Enable Single Sign On (SSO) Authentication
Helpjuice supports Single Sign On (SSO) authentication. This page explains SSO and shows you how to configure it in your account. To do so, you have to be an admin.
The SSO process lets you use your own identity provider to authenticate the users who should have access to your Knowledge Base. This is especially useful when you have many users and you don't want to create a Helpjuice user for each one of them.
In order to enable SSO in your account, go to Settings and click on the Single Sign On tab:
If the fields in the Single Sign On tab are disabled, it means that your current plan does not support it. If that is the case, contact our team so we can migrate you.
You'll have to provide your Identity Provider data:
- For OneLogin:
  - Identity Provider URL: required.
  - Fingerprint: SHA1 fingerprint, required.
  - SSO Domain: required if you want Helpjuice to auto-create new users based on the email's domain, like in firstname.lastname@example.org.
  - SSO Account: required if not all your users have an email under the same domain, like in email@example.com. In this case, you need to fill this field with the exact same value you have in your OneLogin account under the field Company.
- For Okta:
  - IDP Metadata (XML): this is the only field required to authenticate using Okta.
- For Custom Provider: You can use your own custom Identity Provider. In this case, you can fill in either the fields Identity Provider URL + Fingerprint OR the field IDP Metadata. The fields SSO Domain and SSO Account are optional and serve the same purpose as they do for OneLogin.
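For a custom provider, the Identity Provider URL + Fingerprint pair and the IDP Metadata XML describe the same identity provider, so one can be checked against the other before saving. The following is an added example, not Helpjuice code: it assumes the SSO is SAML 2.0 and that the Fingerprint field is the SHA-1 digest of the IdP's signing certificate, and it reads the SSO URL and that fingerprint out of a metadata document. The sample metadata, its placeholder certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="https://idp.example.com/saml"
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(SAMPLE_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings(metadata_xml):
    """Return (sso_url, fingerprints) for the IdP described by the metadata."""
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    prints = []
    for key in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" serves signing too; skip encryption-only keys.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.findall(".//ds:X509Certificate", NS):
            # The fingerprint is taken over the DER bytes, not the base64 text.
            der = base64.b64decode("".join((cert.text or "").split()))
            digest = hashlib.sha1(der).hexdigest().upper()
            prints.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    sso = idp.find("md:SingleSignOnService", NS)
    return (sso.get("Location") if sso is not None else None), prints


def fingerprint_matches(pasted, metadata_xml):
    """True if the value typed into the Fingerprint field matches a signing cert."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", pasted).upper()
    return any(wanted == p.replace(":", "") for p in idp_settings(metadata_xml)[1])


if __name__ == "__main__":
    url, prints = idp_settings(SAMPLE_METADATA)
    print("Identity Provider URL:", url)
    print("Fingerprint (SHA1):", *prints)
```

Run it against metadata downloaded from your own identity provider's admin console; a mismatch between the computed fingerprint and the one entered in the form usually means a rotated or wrong certificate.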
Now, all you need to do is ask your users to go to our regular Sign In page (helpjuice.com -> Sign In) and choose the option that fits your case:
If you use a custom Identity Provider or Okta, you must click on Custom Single Sign On. On the next page, you must provide your account's subdomain. It will be yoursubdomain.helpjuice.com.
Helpjuice will redirect the user to your ID Provider URL and, once the user is authenticated, they will be signed in. If a user record for that e-mail does not exist, it will be created automatically.
Note: new users created via SSO are always given the Viewer role for security reasons.