How do I configure my Single Sign-on settings?
Self-service Single Sign-on (SSO) allows the Sprout Social Account Owner to assign other users permission to manage SSO and to update and maintain SSO settings without needing to go through Sprout Support.
With self-service SSO, a person with Manage SSO Permissions can:
- Upload your identity provider's SSO metadata file
- Edit SAML settings
- Enable or disable Sprout-managed passwords
- Enable or disable Just-in-Time provisioning
- Set a default Role or Group and Profile permissions for an authenticated SSO user’s account upon their first login
In this article:
- Who can use self-service SSO?
- What do I need to get started?
- Security Assertion Markup Language (SAML) settings
- Just-in-Time (JIT) provisioning
- Set a default Role or Group and Profile
Who can use self-service SSO?
Single Sign-on (SSO) is currently offered to customers with an assigned Customer Success Manager (CSM). If you have SSO enabled, you can start using the self-service feature right away.
If you are a customer with an assigned CSM and would like SSO enabled, please reach out to your CSM.
If you are a customer that would like SSO enabled and do not have an assigned CSM, please reach out to Sprout Social Support for assistance.
What do I need to get started?
These are the requirements you'll need before getting started:
- You must have SSO enabled for Sprout. For more information about using SSO with Sprout, read this Help Center guide.
- The Manage Single Sign On permission must be turned on under Company Permissions. By default, Account Owners have this setting enabled and can grant this permission to other users.
- You'll need your SSO metadata XML file from your identity provider (IdP).
Security Assertion Markup Language (SAML) settings
Security Assertion Markup Language (SAML) is used to exchange authentication and authorization data between parties, in particular between an identity provider (such as Okta, OneLogin or Azure) and a service provider (in this case, Sprout Social).
To update your SAML settings:
- Navigate to Settings > Account > Single Sign-On.
- Click Edit SAML Settings if you want to make changes to any of your SAML settings.
To upload your XML file with your SSO metadata, click Upload XML File. Your systems administrator can provide you with this file.
Just-in-Time (JIT) provisioning
JIT SSO Provisioning allows a user's account to be automatically created and configured the first time that user logs in via Single Sign-On (SSO). This eliminates the need to manually invite users and ensures a seamless onboarding process.
To use JIT SSO Provisioning, your account must have SSO enabled.
To set up JIT provisioning:
- Navigate to Settings > Account > Single Sign-On.
- Click Enable Just-In-Time Provisioning.
Once you’ve enabled JIT, you’ll be able to see your remaining user seats under the Single Sign-On settings page and the Team Members section.
Note: If you assign all your seats, the Account Owner will receive an email and JIT will be disabled.
How JIT SSO Provisioning Works
- Admins configure default roles and permission sets in the SSO settings
- A new user logs in via SSO for the first time
- The system automatically creates their account and applies the pre-configured roles and permissions
Example Workflow
An Admin sets up "Care Manager" and a custom profile permission set as defaults in the SSO admin panel. A new user logs in via SSO, enters their basic information, and is immediately provisioned with the specified configuration. The user’s roles and permissions are visible in the Roles & Team Members section of the Account settings.
User JIT SSO experience
For Existing Customers with Legacy Roles
- Can choose between legacy roles or the new multi-role setup.
- Able to assign organizational roles, profile permissions, or legacy roles, or if roles are not needed, assign the group and social profile.
For New Customers or Customers Without Legacy Roles
- Experience streamlined multi-role provisioning.
Note: JIT SSO is not available for the Sprout mobile app.
Once a new user logs in, the Account Owner will receive an email with a notification that a new user account has been created. You can manage a user’s permissions by clicking Manage User.
Set a default Role or Group and Profile
If you’re on the Advanced Plan, you can assign new users a default Role or a default Group and Profile. If you’re on the Standard or Professional Plans, you can assign new users a default Group and Profile. For more information on Groups, Profiles and Roles in Sprout, see our Administration Basics.
If you select Assign with Role, you can choose the default Role for new users from the dropdown menu.
If you select Assign with Group and Profile, you can choose the Group and Profile from the dropdown menu.
Note: If you select Assign with Group and Profile, users will be assigned Read Only access to the Profile. You can update this access later.