Enable SSO with Azure AD as the Identity Provider

Enabling single sign-on (SSO) for your domain within Help Scout allows your Users to easily and securely log in to their accounts. This article will help you get set up if your IdP is Azure AD. For more general information on adding and using SSO with Help Scout, check out Enabling SSO in Your Account.

This feature is available to Pro plans only.

What is SSO?

Single sign-on (or SSO) is a way to authenticate and log in to an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It's a more secure process and prevents potentially losing or forgetting login credentials since it's stored through another service.

SAML is an open standard for allowing single sign-on between 2 systems: A Service Provider (that's Help Scout) and an Identity Provider (that's the system storing your organization's user database e.g. Okta, OneLogin, Azure AD etc.).

Set up SSO With Azure AD

Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout. IdP provisioning is supported, and the IdP settings should ensure the Help Scout application is only available to the users who require a Help Scout account.

You'll need to be the Account Owner or an Administrator to get this setup for your account.


Log in to Help Scout and navigate to Manage > Company > Authentication.


Before making any changes on this page, take note of the Post-back URL and the Audience URI at the bottom of the page.


Log in to Azure as an administrator, then click Azure Active Directory from the menu on the left-hand side.


Click Enterprise applications under Manage on the left.


Click + New Application from the main section of the screen.


Select All from the list of categories on the left-hand side to open the Add an application screen. Enter Help Scout in to the search field in the Add from the gallery section.


Select Help Scout from the list of found apps. Click Add to launch the app creation wizard.


Select Configure single sign-on from the Quick start screen.


Select SAML-based Sign-on from the Single Sign-On Mode dropdown menu, then paste the Audience URI from Step 3 in to the Identifier field and the Post-back URL in to the Reply URL field. Lastly, select user.mail from the User Identifier menu.


In the User Attributes section, you can optionally add a first name and last name attribute. Select Add a new claim to open the Manage user claims dialog. In the Name section of the menu, type firstName. Leave Namespace blank, select Attribute, and pick the correct Source attribute. For the surname, repeat the same process, and set the attribute Name as lastName.


Ensure that you have an active certificate by clicking Create new certificate and/or ticking Make new certificate active if necessary. Enter a notification email for the certificate expiry reminders and click Save at the top on the screen.


Click Configure Help Scout at the bottom of the screen and then Download Azure AD Signing Certificate (Base64 encoded). The file — Help Scout.cer — will be needed later in Step 16, so remember where you save it.

Note: If at this point the Download Azure AD Signing Certificate (Base64 encoded) link is not available (e.g. showing a message that the certificate has not yet been generated), or it is available but clicking on it does not trigger the file to download, you will have to close the app configuration and reopen it. You can return to this section via Azure Active Directory > Enterprise applications > All applications > Help Scout > Single sign-on. If that doesn't help reload the Azure portal in your browser, refresh your browser by hitting Ctrl/Cmd + R and try downloading the certificate again.


From the Configure sign-on section copy the Azure AD Single Sign-On Service URL. This will also be needed in Step 16.


Next up — grant your teammates access! Just exit the Configure sign-on section from the last step and head over to Users and groups to grant your users access to the Help Scout app.


With that, your app configuration within Azure is now complete! Back in Help Scout, head over to Manage > Company > Authentication, and toggle Enable SAML on.


Upload the certificate from Step 12 via the Upload Certificate button and enter the Service URL that you copied in Step 13 in the Single Sign-On URL field.


Toggle Force SAML Sign-in if you want Users to only log in to Help Scout through this method. If you'd still like to leave the option for them to sign in with their Help Scout credentials, leave it off. The Account Owner will always be able to log in to Help Scout with their account password.


Click Save and you'll be ready to go!

Users must first log in via the identity provider prior to logging in to Help Scout. 

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.