Enabling SSO with OneLogin as the Identity Provider
Enabling single sign-on (SSO) for your domain within Help Scout allows your Users to easily and securely log in to their accounts. This article will help you get set up if your IdP is OneLogin. For more general information on using SSO with Help Scout, check out Enabling SSO in Your Account.
What is SSO?
Single sign-on (or SSO) is a way to authenticate and log in to an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It's a more secure process, and because the credentials are stored through another service, it helps prevent losing or forgetting them.
SAML is an open standard for allowing single sign-on between two systems: a Service Provider (that's Help Scout) and an Identity Provider (that's the system storing your organization's user database, e.g. Okta, OneLogin, etc.).
Setting up SSO With OneLogin
This section explains step by step how to configure SAML Single Sign-On between Help Scout and OneLogin as the Identity Provider.
Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout.
You'll need to be the Account Owner or an Administrator to get this set up for your account.
- Log in to Help Scout, then navigate to Manage → Company → Authentication.
- Before making any changes on this page, take note of the Post-back URL and the Audience URI at the bottom of the page.
- Log in to OneLogin as an administrator, go to Apps → Add Apps.
- Type "saml" into the search box of the Find Applications page. From the filtered list pick SAML Test Connector (IdP w/attr).
- Enter "Help Scout" as the Display Name of the new app, keeping Visible in portal toggled on. If you'd like to upload a Help Scout logo, click on the Rectangular icon and Square icon and select the images you want to use. You can take these from our logos file. Click the Save button.
- Go to the Configuration tab and paste the Post-back URL from step 3 twice, into the ACS (Consumer) URL and Recipient fields, and the Audience URI from step 3 into the Audience field. Paste the regular expression listed below into the ACS (Consumer) URL Validator.
- Click Save to store the app settings.
- Head over to the Parameters tab and select Add parameter. Type in email as the name in the popup and check Include in SAML assertion. Once saved, the new parameter will have no value, so you'll need to click on - No default - in the value column, and within the next popup, select Email as the value from the dropdown.
- The app is now created, but none of your users can access it. You can assign them to the app either individually via Users menu → All Users or, depending on how you manage your user base, as part of roles (Users → Roles) and groups (Users → Groups).
- Navigate back to the Help Scout app and select the SSO tab. Copy the SAML 2.0 Endpoint (HTTP) and click View details for the X.509 Certificate. This opens a new page where you can click the Download button to download the onelogin.pem file. You will need both the SAML 2.0 Endpoint (HTTP) and the X.509 Certificate in step 15.
- Log out from OneLogin (you will want to test with a non-admin user in a moment).
- Head back to Help Scout Manage → Company → Authentication. You will now be able to click "Enable SAML".
- On the form that you are presented with, use the details from step 10 - paste the URL and upload the certificate.
- Toggle Force SAML Sign-in if you would like your Users to only log in to Help Scout via SSO with OneLogin. Even if this is selected, an Account Owner will always be able to log in to Help Scout with their account password (this is to prevent the Account Owner from getting locked out). Don't forget to click the Save button.
Single Sign-On will now be enabled for your account. Users need to log in via the identity provider prior to logging in to Help Scout.
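
The ACS (Consumer) URL Validator from the Configuration step restricts where OneLogin will send the SAML response, so it is worth checking that the pattern you paste accepts your Post-back URL and nothing that merely resembles it. The script below is an added example, not Help Scout or OneLogin code: the Post-back URL and both patterns are constructed placeholders, and it assumes unanchored "search" matching in Python's `re`, which may differ from OneLogin's regex engine.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder, not a real Help Scout Post-back URL.
POST_BACK_URL = "https://sso.helpdesk.example/saml/acs/1234"

# Two hypothetical validator patterns for comparison.
LOOSE = POST_BACK_URL                           # unescaped and unanchored
STRICT = "^" + re.escape(POST_BACK_URL) + "$"   # literal dots, anchored both ends


def lookalike_urls(post_back_url):
    """Return URLs that resemble the Post-back URL but must be rejected."""
    host = urlsplit(post_back_url).netloc
    return [
        post_back_url + ".example.net",                    # text after the URL
        post_back_url + "/extra",                          # longer path
        "https://example.net/?next=" + post_back_url,      # URL embedded in another
        post_back_url.replace("https://", "http://", 1),   # plain HTTP
        post_back_url.replace(host, host.replace(".", "x", 1), 1),  # '.' as wildcard
    ]


def audit_acs_validator(pattern, post_back_url):
    """Return (accepts_real_url, wrongly_accepted_lookalikes) for a pattern."""
    rx = re.compile(pattern)
    accepts_real = rx.search(post_back_url) is not None
    wrongly_accepted = [u for u in lookalike_urls(post_back_url) if rx.search(u)]
    return accepts_real, wrongly_accepted


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        ok, bad = audit_acs_validator(pattern, POST_BACK_URL)
        print(f"{name}: accepts real URL={ok}, wrongly accepted={len(bad)}")
        for url in bad:
            print("   ", url)
```

To check your own settings, pass the pattern you were given and the Post-back URL from the Authentication page to `audit_acs_validator`; an empty second value means none of the look-alike URLs matched.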