
How do I configure my Single Sign-on settings?


Self-service Single Sign-on (SSO) allows the Sprout Social Account Owner to assign other users permission to manage SSO and to update and maintain SSO settings without needing to go through Sprout Support.

With self-service SSO, a person with Manage SSO Permissions can:

  • Upload your identity provider's SSO metadata file
  • Edit SAML settings
  • Add/remove/verify additional domains
  • Enable or disable Sprout-managed passwords
  • Enable or disable Just-in-Time provisioning 
  • Set a default Role or Group and Profile permissions for an authenticated SSO user’s account upon their first login

Who can use self-service SSO?

Self-Service SSO is available to all customers. Users must have Manage SSO permissions to configure or update SSO.

What do I need to get started?

These are the requirements you'll need before getting started:

  • You must have SSO enabled for Sprout. For more information about using SSO with Sprout, read this Help Center guide.
  • The Manage Single Sign On permission must be turned on under Company Permissions. By default, Account Owners have this setting enabled and can grant this permission to other users.

  • You'll need your SSO metadata XML file from your identity provider (IdP).

Security Assertion Markup Language (SAML) settings

Security Assertion Markup Language (SAML) is used to exchange authentication and authorization data between parties, in particular between an identity provider (such as Okta, OneLogin, or Azure) and a service provider (in this case, Sprout Social).

To update your SAML settings:

  1. Navigate to Settings > Account > Authentication Settings.
  2. Click Edit SAML Settings if you want to make changes to any of your SAML settings.

To upload your XML file with your SSO metadata, click Upload XML File. Your systems administrator can provide you with this file.

How to update your SAML Signing Certificate 

On November 1, 2025, Sprout will require a valid, unexpired certificate to maintain SSO access. After that date, if your certificate expires, users will not be able to log in via SSO until a valid one has been uploaded.

There are two ways to update your certificate: Upload a new XML file or edit the existing SAML Certificate.

Upload a new XML file:

  1. Go to Settings › Authentication Settings
  2. Go to SAML Identity Provider Metadata Upload section
  3. Click Upload XML file and upload your new SAML certificate

Edit the existing signing certificate: 

  1. Go to Settings › Authentication Settings 
  2. Go to SAML Identity Provider Metadata Upload section
  3. Click Edit SAML Settings, provide the new SAML certificate details, and click Save Settings
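
Before uploading a new metadata file, it helps to confirm that the certificate inside it is unexpired and will stay valid for a while. The script below is an added example, not Sprout tooling: it assumes the `openssl` command-line tool is installed, and the file name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not Sprout tooling): list the expiry of every certificate in
# a SAML IdP metadata XML file before uploading it. Requires the openssl CLI.

# Print the base64 body of each <X509Certificate> element, one per line.
# All whitespace is stripped first because IdPs often line-wrap the base64.
saml_certs() {
  tr -d ' \t\r\n' < "$1" |
    awk 'BEGIN { RS = "<" }
         /^([A-Za-z0-9_-]+:)?X509Certificate[^>]*>/ { sub(/^[^>]*>/, ""); print }'
}

# Wrap one base64 body in PEM armor so openssl can parse it.
to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$1" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# saml_cert_check FILE [DAYS]: print subject and notAfter for each certificate.
# Returns 0 if all remain valid for DAYS more days (default 30), 1 if any
# expires sooner or cannot be parsed, 2 if the file holds no certificate.
saml_cert_check() {
  file=$1 days=${2:-30} rc=0 n=0
  for b64 in $(saml_certs "$file"); do
    n=$((n + 1))
    pem=$(to_pem "$b64")
    if ! printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate; then
      echo "certificate $n: could not be parsed" >&2; rc=1; continue
    fi
    if ! printf '%s\n' "$pem" |
         openssl x509 -noout -checkend "$((days * 86400))" >/dev/null; then
      echo "certificate $n: expires within $days days" >&2; rc=1
    fi
  done
  [ "$n" -gt 0 ] || { echo "no X509Certificate element in $file" >&2; return 2; }
  return "$rc"
}

# Usage: sh check-saml-cert.sh idp-metadata.xml 30   (file name is a placeholder)
if [ "$#" -ge 1 ]; then saml_cert_check "$@"; fi
```

The check covers every certificate in the file, so an IdP that publishes separate signing and encryption certificates gets both reported.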

Add/remove/verify a new domain

Email domain verification is a process that confirms you own and control your domain (e.g., yourcompany.com) to secure communication and prevent unauthorized use.

To add a new domain:

  1. Click Add email domain.
  2. Enter the domain name you want to add. You can continue to add more domains by clicking + Add or click Add New Email Domain.

 

All newly added domains are in a Pending state until they have been verified. To verify domain ownership, copy the Unique Identifier and add it to your domain name’s DNS record.

Your domain provider should be able to provide instructions on how to do this, but generally, you can follow these steps:

  1. Copy the Unique Identifier.
  2. Access Your DNS Management Interface:
    • Log in to your domain registrar or DNS hosting provider's control panel.
    • Navigate to the section where you manage DNS records for your domain.
  3. Create a New TXT Record:
    • Look for an option to add a new DNS record.
    • Select TXT as the record type.
    • Enter the hostname or label (usually just "@" for the root domain).
    • Paste the unique identifier value into the text or data field of the TXT record.
    • Set the TTL (Time to Live) value, which is the duration for which the record is cached. A common value is 3600 seconds (1 hour).
  4. Save the Changes:
    • Save the newly created TXT record.
    • Allow some time for the DNS changes to propagate across the network.
  5. Verify the Record:
    • Use a DNS lookup tool to verify that the TXT record is correctly added and contains the correct value. This helps to ensure that the record is correctly configured and accessible.
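
One way to do the final lookup with `dig`, as an added example rather than part of Sprout's instructions: it asks each authoritative nameserver directly, so a cached answer cannot hide a missing record, and it requires an exact match so a truncated or padded paste is caught. The domain and identifier you pass in are your own values; the ones in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not Sprout tooling): confirm the verification TXT record is
# published with exactly the expected value. Requires the dig CLI.

# Read `dig +short TXT` output on stdin; succeed if any record equals $1.
# dig quotes each record and splits long ones into several quoted strings
# ("part1" "part2"), so rejoin the parts and drop the outer quotes first.
txt_has_value() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//' | grep -Fxq -- "$1"
}

# check_domain_txt DOMAIN VALUE: query every authoritative nameserver.
# Returns 0 if all serve the value, 1 if any does not, 2 if no NS was found.
check_domain_txt() {
  domain=$1 expected=$2 rc=0
  servers=$(dig +short NS "$domain")
  [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
  for ns in $servers; do
    if dig +short TXT "$domain" "@$ns" | txt_has_value "$expected"; then
      echo "OK       $ns"
    else
      echo "MISSING  $ns"; rc=1
    fi
  done
  return "$rc"
}

# Usage: sh check-txt.sh yourcompany.com 'PASTE-UNIQUE-IDENTIFIER-HERE'
if [ "$#" -eq 2 ]; then check_domain_txt "$1" "$2"; fi
```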

Once you’ve completed those steps, you can verify the domain by clicking Verify.  

If verification fails, you’ll receive an error message and the status changes to Verify Failed. Troubleshoot in your DNS Management Interface and try again.


If verification is successful, the status will show as Verified and that domain will be part of your SSO configuration.

To remove a domain, click the trashcan icon.

Just-in-Time (JIT) provisioning

JIT SSO Provisioning allows user accounts to be automatically created and configured the first time they log in via Single Sign-On (SSO). This eliminates the need to manually invite users and ensures a seamless onboarding process.

To use JIT SSO Provisioning, your account must have SSO enabled.

To set up JIT provisioning:

  1. Navigate to Settings > Account > Single Sign-On.
  2. Click Enable Just-In-Time Provisioning.

Once you’ve enabled JIT, you’ll be able to see your remaining user seats under the Single Sign-On settings page and the Team Members section.


Note: If you assign all your seats, the Account Owner will receive an email and JIT will be disabled.

How JIT SSO Provisioning Works

  1. Admins configure default roles and permission sets in the SSO settings
  2. A new user logs in via SSO for the first time
  3. The system automatically creates their account and applies the pre-configured roles and permissions

Example Workflow

An Admin sets up "Care Manager" and a custom profile permission set as defaults in the SSO admin panel. A new user logs in via SSO, enters their basic information, and is immediately provisioned with the specified configuration. The user’s roles and permissions are visible in the Roles & Team Members section of the Account settings.

User JIT SSO experience

For Existing Customers with Legacy Roles

  • Can choose between legacy roles or the new multi-role setup.
  • Able to assign organizational roles, profile permissions, or legacy roles, or if roles are not needed, assign the group and social profile.

For New Customers or Customers Without Legacy Roles

  • Experience streamlined multi-role provisioning.

Note: JIT SSO is not available for the Sprout mobile app.


Once a new user logs in, the Account Owner will receive an email with a notification that a new user account has been created. You can manage a user’s permissions by clicking Manage User.


Set a default Role or Group and Profile

If you’re on the Advanced Plan, you can assign new users a default Role or a default Group and Profile. If you’re on the Standard or Professional Plans, you can assign new users a default Group and Profile. For more information on Groups, Profiles and Roles in Sprout, see our Administration Basics.

If you select Assign with Role, you can choose the default Role for new users from the dropdown menu.

If you select Assign with Group and Profile, you can choose the Group and Profile from the dropdown menu.

Note: If you select Assign with Group and Profile, users will be assigned Read Only access to the Profile. You can update this access later.

 
