Single sign-on with SAML 2.0
SSO with Leanplum
With single sign-on (SSO), you can log in to Leanplum quickly and securely using your company's credentials and third-party identification providers that support SAML 2.0 protocol (like Okta, Google Suite, etc.).
Available upon request
If you have not used Single Sign-On yet, the feature is most probably hidden in your account. Please ask your Customer Success Manager for access and the Leanplum team will enable it for you.
Overview
Authentication
With Single Sign-on, your entire authentication will be based on your own identity provider of choice. This means that as long as the identity provider supports it, you can achieve:
- Password strength requirements
- Password management flows (i.e. changing password every month)
- Two-Factor Authentication (2FA)
- Custom session expiration period
Authorization
Even with Single Sign-on, managing user roles and access levels will happen within Leanplum. You would still invite users explicitly to your Leanplum environment, and manage their roles in Leanplum.
Set up Login with SSO
You can configure your company login settings in Leanplum's Account & Team settings.
Microsoft Azure
If you decide to upload the metadata downloaded directly from your Microsoft Azure dashboard, make sure that the SSL certificate is correctly base64 encoded. If the certificate is not properly encoded it will be impossible to save the SSO configuration.
Admins only 🔓
Only users with Admin-level permissions in your main team in Leanplum can update your SSO settings.
- Name your SSO configuration — choose a name that means something to your team, such as "X Team Okta."
- Copy the service provider details Leanplum generates for you to your Identity Provider configuration. If you are asked to configure the username format in your Identity Provider, select Email.
- Download your Identity Provider metadata and upload it in Leanplum. As an alternative, copy and paste the required values one by one.
- Test your configuration to verify it works to complete the setup.
- Save Changes to apply the new configuration and allow users to start using it immediately.
Log in using your business login
To log in with your third-party credentials, select Business login on the Leanplum login page.
Once SSO is set up, you can also log in by selecting Leanplum through your provider's website (if the provider supports this).
Only users you've added to Leanplum will be able to log in.
Only users explicitly added to a Leanplum Team and assigned a role will be able to use your business login, even if you configure Leanplum access in your login provider for all users in your company.
Session expiration and logout
Once a user logs in, we keep the session open for 24 hours unless the Identity Provider has set another expiration time explicitly.
If the Identity Provider enforces shorter (or longer) session expiration, which happens automatically through the SAML protocol, the new value will be consumed by Leanplum and set as a part of the Single Sign-On configuration in the background.
Setting Authentication Mode
Leanplum supports three authentication modes:
- Leanplum Login only - this is the default mode. If you don't configure any Single Sign-On (SSO) - each user needs to have a Leanplum login email and password. After inviting a new user - he/she will be asked to set a password. To switch to this mode just remove your SSO configuration.
- SSO and Leanplum Login - SSO is optional, users can either login with their existing Leanplum credentials, or go to Business Login and login with your company credentials.
- SSO login only - Leanplum login is forbidden, so the authentication is managed only in your identity provider system. Users excluded from your identity provider automatically lose access to Leanplum.
In order to switch between those modes, go to your Team setup page, and click on Team Settings:
If you have configured Single Sign-On you will have two options to select:
SSO login only - Warning
Before switching to the SSO-only authentication mode, please make sure you and all users have valid login credentials through your identity provider. If you are working closely with a Leanplum Customer Success Manager - think about adding him/her to your identity provider, or adding there a generic Leanplum address like [email protected] for Customer Success and Technical Support.
Updated about 3 years ago