Helpjuice supports Single Sign On authentication process. This page aims to clarify a bit about SSO and teach you how to properly configure SSO in your account. To do so, you have to be an admin.
The SSO process enables you to use your own ID provider to authenticate the users that should have access to your Knowledge Base. This is useful specially when you have tons of users and you don't want to create a Helpjuice user for each one of them.
In order to enable SSO in your account, go to Settings and click on the Single Sign On tab:
If the fields in the Single Sign On tab are disabled, it means that your current plan does not support it. If that is the case, contact our team so we can migrate you.
You'll have to provide your Identity Provider data:
- For OneLogin:
- Identity Provider URL: required.
- Fingerprint: SHA1 fingerprint, required.
- SSO Domain: required if you want Helpjuice to auto-create new users based on the email's domain, like in firstname.lastname@example.org.
- SSO Account: required if not all your users have an email under the same domain, like in email@example.com. In this case, you need to fill this field with the exact same value you have in your OneLogin account under the field Company.
- For Okta:
- IDP Metadata (XML): this is the only field required to authenticate using Okta.
- For Custom Provider: You can use your own custom Identity Provider. In this case, you can either fill the fields Identity Provider URL + Fingerprint OR IDP Metadata. The fields SSO Domain and SSO Account are optional and have the same purpose in this case, just like for OneLogin.
Now, all you need to do is ask your users to go to our regular Sign In page (helpjuice.com -> Sign In) and choose the option that fits your case:
If you use a custom Identity Provider or Okta, you must click on Custom Single Sign On. In the next page, you must provide your account's subdomain. It will be yoursubdomain.helpjuice.com.
Helpjuice will redirect the user to your ID Provider URL and, once the user is authenticated, he/she will be signed in. If a user record for that e-mail does not exist, it will be created automatically.
SSO Users vs Helpjuice Users
Users from your Identity Provider and users you add via Helpjuice Dashboard are independent. You can have people signing in via SSO and/or regular email/password at the same time without a problem. When you set up a SSO provider, existing users can also start using SSO to authenticate, as long as their emails match.
When an user authenticates via SSO, Helpjuice will try to match the signing in user to an existent one by email. If they exist, they are authenticated and signed in, password and other user details are left untouched. If no user matches, however, a new one is created with the Viewer role and an auto generated password is forwarded to their email. This user can then sign in either via SSO or regular email/password authentication without a problem. We need to provide a password to SSO users so they can update their profile details in Helpjuice dashboard.
This process applies to any Helpjuice SSO authentication, including LDAP and JWT.