Answered

Better SSO

  • 2 August 2023
  • 1 reply
  • 130 views

Curious if anyone’s had good luck with a better SSO implementation & Intercom?


Best answer by Racheal 15 August 2023, 02:02


Hey @Emil A 


You can definitely integrate with an identity provider and log in with SAML SSO!


To enable SAML SSO:

1. Go to Settings > Security and select "Require SAML SSO" as the authentication method.

[screenshot not available]

The SAML name for your workspace is located in a grayed out box, like you see below 👇

[screenshot not available]

2. Include the SAML name listed in the grayed out box for your workspace to configure SAML SSO with your identity provider in the following places:

  • Single Sign-On URL
  • Recipient URL
  • Audience restriction/Entity ID

NameID

  • Email address

Signed Assertions

  • Yes

Mapped Attributes

  • firstName (User's first name)
  • lastName (User's last name)

Encryption

  • AES256_CBC with this certificate:
-----BEGIN CERTIFICATE-----[certificate body omitted]-----END CERTIFICATE-----

Additionally you will need to add the following information in Intercom from your identity provider:

  • Identity provider Single Sign-On URL — This is the URL used to start the login process.
  • Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.

3. Specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under "Allowed Domains", then click the "Add domain" button to submit.

[screenshot not available]

4. Verify that you own the domain by adding a TXT record in your DNS settings with the values shown below. After adding the TXT record in your DNS settings, click "Verify DNS record".


Note: If you do not have access to your DNS provider, you may need help from someone on your team.

Tip: If you have just created the DNS record it may still be propagating, in this case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”

[screenshot not available]

5. Once the DNS record is verified you'll receive a success message and the domain will appear like you see below 👇

[screenshot not available]

For a more detailed set of instructions take a look at the Article I've attached here!

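To make the settings in the answer above concrete (the workspace SAML name as audience/entity ID, NameID as an email address, signed assertions, the firstName/lastName attributes, and the "Allowed Domains" list), here is an added example of the structural checks a service provider applies to an incoming assertion before trusting it. This is illustration code written for this thread, not Intercom's code or its actual validation logic; the entity ID, allowed domain, IdP name and the sample assertion are constructed placeholders, and the example only checks that a signature element is present, it does not verify the signature cryptographically (a real SP does that with an XML-DSig library against the IdP's X.509 certificate).

```python
"""Structural checks on a SAML 2.0 assertion, matching the settings listed
in the answer above. Added example, not Intercom's code. Everything below
(entity ID, domains, IdP, assertion) is a constructed placeholder."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholders: the workspace SAML name shown in the grayed out
# box, and the domains entered under "Allowed Domains".
SP_ENTITY_ID = "https://sso.example.test/workspace-placeholder"
ALLOWED_DOMAINS = {"example.com"}

# Constructed sample assertion; the ds:Signature element is a stub, there is
# no real signature to verify here.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1" Version="2.0" IssueInstant="2023-08-15T02:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-08-15T01:59:00Z" NotOnOrAfter="2023-08-15T02:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed "current time" that falls inside the sample validity window.
SAMPLE_NOW = datetime(2023, 8, 15, 2, 1, tzinfo=timezone.utc)


def _iso(ts):
    """Parse a SAML timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_assertion(xml_text, entity_id, allowed_domains, now):
    """Return a list of problems; an empty list means every structural check
    passed. Signature presence is checked, signature validity is NOT."""
    problems = []
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{NS['saml']}}}Assertion":
        return ["not an Assertion element"]

    # Signed Assertions: Yes. Only presence is checked here.
    if a.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    # NameID must be an email address whose domain is on the allow list.
    name_id = a.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in value:
        problems.append("NameID is not an email address")
    else:
        domain = value.rsplit("@", 1)[1].lower()
        if domain not in allowed_domains:
            problems.append(f"domain not allowed: {domain}")

    # Validity window and audience restriction (the workspace SAML name).
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _iso(nb)) or (noa and now >= _iso(noa)):
            problems.append("assertion outside validity window")
        audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if entity_id not in audiences:
            problems.append("audience does not match workspace SAML name")

    # Mapped Attributes: firstName and lastName must both be present.
    attrs = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for required in ("firstName", "lastName"):
        if required not in attrs:
            problems.append(f"missing attribute: {required}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, ALLOWED_DOMAINS, SAMPLE_NOW) or "ok")
```

Running it against the constructed assertion reports "ok"; changing the audience, moving the clock past NotOnOrAfter, or using an email domain that is not in the allow list each produces a specific problem string, which is the same set of conditions the settings in the answer (entity ID, allowed domains, signed assertions, mapped attributes) exist to enforce.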