In this article, we will walk through the required steps to integrate your Identity Provider (IdP) SSO with Chili Piper.
Things to know
- You must be a Chili Piper admin to enable Single sign-on (SSO).
- You must use the same email address for both Chili Piper and your IdP.
Chili Piper supports any enterprise identity provider (IdP) using the SAML 2.0 protocol. We have tested and documented SAML SSO setup instructions for the following identity providers: Okta
Since steps may vary by identity provider, consult documentation from your identity provider for more information.
How to configure SAML SSO for your Identity Provider
- In the Admin Center, access SAML Configuration by clicking Integrations in the left-side menu and then the Single Sign-On tab. Then click Connect on the Single Sign-On card.
- Copy and paste the Single Sign-On URL and the SP Entity ID from Chili Piper into your Identity Provider. These URLs cannot be edited in any way or they will not work.
Your Identity Provider may refer to the Single Sign-On field as:
- Default ACS
- Reply URL
- Application Callback URL
- SAML Consumer URL
Your Identity Provider may refer to the Entity ID field as:
- Audience URL
- Identifier
Some Identity Providers require Recipient/Destination:
- A field called "recipient" or "destination"
- A checkbox to enable sending the ACS as the recipient & destination
- No field or checkbox - the IdP will automatically send the ACS URL as the recipient and destination
- Copy the metadata URL from your Identity Provider and paste it into the Metadata URL field in Chili Piper, in the Step 2 section of the IdP setup.
If your identity provider has application restrictions for users, update those rules so you and the appropriate users can use Chili Piper.
In Chili Piper, click Test Connection and you will be directed to your IdP login screen. You must log into your IdP with the same credentials you used to log into Chili Piper.
If the connection is successful, you will be redirected back to Chili Piper to enforce SSO for all users.
- If you want to require your users to log in only via your IdP, you can opt to do this now. This option will only be available if testing the connection in Step 2 was successful.
SAML Features
- SP login flow (Service-provider Initiated)
  - Users can log in via fire.chilipiper.com, and your Identity Provider will authenticate the user.
- Identity Provider Initiated SSO (IdP-initiated)
  - Users can log in to their identity provider and select the Chili Piper app.
  - Only available if your identity provider supports a Default Relay State.
- JIT provisioning is not supported.
SAML Attributes include:
- firstName: user.firstName
- lastName: user.lastName
- email: user.email