Enable SSO with Okta as the Identity Provider
Enabling single sign-on (SSO) for your domain within Help Scout allows your Users to easily and securely log in to their accounts. This article will help you get set up if your IdP is Okta. For more general information on adding and using SSO with Help Scout, check out Enable SSO in Your Account.
In this article
What is SSO?
Single sign-on (or SSO) is a way to authenticate and log in to an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It's a more secure process and prevents potentially losing or forgetting log in credentials since it's stored through another service.
SAML is an open standard for allowing single sign-on between 2 systems: A Service Provider (that's Help Scout) and an Identity Provider (that's the system storing your organization's user database e.g. Okta, OneLogin etc.).
Set up SSO with Okta
This section explains step by step how to configure SAML Single Sign-On between Help Scout and Okta as the Identity Provider.
Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout.
You'll need to be the Account Owner or an Administrator to get this setup for your account.
- Once you've logged in to Help Scout, head to Manage > Company > Authentication.
Do not toggle Enable SAML just yet! Take note of the Post-back URL and the Audience URI at the bottom of the page in your Help Scout account. You will need to copy and paste this information into Okta. You'll come back to this page to Enable SAML before the end.
- Log in to Okta as an administrator and click the Admin button to access the administration. Head to Applications (menu) > Applications (item).
- Click the Add Application button.
- Click the green Create New App button on the top right.
- Choose Web as the Platform and SAML 2.0 as the sign on method, then click Create.
- Enter Help Scout as the name of the new app. Optional: Grab our logos and choose the one you'd like to see in Okta for Help Scout. Choose Browse and Upload Logo to upload your choice. Click Next.
Post-back URL from step 2 in to
Single sign on URL and the
Audience URI from step 2 in to
Audience URI (SP Entity ID) respectively. Do not click Next yet!
Scroll down to the ATTRIBUTE STATEMENTS (OPTIONAL) section on this same page. Add 3 attributes here as shown below, then click Next.
Name Name Format Value given_name Unspecified user.lastName family_name Unspecified user.lastName Unspecified user.email
- For the question Are you a customer or a partner? choose I'm an Okta customer adding an internal app. Scroll to the bottom (skipping the other optional questions) and click Finish.
- Now you need to assign your users to the newly created Help Scout app. Click the Assignments tab where you can choose to add People or Groups.
Sign On tab.
- Click the View Setup Instructions button. A new page will open where you'll find the Identity Provider Single Sign-On URL. Copy that and hold on to it, and then click Download Certificate to save the X.509 Certificate. You will need these to complete step 15.
- Head back to Help Scout, then head to Manage > Company > Authentication . You can now click Enable SAML.
- Paste the URL and upload the certificate that you saved from step 13.
- Toggle Force SAML Sign-in if you want Users to only log in to Help Scout via SSO with Okta. An Account Owner will always be able to log in to Help Scout with their account password to prevent the Account Owner from getting locked out. Click the Save button.
You've now enable single sign-on using Okta! Users who try to log in with an email address for any of the domain(s) set in step 16 will authenticate with Okta. Okta will redirect to Help Scout upon successful authentication.