to do so by a banner in the web app. Admins can still log in with a password as needed.
- Because the SSO setup will log out all users and admins, it's best to set up SAML when few users are logged in, such as before launch or outside business hours.
- Only Spoke Admins have the superpowers to enable SAML for the organization.
- Spoke offers just-in-time provisioning. This means that if a user logs into Spoke for the first time using SSO, an account will automatically be created.
Configure your IdP
Begin by logging into Spoke, navigating to Settings > Integrations, and looking for the SAML card. You will find two pieces of information that are unique to your organization: the Assertion Consumer Service (ACS) URL and the Issuer URL. Paste them into the corresponding fields in your IdP.
Fill out the remaining fields in your IdP
Admins can choose to map attributes that send user information to Spoke, which Spoke uses for provisioning users. As a best practice, map these attributes in addition to Name ID (Email Address).
Connect your IdP to Spoke
Now that you’ve configured your IdP, Spoke Admins need to connect the IdP to Spoke.
- Navigate to Settings
- Select the Integrations Menu
- Find the SAML tile and choose Connect
Copy the following fields from your IdP setup page into the Spoke Settings/SAML Page. Your IdP may name these fields differently. We’ve compiled some additional naming examples below.
- Sign on URL: SSO URL, SAML 2.0 URL, SAML 2.0 endpoint, IdP login URL.
- Issuer: Issuer URL, Identity Provider, Identity Provider Entity ID, IdP Metadata URL.
- Public certificate: X.509 certificate, certificate.
- Upload a CSV of users into Spoke after you've turned on SAML. This helps provide a frictionless experience as users log in the first time. For more information, see the help article on our CSV import.
- Spoke offers just-in-time provisioning. If a user logs into Spoke for the first time using SSO, an account will automatically be created if that email address does not already exist in Spoke.
- Please ensure that the email addresses in the IdP are the ones your users will use to log into Spoke.
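A pre-flight check for the CSV upload and just-in-time provisioning notes above, as an added example that is not Spoke's own code: it compares the addresses your IdP will send as Name ID against the CSV you plan to import and lists the ones that would not line up. The column names `NameID` and `email`, the export layout, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: column names and rows are assumptions, not Spoke's format.
IDP_EXPORT = """NameID,displayName
ana@example.com,Ana
Ben@example.com,Ben
cho@example.com,Cho
dee@example.com,Dee
"""
IMPORT_CSV = """email,name
ana@example.com,Ana
ben@example.com,Ben
cho@corp.example,Cho
eli@example.com,Eli
"""

def load_emails(csv_text, column):
    """Return the trimmed, non-empty values of one column of a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in CSV header")
    return {row[column].strip() for row in reader if (row[column] or "").strip()}

def reconcile(idp_csv, import_csv, idp_col="NameID", import_col="email"):
    """Bucket addresses by how the IdP identity relates to the import list."""
    idp, imp = load_emails(idp_csv, idp_col), load_emails(import_csv, import_col)
    only_idp, only_imp = idp - imp, imp - idp
    # Same address apart from letter case: fix the source rather than rely on a match.
    lower_imp = {e.lower(): e for e in only_imp}
    case_only = sorted((e, lower_imp[e.lower()]) for e in only_idp if e.lower() in lower_imp)
    paired = {e for pair in case_only for e in pair}
    only_idp, only_imp = only_idp - paired, only_imp - paired
    # Same local part under a different domain: a hint that one person has an alias.
    local_imp = {}
    for e in only_imp:
        local_imp.setdefault(e.lower().split("@")[0], []).append(e)
    alias = sorted((e, a) for e in only_idp for a in local_imp.get(e.lower().split("@")[0], []))
    return {
        "matched": sorted(idp & imp),
        "case_only": case_only,
        "likely_alias": alias,
        "only_in_idp": sorted(only_idp),     # first SSO login creates a new account
        "only_in_import": sorted(only_imp),  # imported, but no identical IdP identity
    }

if __name__ == "__main__":
    for bucket, entries in reconcile(IDP_EXPORT, IMPORT_CSV).items():
        print(bucket, entries)
```

Addresses reported under `likely_alias` also appear in `only_in_idp` and `only_in_import`, because the alias pairing is only a hint and the addresses still differ.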
If you are having issues connecting your IdP with Spoke, check the fields to make sure that they are filled out correctly. If there is an issue, Spoke will tell you which field is incorrect or empty with red text beneath the field.