Answered

Better SSO

  • August 2, 2023
  • 1 reply
  • 1805 views

Curious if anyone’s had good luck with a better SSO implementation & Intercom?

Best answer by Racheal

Hey @Emil A

You can definitely integrate with an identity provider and log in with SAML SSO!

To enable SAML SSO:

1. Go to Settings > Security and select "Require SAML SSO" as the authentication method.


The SAML name for your workspace is located in a grayed out box, like you see below 👇


2. Include the SAML name listed in the grayed out box for your workspace to configure SAML SSO with your identity provider in the following places:

  • Single Sign-On URL
  • Recipient URL
  • Audience restriction/Entity ID

NameID

  • Email address

Signed Assertions

  • Yes

Mapped Attributes

  • firstName (User's first name)
  • lastName (User's last name)

Encryption

  • AES256_CBC with this certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Additionally you will need to add the following information in Intercom from your identity provider:

  • Identity provider Single Sign-On URL — This is the URL used to start the login process.
  • Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.

3. Specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under "Allowed Domains", then click the "Add domain" button to submit.


4. Verify that you own the domain by adding a TXT record in your DNS settings with the values shown below. After adding the TXT record in your DNS settings, click "Verify DNS record".


Note: If you do not have access to your DNS provider, you may need help from someone on your team.

Tip: If you have just created the DNS record it may still be propagating, in this case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”


5. Once the DNS record is verified you'll receive a success message and the domain will appear like you see below 👇


For a more detailed set of instructions take a look at the Article I've attached here!
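The settings the answer lists (signed assertions, an email-format NameID, the workspace's SAML name used as Audience/Entity ID and in the Recipient URL, firstName/lastName attributes, and a verified allow-list of domains) are exactly what the service-provider side has to enforce when it consumes a SAML Response. The Python below is an added example of those checks; it is not Intercom's code and does not come from this thread. The SAML name "acme-workspace", the ACS URL path, the domain example.com, the timestamps and the sample Response are all constructed for illustration. Cryptographic verification of the assertion signature against the identity provider's X.509 certificate is left to an XML-DSig library; the example only rejects an assertion that carries no signature at all.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical workspace values; the real SAML name, Recipient (ACS) URL and
# verified domains are whatever your own Settings > Security page shows.
SAML_NAME = "acme-workspace"
ACS_URL = "https://sp.example.test/saml/" + SAML_NAME + "/consume"
ALLOWED_DOMAINS = {"example.com"}
SAMPLE_TIME = datetime(2023, 8, 15, 10, 1, tzinfo=timezone.utc)  # "now" for the sample

# Constructed sample Response as an IdP would POST it to the ACS URL; the
# ds:Signature content is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2023-08-15T10:00:00Z" Destination="https://sp.example.test/saml/acme-workspace/consume">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-08-15T10:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>ZmFrZQ==</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-08-15T10:05:00Z" Recipient="https://sp.example.test/saml/acme-workspace/consume"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-08-15T09:59:00Z" NotOnOrAfter="2023-08-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>acme-workspace</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_ts(value):
    """Parse the UTC timestamps SAML uses, e.g. '2023-08-15T10:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def email_domain_allowed(email, allowed_domains):
    """Exact, case-insensitive match on the part after the single '@'; suffix or
    substring matching would admit alice@example.com.evil.net."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    return domain in {d.lower() for d in allowed_domains}

def check_response(xml_text, sp_entity_id, acs_url, allowed_domains, now):
    """Return (ok, problems, profile), mirroring the answer's settings: signed assertion,
    Audience == Entity ID, Recipient == ACS URL, emailAddress NameID from a verified
    domain, firstName/lastName attributes. Signature bytes are NOT verified here."""
    problems = []
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # a second, unsigned assertion is the classic wrapping trick
        return False, ["expected exactly one Assertion"], {}
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    # Audience must name this SP (the workspace's SAML name used as Entity ID).
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("audience %r does not include %r" % (audiences, sp_entity_id))
    cond = a.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    # Bearer confirmation must be addressed to our ACS (Recipient) URL, compared exactly.
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient %r != %r" % (scd.get("Recipient"), acs_url))
        if scd.get("NotOnOrAfter") and now >= parse_ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    # NameID must be an email address whose domain was verified via the DNS TXT record.
    name_id = a.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    elif not email_domain_allowed(email, allowed_domains):
        problems.append("%r is not in an allowed domain" % email)
    attrs = {at.get("Name"): (at.findtext("saml:AttributeValue", "", NS) or "").strip()
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("firstName", "lastName"):
        if not attrs.get(required):
            problems.append("missing attribute " + required)
    profile = {"email": email, "firstName": attrs.get("firstName"), "lastName": attrs.get("lastName")}
    return not problems, problems, profile
```

Calling check_response(SAMPLE_RESPONSE, SAML_NAME, ACS_URL, ALLOWED_DOMAINS, SAMPLE_TIME) returns ok with Alice's profile, while the same Response with every "acme-workspace" replaced by "other-workspace" fails on both Audience and Recipient, which is what stops an assertion minted for one workspace being replayed at another. In production the order matters: verify the signature first with a proper XML-DSig library, then read subject, conditions and attributes only from the element that was actually signed; XML signature wrapping attacks work by placing an unsigned assertion next to the signed one, which is why the example refuses a Response containing more than one Assertion.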


1 reply

Racheal
Intercom Team
  • Customer Support Engineer
  • 512 replies
  • Answer
  • August 15, 2023
