Configuration Steps for SSO on Sprinklr platform
Once you have a basic understanding of SSO and have gathered the necessary details for your environment, you can proceed with configuring SSO on the platform.
After receiving all the necessary details from the Identity Provider, proceed with the SSO setup on the staging or Sandbox environment.
Once test users have confirmed that the staging environment works correctly, configure SSO on the Production environment.
Steps to Configure SSO on Sprinklr
Click the New Tab icon. Under Platform Modules, click All Settings within Listen.
In the Platform Settings window, click Manage Customer in the left pane and select Account Groups in the right pane.
Details to be filled on the Sprinklr Settings → SSO Configuration page:
Name: Enter the desired name for the SSO
Select the Type of Single Sign On: SAML 2.0 or OpenID
Configuration Steps For SAML 2.0:
Entity ID: Enter the Entity ID provided by the client into Sprinklr.
For the Metadata file, it corresponds to the “entityID=” attribute.
For the SSO Checklist, it corresponds to the “Entity ID of Identity Provider” field.
Issuer Name: Issuer Name is a URL that uniquely identifies your SAML identity provider.
The issuer value in SAML assertions sent to Sprinklr must match this value exactly. Issuer Name is an auto-populated field; you can update it based on your requirements.
Identity Provider Login URL: Enter the IDP Login URL provided by the client into Sprinklr.
It is the URL to which Sprinklr redirects the user when logging in via SSO.
For the Metadata file, it corresponds to the “Location=” attribute of the “<md:SingleSignOnService” element.
For the SSO Checklist, it corresponds to the “Identity Provider Login URL” field.
Identity Provider Logout URL: Enter the Identity Provider Logout URL (optional field).
It is the URL to which Sprinklr redirects the user after logout.
SAML User ID Type: Choose the desired SAML User ID Type.
If the customer is authenticating on email, leave the default selection, Assertion contains User's sprinklr.com username.
If the customer is authenticating on an ID value rather than email, select Assertion contains the Federation ID from the User object instead.
The assertion sent by the IDP contains either the user's sprinklr.com username or the federation ID from the user object for authentication. When using the federation ID for authentication, the client must also add the federation ID in Sprinklr. The steps to add a federation ID to a user profile are in this link.
SAML User ID Location: Choose the desired SAML User ID Location.
If the customer is sending the authentication value (email or ID) in the NameID, leave the default selection, User ID is in the Name Identifier element of the Subject statement.
If the customer is sending the authentication value in another attribute, select User ID is in an Attribute element and enter the name of the attribute in the given space.
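The following is an added example (not Sprinklr's code) that shows what the two settings above decide: where in the assertion the identifier is read from (NameID versus a named Attribute), and which user field it is matched against (sprinklr.com username versus federation ID). The assertion, the user directory and the setting names are constructed for the example; this logic runs only after the SAML stack has already verified the assertion signature, which is out of scope here.

```python
"""Apply the 'SAML User ID Type' and 'SAML User ID Location' settings to a
signature-verified assertion. Added example, not Sprinklr code."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Setting values are assumptions; they mirror the form's radio buttons
LOC_NAME_ID = "name_identifier"      # "User ID is in the Name Identifier element"
LOC_ATTRIBUTE = "attribute"          # "User ID is in an Attribute element"
TYPE_USERNAME = "username"           # "Assertion contains User's sprinklr.com username"
TYPE_FEDERATION_ID = "federation_id" # "Assertion contains the Federation ID"

# Constructed assertion (signature already checked upstream, so none is shown)
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeId">
      <saml:AttributeValue>emp-0001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user directory; bob has no federation ID added to his profile
USERS = [
    {"username": "alice@example.test", "federation_id": "emp-0001"},
    {"username": "bob@example.test", "federation_id": None},
]


def extract_user_id(assertion_xml, location=LOC_NAME_ID, attribute_name=None):
    """Read the login identifier from the place the 'SAML User ID Location' setting names."""
    root = ET.fromstring(assertion_xml)
    # accept either a bare Assertion or a samlp:Response wrapping one
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    if location == LOC_NAME_ID:
        node = assertion.find("saml:Subject/saml:NameID", NS)
        text = (node.text or "").strip() if node is not None else ""
        if not text:
            raise ValueError("assertion has no Subject/NameID value")
        return text
    if location == LOC_ATTRIBUTE:
        if not attribute_name:
            raise ValueError("attribute_name is required for the Attribute location")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") != attribute_name:
                continue
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            values = [v for v in values if v]
            if len(values) != 1:
                # a multi-valued identifier is ambiguous: refuse rather than pick one
                raise ValueError(f"attribute {attribute_name!r} must carry exactly one value")
            return values[0]
        raise ValueError(f"attribute {attribute_name!r} not present in assertion")
    raise ValueError(f"unknown location {location!r}")


def resolve_user(identifier, id_type=TYPE_USERNAME):
    """Match the identifier against provisioned users per 'SAML User ID Type'.
    None means no single match, i.e. the 'User Not Provisioned' message applies."""
    if id_type == TYPE_USERNAME:
        # email comparison is case-insensitive here (an assumption of this example)
        matches = [u for u in USERS if u["username"].lower() == identifier.lower()]
    elif id_type == TYPE_FEDERATION_ID:
        # exact match; a user without a federation ID on the profile can never log in this way
        matches = [u for u in USERS if u["federation_id"] is not None and u["federation_id"] == identifier]
    else:
        raise ValueError(f"unknown id type {id_type!r}")
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    email = extract_user_id(SAMPLE_ASSERTION, LOC_NAME_ID)
    print("NameID ->", email, "->", resolve_user(email, TYPE_USERNAME))
    fed = extract_user_id(SAMPLE_ASSERTION, LOC_ATTRIBUTE, "employeeId")
    print("employeeId ->", fed, "->", resolve_user(fed, TYPE_FEDERATION_ID))
```

The two settings are independent: the location decides which XML node is read, the type decides which user field the value must equal. A mismatch between them (for example, reading an employee number from an attribute but matching it against usernames) yields no user and surfaces as the "User Not Provisioned" message, which is the first thing to check when SSO logins fail after a configuration change.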
Request Binding: Select HTTP POST or HTTP Redirect.
For the SSO Checklist, it corresponds to the “AuthNRequest: POST or REDIRECT bindings?” field.
For HTTP POST, the IDP must be configured with the certificate Sprinklr has provided, because Sprinklr looks for it and receives that information in the response. (Not needed for HTTP REDIRECT.)
User Not Provisioned Error Message: Enter the message as per your requirement (optional).
Do you want to enable SSO for advocacy?: If yes, check the box, select the Name from the drop-down menu and enter the desired Attribute.
Use new SSO Certificate: Check box for Use New SSO Certificate.
Request Signature Method: Select the Request Signature Method from the drop-down menu.
For the Metadata file, it corresponds to the “<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>” element.
For the SSO Checklist, it corresponds to the “SHA1 or SHA256?” field.
Identity Provider Certificate: Fill out the Identity Provider Certificate in PEM format.
For the Metadata file, it corresponds to the “<ds:X509Certificate>” element.
For the SSO Checklist, it corresponds to the “Public Key Certificate of the Identity Provider of the Client” field.
You can use this link to format the certificate in the required format.
Remember: Your certificate should start with -----BEGIN CERTIFICATE-----
Your certificate should end with -----END CERTIFICATE-----
If the IDP certificate expires, the SSO setting must be updated with the new certificate by the Success Manager or the client.
Remember to keep a backup of the existing certificate in a notepad file.
Steps to update SSO certificates from UI
Go to the location below in the UI to update the SSO Certificate.
Settings >> Manage Customer >> Single Sign-Ons >> Principal SSO >> Edit
Check if the certificate is updated under "Identity Provider Certificate"
Get the new certificate from the user and replace the existing Certificate here
The certificate should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
The format of the certificate needs to be PEM. You can use this link to format the certificate in the required format.
Configuration Steps For OpenID:
If you select a social channel (for example, Google, Facebook, Twitter, Instagram, etc.) as the Provider, no additional steps are required.
If you select OpenID Connect, then enter the Client Key, Client Secret, Authorize Endpoint URL, Token Endpoint URL, User Info URL and Scope.