Single sign-on (SSO) offers a secure way to access Chili Piper. This eliminates weak password use and reduces the need to remember passwords. If you or your company uses SSO, you may wonder how to get it to work with Chili Piper.
In this article, we will walk through:
- What can the SSO Integration do or not do?
- What do I need to do before I set up an SSO?
- How do I set up Okta for Chili Piper?
- How do I set up OneLogin for Chili Piper?
- How do I set up Rippling for Chili Piper?
- How do I set up Azure for Chili Piper?
- What should I do if I hit a "500" error or "You are lucky" error after login?
What can the SSO integration do or not do?
- The SSO Integration can provide another mechanism for users to log into Chili Piper.
- The existing login options are through Oauth of their CRM or calendar provider.
-
This simpler login option gives CP users an SSO option in case they only have their SSO username & password memorized. See the option below.
-
The SSO integration cannot provision licenses to users in Chili Piper.
- Your SSO provider can provision licenses to your CRM, and Chili Piper will automatically sync the CRM user into our Chili Piper User Table.
- Then, the admin will provision the product-specific licenses to the users once the user has been added to the CRM.
- Your company's Chili Piper admin must allocate product-specific licenses to individual users.
- The SSO integration cannot authenticate user connections to their CRM or Calendars.
- Users will still be required to authorize connections to their CRM and calendar licenses through direct Oauth connections. This is required for their first time connecting their licenses to Chili Piper.
Best practice: Most SSO admins will set up a workflow redirecting new users from the CRM and calendar login pages back to their SSO login pages. This allows the user to only log in with their SSO login.
What do I need to do before I set up an SSO?
Before integrating SSO with Chili Piper, you must contact your Customer Success or Onboarding rep to enable this integration. You will be unable to proceed further until it has been allowed.
How do I set up Okta for Chili Piper?
Log into Chili Piper's Admin Center, navigate to Integrations, scroll down to Identity Provider, and select Add.
In a new browser tab, open your Okta admin page, navigate to Applications, and select Create a new app integration. Select SAML 2.0 and hit Next.
Write Chili Piper under App name, and add our logo. (You can download the image logo below to use as your image)
Hit next.
Return to Chili Piper and copy your unique Sign In URL.
Back in Okta:
- Paste the Sign In URL link into the Single sign-on URL section.
- In Audience URI (SP Entity ID) section, enter: chilipiper.com
- Name ID format and Application Username should be set to Email.
Your Okta SAML Settings should look something like this:
Next, we'll complete the setup back in Chili Piper. First, click View SAML Setup Instructions in Okta.
Now that we've got our Chili Piper information into Okta, it's time to copy information from Okta and bring it to Chili Piper.
- Copy your unique Identity Provider Single Sign On from Okta, return to Chili Piper, and paste it into the Identity Provider SSO URL.
- Copy your Identity Provider Issuer from Okta, return to Chili Piper, and paste it into Identity Provider ID.
- Download the certificate provided by Okta and upload it to Chili Piper.
In Okta, in the Assignments tab, assign users to the Okta app. Back in Chili Piper, hit Save and Activate.
Uncheck "Deflate" in Chili Piper.
Next, we will move on to SCIM provisioning. Setting up these SCIM settings will allow an Okta admin to control who can or cannot log in to Chili Piper with this method. These SCIM Settings do not directly create or remove users from Chili Piper. Although you manage this under "provisioning," we currently do not support SCIM provisioning.
In Okta, navigate to the Chili Piper app you just created.
- Under the General tab, enable SCIM provisioning.
- Head to the Provisioning tab. Copy the SCIM connector base URL from Chili Piper and paste it into the Okta app SCIM connector base URL section.
-
In the Unique identifier field for users, type email.
-
Under Supported provisioning actions, select
-
Push New Users
-
Push Profile Updates
-
Push Groups
-
-
Authentication Mode should be set to HTTP Header.
- Grab the Authorization Bearer from Chili Piper under Authorization Token.
It should look something like this:
Now, we will select Test Connector Configuration:
If all goes well here, you will see a successful pop-up:
In Provisioning to App, enable:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save, and that's it!
If you have any issues setting up Okta for Chili Piper, please contact your CSM.
How do I set up OneLogin for Chili Piper?
Log into Chili Piper's Admin Center, navigate to Integrations, scroll down to Identity Provider, and select Add:
In a new tab, go to OneLogin, navigate to Applications, and select Add App.
On the Find Applications page, search for SAML custom connector. From the filtered list, select SAML Test Connector (Advanced) for SAML 2.0.
Change the Display Name to Chili Piper. You may also optionally upload an icon to be displayed.
When finished, select Save.
Now, in the Configuration tab on the left,
- Add chilipiper.com in the Audience (Entity ID) field.
- Return to Chili Piper, and copy the Sign In URL. Paste this URL into ACS (Consumer) URL.
Locate your Tenant ID, which can be found in the Sign in URL (between /tenant/ and /sso).
- In ACS (Consumer URL Validator* paste the below, with your unique {tenant_id} in the {tenant_id} section
^https:\/\/api.chilipiper.com\/api\/v1\/saml\/tenant\/{tenant_id}\/sso
Scroll Down to SAML signature element and select "Both." All the other options can be left alone/ left blank. Click Save again.
Now, navigate the SSO tab (on the left). Click on View Details under X.509 Certificate.
This opens a new page where you can click the Download button to download the onelogin.pem file.
Back in Chili Piper, upload this file in Identity Provider under Certificate.
In OneLogin, copy the Issuer URL in the SSO tab and paste it into Chili Piper under Identity Provider ID. Then, copy SAML 2.0 Endpoint (HTTP) in OneLogin and paste it into the Identity Provider SSO URL in Chili Piper.
Make sure you grant users permission to use the app.
In Chili Piper, save the Identity Provider and click Enable. And that's it! If you have problems setting up OneLogin for Chili Piper, please contact your CSM.
How do I set up Rippling for Chili Piper?
- Log in to Chili Piper and navigate the Admin Center > Integrations > Identity Provider > Add.
-
Log in to Rippling and navigate to IT Management > Custom App > Create New App. Create your New App:
Check the box for Supports SAML, upload the Chili Piper logo, and select Update App.
- Copy the Single Sign-on URL or Target URL in Rippling and paste it to Identity Provider SSO URL in Chili Piper.
-
Copy the Issuer or IdP Entity ID in Rippling and paste it to Identity Provider ID in Chili Piper.
-
Copy X509 Certificate and upload the .crt file to CP as Certificate
-
Uncheck Deflate checkbox in Chili Piper
-
Copy Chili Piper Sign in URL and past in to Provide ACS URL in Rippling
-
Enter chilipiper.com as the Provide Service Provider Entity ID
- Save and activate in Chili Piper
- Complete the next steps in Rippling to setup User provisioning
- You can now log in with the ChiliPiper app from the Rippling home page or https://apps.chilipiper.com/login.html?sso=true with Rippling!
If you have any issues setting up Rippling SSO for Chili Piper, please contact your CSM.
How do I set up Azure for Chili Piper?
- Navigate to https://apps.chilipiper.com/admin-center/integrations
-
Expand the "Identity Provider" section
-
Open a new browser tab and navigate to the "Enterprise Applications" option under the Azure Portal
-
Under the "All applications" menu option at the Azure Console, click on "New application"
-
Click on "Create your own application"
- Choose a name that you can relate to Chili so it's easier to identify it.
-
Under the "What are you looking to do with your application?" option, select "Integrate any other application you don't find in the gallery (Non-gallery)".
-
Click on Create
-
Navigate to the "Single sign-on" option in the sidebar
-
Click on "SAML"
-
At the "Basic SAML Configuration" section, click on the pencil icon to edit the details
-
At the "Identifier (Entity ID)" field, add "chilipiper.com" as the identifier
-
The "Reply URL (Assertion Consumer Service URL)" can be copied from the Chili Piper field "Sign In URL" field
-
Navigate to the "SAML Certificates" section and download the "Certificate (Base64)"
ℹ️ Based on this documentation, please ensure that you selected the option "Sign SAML response and assertion" in Azure for "Certificate signing options." That should be the correct option selected.
- Now, let's go back to Chili Piper and complete the settings.
-
In the field called "Identity Provider ID", we can copy the value from the MS field "Microsoft Entra Identifier"
-
In the "Identity Provider SSO URL" field, we can copy the value from the MS field "Login URL"
- Upload the certificate file we downloaded from Step #14 above
- Click on "Activate"
And we are done here! At this point, we should be able to access Chili Piper through the "Log in with SSO" option at https://apps.chilipiper.com/login.html?sso=true
What should I do if I hit a "500" error or "You are lucky" error after login?
In cases where you are successfully authenticated via SSO in the SSO login page but receive a "500" or "You are lucky" message error, it might be necessary to regenerate, re-download, and re-upload your certificate file to Chili Piper. These are the steps you need to follow in order to achieve this:
- Go to the Integrations page in the Admin Center.
- Click Deactivate.
- Edit SAML.
- Upload the new certificate file back
- Save & Activate.
- Try to login again.