Set Up Single Sign-On
Single Sign-On (SSO) replaces the standard email/password login to Sprinklr and lets users log in with the customer’s company credentials. This adds convenience for the customer, as they have fewer logins to create and remember.
SSO also provides improved security. For example, when any individual leaves the company, they lose Sprinklr access as well. Finally, any security measures built into the customer’s login, such as two-factor authentication or being on an internal network, are also applied to Sprinklr login.
Common SSO Providers
Sprinklr supports any identity provider that is compliant with SAML 2.0 and OpenID.
Okta
ADFS
OneLogin
PingFederate
Generic OIDC Providers
Set Up Single Sign-On
To set up Single Sign-On, follow these steps:
1. Click the New Tab icon. Under Platform Modules > Settings, click All Settings.
2. In the Platform Settings window, click Manage Customer in the left pane. Then, select Single Sign-Ons in the right pane.
3. In the Single Sign Ons window, click Add Single Sign On in the top right corner.
4. In the Create Single Sign On window, fill in the required details. For more information, see SSO Field Descriptions.
5. Click Save in the bottom right corner.
SSO Field Descriptions
Field | Description |
Name | Enter the desired name for the SSO. |
Select the Type of Single Sign On |
SAML Field Descriptions
Field | Description |
Entity Id | Copy and paste the entity ID into Sprinklr. Note that if you have a metadata file, this corresponds to the entityID= field. If you have a requirements checklist, this corresponds to the Entity Id of Identity Provider field. |
Issuer Name | Issuer Name is a URL that uniquely identifies your SAML identity provider. SAML assertions sent to Sprinklr must match this value exactly in the attribute of SAML assertions. Additionally, Issuer Name is an auto-populated field. You can update it based upon your requirements. |
Identity Provider Login URL | Copy and paste the Identity Provider Login URL into Sprinklr. Note that if you have a metadata file, this will be in the Location= field of the <md:SingleSignOnService> element. You may see different locations for POST, Redirect, and other types of bindings. They always seem to be the same, so it should not matter which you paste in, but 90%+ of clients use POST bindings, so when in doubt use that. If you have a requirements checklist, this will be in the AuthNRequest: POST or REDIRECT bindings? field. |
Identity Provider Logout URL | Copy and paste the Identity Provider Logout URL into Sprinklr. |
SAML User ID Type | Choose the desired SAML User ID Type. The following options are available:
|
SAML User ID Location | Choose the desired SAML User ID Location. The following options are available:
You can determine whether the customer is sending the authentication value in the NameID or another attribute by asking them directly. |
Request Binding | Select the desired request binding. The following options are available: HTTP POST, HTTP Redirect. |
User Not Provisioned Error Message | Enter an error message (using the Rich Text Editor) that you wish to be displayed when a user is not provisioned to log in. |
Do you want to enable SSO for advocacy? | Check the box, select the Name from the drop-down menu, and enter the desired Attribute. To learn how to enable SSO in Advocacy, refer to Single Sign-On (Advocacy). |
Use new SSO Certificate | Check the Use New SSO Certificate box. This box needs to be checked for every SSO enablement. |
Request Signature Method | Select the Request Signature Method from the drop-down menu. You can check the metadata file to confirm the Request Signature Method. In the metadata file, it should look something like this: <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>. |
Identity Provider Certificate | Fill out the Identity Provider Certificate. In the metadata file, this corresponds to the <ds:X509Certificate> field. |
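The metadata-to-field mapping in the table above, as an added example (not Sprinklr's code): a Python helper that reads an IdP metadata file and returns the values for the Entity Id, login URL, logout URL, request binding and certificate fields, plus any endpoint that is not HTTPS. The sample metadata is constructed, and reading the logout URL from <md:SingleLogoutService> is an assumption, since the page does not name its metadata source.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Constructed sample: hostnames and the certificate body are placeholders.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    PLACEHOLDERCERT
    BASE64BODY==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="https://idp.example.test/slo"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleSignOnService Location="https://idp.example.test/sso/redirect"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleSignOnService Location="https://idp.example.test/sso/post"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sprinklr_saml_fields(metadata_xml):
    """Return (fields, insecure): values for the SAML fields, non-HTTPS URLs."""
    # Metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("refusing metadata that carries a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def locations(tag):  # maps binding short name -> Location URL
        return {e.get("Binding", "").replace(BINDINGS, ""): e.get("Location")
                for e in idp.findall(tag, NS)}

    sso, slo = locations("md:SingleSignOnService"), locations("md:SingleLogoutService")
    # Signing certificates only; whitespace stripped so the value pastes cleanly.
    certs = ["".join((c.text or "").split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    binding = "HTTP-POST" if "HTTP-POST" in sso else "HTTP-Redirect"  # POST when offered
    fields = {"Entity Id": root.get("entityID"),
              "Identity Provider Login URL": sso.get(binding),
              "Request Binding": binding,
              "Identity Provider Logout URL": slo.get("HTTP-POST") or slo.get("HTTP-Redirect"),
              "Identity Provider Certificate": certs}
    insecure = [u for u in (*sso.values(), *slo.values()) if not str(u).startswith("https://")]
    return fields, insecure
```

More than one entry in the certificate list usually means the IdP is rotating its signing key, so confirm with the IdP administrator which certificate is current before pasting it in.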
Open ID Field Descriptions
Field | Description |
Provider | Select the Open ID provider from the drop-down list. |
Generic OpenID SSO Field Descriptions
Field | Required/Optional | Description |
Client Key | Required | OAuth 2.0 client ID. |
Client Secret | Required | OAuth 2.0 client secret. |
Authorize Endpoint URL | Required | The OAuth authorization endpoint URL. |
Token Endpoint URL | Required | The OAuth token exchange endpoint. |
User Info URL | Optional | Optional endpoint to fetch user profile info. |
Scope | Optional | Scopes like openid, profile, etc. |
PKCE Enabled | Optional | Toggle PKCE flow support. |
Request Via Proxy | Optional | If enabled, requests are routed via Sprinklr proxy. |
Proxy Host | Optional | Proxy hostname (required if proxy enabled). |
Proxy Port | Optional | Proxy port (required if proxy enabled). |
Access Token Field | Optional | Token field name in response (default: access_token). |
Token Headers Adapter | Optional | Add Groovy script to modify token request headers. For more details, see Advanced Configuration. |
Token Params Adapter | Optional | Add Groovy script to modify token request parameters. For more details, see Advanced Configuration. |
Profile Adapter | Required | Add Groovy script to parse user profile from user info response. For more details, see Advanced Configuration. |
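How the Client Key, Authorize Endpoint URL, Scope and PKCE Enabled fields above are used in a standard OAuth 2.0 authorization code flow with PKCE (RFC 7636), as an added example; this is not Sprinklr's implementation. The configuration values and the redirect URI are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed values standing in for the fields in the table above.
CONFIG = {"Client Key": "example-client-id",
          "Authorize Endpoint URL": "https://idp.example.test/oauth2/authorize",
          "Scope": "openid profile",
          "PKCE Enabled": True}
REDIRECT_URI = "https://app.example.test/callback"  # hypothetical redirect URI


def pkce_challenge(verifier):
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(cfg, redirect_uri):
    """Return (url, session); session is kept server-side until the callback."""
    session = {"state": secrets.token_urlsafe(32)}
    params = {"response_type": "code", "client_id": cfg["Client Key"],
              "redirect_uri": redirect_uri, "scope": cfg["Scope"],
              "state": session["state"]}
    if cfg["PKCE Enabled"]:
        # 64 random bytes -> 86 URL-safe characters, inside the 43-128 range.
        session["code_verifier"] = secrets.token_urlsafe(64)
        params["code_challenge"] = pkce_challenge(session["code_verifier"])
        params["code_challenge_method"] = "S256"
    return cfg["Authorize Endpoint URL"] + "?" + urlencode(params), session


def token_request_params(cfg, code, returned_state, session, redirect_uri):
    """Parameters for the Token Endpoint URL POST; rejects a mismatched state."""
    if not secrets.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    # The Client Secret authenticates this request (header or body, per IdP); not shown.
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri, "client_id": cfg["Client Key"]}
    if "code_verifier" in session:
        params["code_verifier"] = session["code_verifier"]  # proves who started the flow
    return params
```

With PKCE on, an authorization code intercepted in transit cannot be redeemed without the verifier, which never leaves the client until the token request.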
Generic OpenID Advanced Configuration (Optional)
Sprinklr supports advanced scripting for token handling and profile creation:
1. Token Request Adapters
Customize token request headers and parameters using Groovy scripts.
tokenHeadersAdapter: Modify headers (e.g., Authorization, Content-Type).
tokenParamsAdapter: Add custom parameters like aud, scope, etc.
2. Profile Adapter
Process the user info API response using Groovy and map it to a Sprinklr user profile.
Note: You can also make calls to userInfoEndpoint within the Groovy script using passed-in input parameters.
Sample Code
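// Read the token from the TOKEN_DETAILS input passed to the script
String jwt = TOKEN_DETAILS.get("token")
// Extract the subject from the JWT
String sub = JWT.parseSubject(jwt)
// Build the map that the adapter returns as the user profile
def res = MAP_UTILS.newMap()
res.put("SN_ID", sub)
res.put("TYPE", "KEYCLOAK")
return res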