Employee Advocacy SSO
Employee Advocacy offers SAML 2.0 Single Sign-on (SSO) support across web and mobile. SSO enables your employees to use a single set of managed login credentials (e.g., name and password) to access multiple applications.
Note: If you have self-hosted ADFS on a Windows server, use this article to complete the setup process.
Issues logging in after the change from Bambu to Employee Advocacy?
If you have a custom SSO configuration and can't log in, the redirects Sprout enabled might not work. If you're experiencing issues, reach out to your IT team to update to the new URLs listed here. If you're still unable to log in, contact Sprout's Support team.
If you're using the Azure AD integration the Sign in with SSO button may not work. Navigate to your Azure app listing and click Bambu to sign in. If you're still unable to log in, contact Sprout's Support team.
This article contains the following sections:
Benefits of SSO
The main benefit of implementing SSO is account security. If an employee’s permissions, access or employment status changes, your network administrator can easily disable all accounts that are associated with that user with minimal effort. Additionally, SSO creates a more seamless user login experience because it eliminates the need for employees to remember or keep track of several passwords.
Collaborate with your IT/Security teams to set up SSO for Employee Advocacy. Here is some technical information your IT team may need to get the process started. URLs MUST be entered exactly as shown without any trailing slashes:
- Employee Advocacy supports IdP and SP initiated SSO via SAML 2.0.
- Employee Advocacy's AuthnRequests have an Issuer value/Entity ID of https://id.sproutsocial.com
- Employee Advocacy's Assertion Consumer Service URL is https://api.advocacy.sproutsocial.com/saml/consume
- Employee Advocacy requires that IdPs use emailAddress as their Response's Subject's NameIDPolicy.
- When Employee Advocacy initiates SSO, users are referred from URLs on https://advocacy.sproutsocial.com (e.g. https://advocacy.sproutsocial.com/login, https://advocacy.sproutsocial.com/stories, etc).
Employee Advocacy can use HTTP Redirect or HTTP POST bindings. However, the Employee Advocacy mobile app only supports HTTP POST using webviews, which may be blocked by an IdP.
Sprout recommends that you create an Admin account in Employee Advocacy for an IT team member to set up SSO.
Then your IT team member should:
- Log into Employee Advocacy.
- Navigate to Company Settings.
- Click the Single Sign On tab.
- Click Choose File in the SAML Upload box.
- Upload the appropriate XML file.
- Make updates to the URL and Issuer if need be.
- (Optional) You can toggle to allow Advocacy Managed Passwords on or off if you still want users to log in with their Employee Advocacy password.
- Click Save SSO Settings.
Supported SSO providers
Single Sign-on for Employee Advocacy is directly supported by the following IdPs:
- Azure AD
Employee Advocacy supports SAML (Security Assertion Markup Language) 2.0 for SSO, so even if your IdP isn’t listed, you should still be compatible as long as your IdP supports SAML 2.0.
If you happen to use Okta, Azure or OneLogin as your SSO provider, Employee Advocacy has apps for these IdPs that you may find helpful in your setup:
Does Employee Advocacy support SAML?
Yes. Employee Advocacy supports SAML 2.0, an XML-based industry standard for communicating identities over the Internet.
Does Employee Advocacy integrate with any identity providers (IDPs)?
Yes, Employee Advocacy integrates with any IdP which supports SAML2.0. Examples include Okta, OneLogin and Auth0.
Does Employee Advocacy support user provisioning?
Employee Advocacy supports just-in-time (JIT) provisioning for user accounts. If you're configured for SSO, a user account gets automatically generated for any user that successfully accesses Employee Advocacy where a user account was not already available. This user account is created with Reader permissions. Any role permissions upgrades must be managed by your Employee Advocacy Admin.
Can a user log in to Employee Advocacy on their mobile device?
What if someone loses their SSO password when Allow Employee Advocacy Managed Passwords is disabled?
You can recover passwords through the IdP. Employee Advocacy doesn't store any user passwords and relies exclusively on your IdP for authentication.
Can we use SSO and passwords at the same time?
Yes, you can configure your account as "SSO only" or "SSO + Password".
Does SSO support different domain email addresses? (Eg: email@example.com and firstname.lastname@example.org)
Yes, contact your Sprout CSM and let them know that you need to enable multiple domain emails.
Can my agency still log in to my account if we’ve enabled SSO?
Because the agency doesn't have access to your company's SSO, they can't log in if SSO is forced. You can turn on Allow Employee Advocacy Managed Passwords to ensure the agency can still log in with their email and password.
What happens if a user changes their name in Employee Advocacy?
Name changes in Employee Advocacy only appear in Employee Advocacy. The user still needs to log in per your settings, either SSO or password.
What happens if an Employee Advocacy user's name or email address is changed by the IdP?
No changes occur to the user in Employee Advocacy if their name is changed by the IdP. If the user’s email address is changed, a new user gets created assuming Just-in-time (JIT) provisioning is enabled. If JIT is not enabled, that user can't login.
What is Employee Advocacy's SSO login timeout?
What if I need to disable just-in-time (JIT) provisioning?
Contact your Sprout representative for assistance.
What if I need to adjust binding behavior?
Contact your Sprout representative for assistance.