Enable SSO in Your Account
Enabling single sign-on (SSO) for your domain within Help Scout allows your Users to easily and securely log in to their accounts. This article is all about SSO and how to set it up in your account. The SSO feature is available on the Company plan or as an add-on to the Standard or Plus plans.
In this article
What is SSO?
Single sign-on (or SSO) is a way to authenticate and log in to an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It allows for central access management and prevents potentially losing or forgetting Help Scout login credentials since it's stored through another service.
Add the Advanced Security Add-On
Account Owners can add the Advanced Security add-on to Standard and Plus plans. Just head over to Your Plan > Add-ons and click Free Trial next to the Advanced Security option.
Setting up SAML/SSO
Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout.
You'll need to grab either the Account Owner or an Administrator to get this setup for your account.
Manage > Company > Authentication, and toggle the
Enable SAML option to "ON"
You'll need to choose an Identity Provider (if you haven't already) and add Help Scout as a new application. We have instructions for two services that we recommend, as well as using a generic identity provider. You can check out the instructions for each here:
- Enabling SSO with OneLogin as the Identity Provider
- Enabling SSO with Okta as the Identity Provider
- Enabling SSO with Azure AD as the Identity Provider
- Enabling SSO with a Generic Identity Provider
All of the details you need to create a new application with your Identity Provider can be found at the bottom of the Login page:
- After setting up Help Scout as a new application, you will need to enter the Endpoint URL that you receive from the Identity Provider in the Single Sign-On URL field.
You will also need to grab the Identity Provider public key so that you can digitally sign authentication assertions. There should be a place to download the certificate from the Identity Provider. You can then upload it via the
Upload Certificate button.
The certificate should be in .cer, .cert or .pem format. If it isn't, you will need to convert it first before uploading.
Lastly, you can toggle the
Force SAML Sign-in on
if you'd prefer to have your Users and Administrators only log in to Help Scout through this method. If you'd still like to leave the option for them to sign in with their Help Scout credentials, you can leave it toggled off.