Set up Single Sign-On
Single Sign-On (SSO) replaces the standard email/password login to Sprinklr and lets users log in with their company credentials. This is more convenient for customers, who have fewer logins to create and remember. It also increases security: when an individual leaves the company, they lose Sprinklr access as well. Finally, any security measures built into the customer’s login, such as two-factor authentication or being on an internal network, are applied to the Sprinklr login as well.
Common SSO Providers
Sprinklr supports any identity provider that is compliant with SAML 2.0 and OpenID.
Okta
ADFS
OneLogin
PingFederate
To Set Up Single Sign-On
Click the New Tab icon. Under the Governance Console, click All Settings within Platform Setup.
In the Platform Settings window, click Manage Customer in the left pane and select Single Sign-Ons in the right pane.
In the Single Sign Ons window, click Add Single Sign On in the top right corner.
In the Create Single Sign On window, fill in the required details. For more information, see Single Sign On — Field Descriptions.
Click Save in the bottom right corner.
Single Sign On — Field Descriptions
Terms | Description |
Name | Enter the desired name for the SSO. |
Select the Type of Single Sign On | |
SAML | |
Entity Id | Copy and paste the entity ID into Sprinklr. Note that if you have a metadata file, this corresponds to the entityID= field. If you have a requirements checklist, this corresponds to the Entity Id of Identity Provider field. |
Issuer Name | Issuer Name is a URL that uniquely identifies your SAML identity provider. SAML assertions sent to Sprinklr must match this value exactly in the attribute of SAML assertions. Additionally, Issuer Name is an auto-populated field. You can update it based upon your requirements. |
Identity Provider Login URL | Copy and paste the Identity Provider Login URL into Sprinklr. Note that if you have a metadata file, this will be in the <md:SingleSignOnService, Location= field. You may see different locations for POST, redirect, and other types of bindings. They always seem to be the same, so it should not matter which you paste in, but 90%+ of clients use POST bindings, so when in doubt use that. If you have a requirements checklist, this will be in the AuthNRequest: POST or REDIRECT bindings? field. |
Identity Provider Logout URL | Copy and paste the Identity Provider Logout URL into Sprinklr. |
SAML User ID Type | Choose the desired SAML User ID Type. The following options are available:
|
SAML User ID Location | Choose the desired SAML User ID Location. The following options are available:
You can determine whether the customer is sending the authentication value in the NameID or another attribute by asking them directly. |
Request Binding | Select the desired request binding. The following options are available:
|
User Not Provisioned Error Message | Enter an error message (using the Rich Text Editor) that you wish to be displayed when a user is not provisioned to log in. |
Check the box and select the Name from the drop-down menu & enter the desired Attribute. | |
Use new SSO Certificate | Check box for Use New SSO Certificate. This box needs to be checked for every SSO enablement. |
Request Signature Method | Select the Request Signature Method from the drop-down menu. You can check the metadata file to confirm the Request Signature Method. In the metadata file, it should look something like this: <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>. |
Identity Provider Certificate | Fill out the Identity Provider Certificate. In the metadata file, this corresponds to the <ds:X509Certificate> field. |
Open ID | |
Provider | Select the Provider from the drop-down list. |
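The field descriptions above say where each value sits in an identity provider metadata file. The following Python is an added example, not Sprinklr code: it reads those values out of a metadata document and also checks three things worth confirming before pasting them in (SHA-1 algorithms, non-HTTPS endpoints, and whether the login URL really is the same across bindings). The function name, the warning strings, and the sample metadata (idp.example.test, the certificate text) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
SHA1_ALGS = {DS + "sha1", DS + "rsa-sha1"}  # SHA-1 based XML-DSig algorithm URIs

# Constructed sample metadata: idp.example.test and the certificate text are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml">
  <ds:Signature><ds:SignedInfo><ds:Reference>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </ds:Reference></ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQt UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sso_form_values(metadata_xml):
    """Pull the values the field descriptions point to out of IdP metadata."""
    root = ET.fromstring(metadata_xml)  # parse only metadata obtained from the IdP admin
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not single-entity IdP metadata")
    def by_binding(tag):  # e.g. {"HTTP-POST": location, "HTTP-Redirect": location}
        return {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location", "")
                for e in idp.findall(tag, NS)}
    sso, slo = by_binding("md:SingleSignOnService"), by_binding("md:SingleLogoutService")
    algs = [e.get("Algorithm") for e in root.iter("{%s}DigestMethod" % DS)]
    urls = list(sso.values()) + list(slo.values())
    return {
        "Entity Id": root.get("entityID"),
        "Identity Provider Login URL": sso.get("HTTP-POST") or next(iter(sso.values()), None),
        "Identity Provider Logout URL": next(iter(slo.values()), None),
        "Identity Provider Certificate": ["".join(c.text.split())  # drop line wrapping
                                          for c in idp.iter("{%s}X509Certificate" % DS) if c.text],
        "DigestMethod": algs,
        "warnings": [f"SHA-1 algorithm: {a}" for a in algs if a in SHA1_ALGS]
                  + [f"not HTTPS: {u}" for u in urls if not u.startswith("https://")]
                  + (["login URL differs between bindings"] if len(set(sso.values())) > 1 else []),
    }
```

Calling sso_form_values(SAMPLE_METADATA) returns a dictionary keyed by the field names used in the table, plus a warnings list that is empty for the sample.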