Integrate with SSO

If your organization uses single sign-on (SSO) such as Okta or OneLogin, you can add Sqreen to the SSO applications available for your employees to access.

Supported

  • any generic SAML SSO providers including G Suite, Okta, OneLogin
  • Azure AD, if it is configured to use SAML

Not Supported

  • using a metadata file to configure SAML
  • Azure AD with OpenID


  1. From the Sqreen Dashboard, navigate to Account > Integrations and scroll to the Single Sign-On section. If you do not see a Single Sign-On section, then this feature has not been enabled for your plan. Contact Sqreen Support to enable it.
  2. Log in to your SSO provider, then use the values and logo image files Sqreen provides in the Single Sign-On section to configure a SAML integration with your SSO provider. You can integrate Sqreen with any generic SAML SSO provider, though specific details for integrating with G Suite, OneLogin, and Okta follow.

    For G Suite:

    1. Follow the steps in the G Suite Admin Help to "Set up your own custom SAML application".
    2. Add a new mapping named "email", then map it to the user's "Primary Email".

    For OneLogin:

    1. Follow the steps in the OneLogin documentation to "Setup SSO with OneLogin (SAML)".
    2. In the "Parameters" section, set the following parameters:
      • Field name: email
      • Tick "Include in SAML assertion"
      • Value: email
    3. To verify that the configuration is correct, check that the OneLogin and Sqreen certificate thumbprint values match.
      • OneLogin: In the "SSO" tab, click "View Details" and check the value in the "Fingerprint" field.
      • Sqreen: In the Integrations Single Sign-On section, check the value in the "Thumbprint" field.

    For Okta:

    1. Follow the steps in the Okta documentation to "Create a SAML integration using AIW".
    2. Be sure to add the following attribute to the "Attribute Statements (Optional)" section:
      • Name: email
      • Format: Unspecified
      • Value: ${user.email}
    3. In the "Configure Feedback" section, select "I'm an Okta customer adding an internal app".


  3. In the Single Sign-On section in Sqreen, input the value for "SSO URL" or "SAML 2.0 Endpoint (HTTP)" that your SSO provider gave you when you set up the integration.
  4. Upload the certificate that your SSO provider gave you when you set up the integration, then save to complete the integration.
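Two parts of the procedure above are easy to get subtly wrong and are only checked by eye: that the certificate you upload is the one whose fingerprint the identity provider shows (step 3 of the OneLogin instructions), and that the provider actually emits an attribute named "email" (every provider section adds one). The following script is an added example, not Sqreen's or any provider's code, that automates both checks on local inputs. It assumes the "Thumbprint" and "Fingerprint" fields are the SHA-1 digest of the DER-encoded certificate shown as colon-separated hex (the common convention; confirm against the dashboard), and the certificate and SAML response embedded in it are constructed placeholders, not real material. It does not validate the assertion signature, so use it only on a test assertion you captured from your own provider.

```python
"""Sanity checks for a SAML IdP -> Sqreen configuration (added example).

  1. fingerprint(): recompute the certificate fingerprint so it can be compared
     with the value the IdP and the SP each display.
  2. assertion_email(): confirm a captured test assertion carries an attribute
     named "email" with a value, i.e. the attribute mapping was saved.
Signature verification is out of scope; run this on your own test assertion only.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and all whitespace and return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(pem: str, algo: str = "sha1") -> str:
    """Fingerprint as colon-separated upper-case hex (assumed SHA-1, the OneLogin style)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def thumbprints_match(pem: str, shown: str) -> bool:
    """Compare ignoring separators and case, so values pasted from either UI compare cleanly."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(fingerprint(pem)) == norm(shown)


def assertion_email(saml_xml: str) -> Optional[str]:
    """Return the value of the 'email' attribute in a SAML Response/Assertion, or None."""
    root = ET.fromstring(saml_xml)
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") == "email":
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


# Constructed placeholders: not a real certificate and not a real IdP response.
FAKE_DER = b"constructed placeholder bytes, not an X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_PEM))
    print("matches pasted value:", thumbprints_match(SAMPLE_PEM, fingerprint(SAMPLE_PEM).lower()))
    print("email attribute:", assertion_email(SAMPLE_RESPONSE))
```

Replace `SAMPLE_PEM` with the certificate file your provider gave you and `SAMPLE_RESPONSE` with a response captured from a test login; a `None` result from `assertion_email` means the user will reach Sqreen without the address it needs to link or create the account.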

Troubleshoot

  • If you do not see a Single Sign-On section in the Integrations in your Account, then this feature has not been enabled for your plan. Contact Sqreen Support to enable it.

  • If a Sqreen user already exists and is assigned to a different organization, SSO login for a user with the same email address will fail. Where an SSO user has the same email as a Sqreen user in the same organization, these users are linked together and able to log in either using SSO or their password.

  • When your Sqreen plan provides access to Role-based Access Control (RBAC), a new user defaults to the "team member" role.

  • When logging in for the first time, OneLogin creates a new user account and automatically links it with your Sqreen organization. Users provisioned this way cannot enable password-based login to Sqreen. However, users that existed before logging in via SSO (in the same team) retain their ability to log in with passwords, as well as to reset their passwords.

  • OneLogin does not automatically delete Sqreen team members when their corresponding users are deactivated in OneLogin. If you remove users from OneLogin, you must manually delete them from your Sqreen organization's team page.

  • When logging in for the first time, Okta creates a new user account and automatically links it with your Sqreen organization. Users provisioned this way cannot enable password-based login to Sqreen. However, users that existed before logging in via SSO (in the same team) retain their ability to log in with passwords, as well as to reset their passwords.

  • Okta does not automatically delete Sqreen team members when their corresponding users are deactivated in Okta. If you remove users from Okta, you must manually delete them from your Sqreen organization's team page.