Enable SSO in Your Account
Enabling single sign-on (SSO) for your domain within Help Scout allows Users you manage using an identity provider to easily and securely log in to their accounts. This article is all about SSO and how to set it up in your account.
This feature is available to Pro plans only.
Note: If you use Google Workspace (formerly G Suite) to manage your users, you'll want to head over to Google Workspace Integration for Google Single Sign-on (SSO) for the steps to set that up.
In this article
What is SSO?
Single sign-on (or SSO) is a way to manage your organization's users, allowing them to authenticate and log in to many different applications with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It allows you to manage your users in a single location at your identity provider and prevents potentially losing or forgetting Help Scout login credentials, as those are stored through another service.
Setting up SAML/SSO
To complete the setup in Help Scout, you must already have service with an identity provider (IdP) of your choice.
Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout.
You'll need to be either the Help Scout Account Owner or an Administrator to follow these steps. See User Roles and Permissions for more information there.
Manage > Company > Authentication. Before making any changes on this page, take note of the Post-back URL and the Audience URI at the bottom of the page.
You'll need to add a Help Scout application to your IdP. We have instructions for several of the more popular below, as well as using a generic identity provider. You can check out the instructions for each here:
- Enabling SSO with OneLogin as the Identity Provider
- Enabling SSO with Okta as the Identity Provider
- Enabling SSO with Azure AD as the Identity Provider
- Enabling SSO with a Generic Identity Provider
- After setting up Help Scout as a new application, you will need to enter the endpoint URL that you receive from the IdP in the Single Sign-On URL field in Help Scout.
You will also need to grab the IdP public key so that you can digitally sign authentication assertions, the X.509 certificate. Upload it to Help Scout using the
Upload Certificate button.
The certificate should be in .cer, .cert or .pem format. If it isn't, you will need to convert it first before uploading.
Force SAML Sign-in on if you prefer to have your Users and Administrators only log in to Help Scout through this method. The Account Owner will always be able to log in using a password as well.