How do I configure my Single Sign-on settings?

Self-service Single Sign-on (SSO) allows the Sprout Social Account Owner to assign other users permission to manage SSO and to update and maintain SSO settings without needing to go through Sprout Support.

With self-service SSO, a person with Manage SSO Permissions can:

  • Upload your identity provider's SSO metadata file
  • Edit SAML settings
  • Enable or disable Sprout-managed passwords
  • Enable or disable Just-in-Time provisioning 
  • Set a default Role or Group and Profile permissions for an authenticated SSO user’s account upon their first login

In this article:

Who can use self-service SSO?

Single Sign-on (SSO) is currently offered to customers with an assigned Customer Success Manager (CSM). If you have SSO enabled, you can start using the self-service feature right away. 

If you are a customer with an assigned CSM and would like SSO enabled, please reach out to your CSM.

If you are a customer that would like SSO enabled and do not have an assigned CSM, please reach out to Sprout Social Support for assistance.

What do I need to get started?

These are the requirements you'll need before getting started:

  • You must have SSO enabled for Sprout. For more information about using SSO with Sprout, read this Help Center guide.
  • The Manage Single Sign On permission must be turned on under Company Permissions. By default, Account Owners have this setting enabled and can grant this permission to other users.


  • You'll need your SSO metadata XML file from your identity provider (IdP).

Security Assertion Markup Language (SAML) settings

Security Assertion Markup Language (SAML) is used to exchange authentication and authorization data between parties, in particular, between an identity provider (such as Okta, Onelogin or Azure) and a service provider (in this case, Sprout Social).

To update your SAML settings:

  1. Navigate to Settings > Account > Single Sign-On.
  2. Click Edit SAML Settings if you want to make changes to any of your SAML settings.

To upload your XML file with your SSO metadata, click Upload XML File. Your systems administrator can provide you with this file.

Just-in-Time (JIT) provisioning

With SSO JIT provisioning enabled, a user account is automatically created when a user successfully logs in to Sprout via SSO for the first time, eliminating the need for manual invitations.

To set up JIT provisioning:

  1. Navigate to Settings > Account > Single Sign-On.
  2. Click Enable Just-In-Time Provisioning.

Once you’ve enabled JIT, you’ll be able to see your remaining user seats under the Single Sign-On settings page and the Team Members section.



Note: If you assign all your seats, the Account Owner will receive an email and JIT will be disabled.

User JIT SSO experience

A user can create an account by logging into the Sprout web app via SSO for the first time.

Note: JIT SSO is not available for the Sprout mobile app.


Once a new user logs in, the Account Owner will receive an email with a notification that a new user account has been created. You can manage a user’s permissions by clicking Manage User.


Set a default Role or Group and Profile

If you’re on the Advanced Plan, you can assign new users a default Role or a default Group and Profile. If you’re on the Standard or Professional Plans, you can assign new users a default Group and Profile. For more information on Groups, Profiles and Roles in Sprout, see our Administration Basics.

If you select Assign with Role, you can choose the default Role for new users from the dropdown menu.

If you select Assign with Group and Profile, you can choose the Group and Profile from the dropdown menu.

Note: If you select Assign with Group and Profile, users will be assigned Read Only access to the Profile. You can update this access later.


Back to Top up_arrow.png

Was this article helpful?

Still can't find what you're looking for?

Powered by Zendesk