With single sign-on (SSO), your employees can log in with their existing company identity and do not need a separate username and password for Leapsome. Leapsome integrates with any external system that can act as a SAML 2.0 identity provider.
Microsoft Azure AD (now Microsoft Entra ID) can be used for both Single Sign-On and User Provisioning. If you want to learn more about setting up user provisioning with Azure AD, please have a look at this article.
Configuration
Retrieving relevant information from Leapsome
As an Admin in Leapsome, you can set up SSO for your account under 'Settings' > 'Integrations' > 'Single Sign-On (SSO)'. There, you can find data that Azure AD will require from Leapsome for the setup, including:
- Entity ID
- Login URL
- Reply URL
Setting up SSO within Azure AD
1. Create a Leapsome Application in Azure AD
- In Azure AD, navigate to 'Enterprise Applications' and click on '+ New Application'
- There, depending on your desired setup, you have the option to either create a custom application or use our preset Gallery Application
- If you want to use Azure AD for both User Provisioning and SSO, we recommend setting up a custom application. In this case, please configure User Provisioning first as described in this article and return to this documentation afterwards
- If you want to use Azure AD exclusively for SSO with Leapsome, you can save some time and select our Gallery Application
2. Edit Basic SAML Configuration
Go to the app you just created and navigate to 'Single sign-on' > 'SAML'. Under 'Basic SAML Configuration', enter the following information:
- Identifier (Entity ID): https://www.leapsome.com
- Reply URL (Assertion Consumer Service URL): 'Reply URL' from your Leapsome SSO settings
- Sign on URL (optional): 'Login URL' from your Leapsome SSO settings
3. Download your Base64 Certificate
Navigate to the section 'SAML Certificates', look for 'Certificate (Base64)', and click 'Download'.
Open the downloaded certificate in a text editor and copy its full contents. Navigate to Leapsome's SSO settings and paste the full certificate into the 'Certificate' field. Leapsome uses this certificate to verify the signatures on the assertions Azure AD sends, so make sure it is the active signing certificate of this application. Azure AD signing certificates expire; when you rotate the certificate in Azure AD, update it in Leapsome as well, otherwise SSO logins will fail.
4. Copy your Login URL
Navigate to the section 'Set up Leapsome' and copy the 'Login URL'
Navigate to Leapsome's SSO settings, and paste the Login URL into the 'SSO Login URL' field.
5. Test SSO
In Leapsome, check the box 'Enable SAML-Based single sign-on', and confirm by clicking 'Update SSO settings'.
In Azure, you can now 'Test' single sign-on with Leapsome to see if the Login works as expected.
Please keep in mind that this will only work for your own account for now, as you have not yet assigned any other users to the application. Once the test has been successful, you can set up SSO for the rest of your team.
Assign Users
In Azure, navigate to your Leapsome application and select the tab 'Users & Groups'. There you can add all users and groups to the application to allow them to use Azure AD SSO when logging in to Leapsome. Especially if you are using a different tool for User Provisioning, double-check that all users who use Leapsome are added here and use the same email address in Leapsome as in Azure AD.
Once that is done, your colleagues can log in to Leapsome using their Azure AD credentials.
The SSO Login flow
With SSO enabled, Leapsome shows a 'Sign in with Company SSO' button during the login process if it recognizes that the user's email belongs to an organization using SSO.
Upon clicking 'Sign in with Company SSO', the user is redirected to your organization's login interface, provided by Azure AD.
Please note that login via SSO only works for 'invited' or 'active' Leapsome users. Also, if you have not 'enforced' single sign-on, users will be asked to create a password on their first login. The next section lists options to work around these two limitations.
Additional customization
Enforce SSO
By default, users will always have the option to sign in with their email and Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, navigate to the SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
From then on, all users within your account can only log in to Leapsome via SSO. Please make sure that SSO is set up correctly for all users in your organization, as they otherwise won't be able to access Leapsome.
All newly invited users will not see an option to create a password when they sign in for the first time while SSO is enforced.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS for provisioning users to Leapsome, you have the option to automatically send invitations to newly provisioned users. That way they can use SSO from the start, including when SSO is enforced.
2. Enable just-in-time-provisioning for your IDP
Some IDPs like Azure AD offer just-in-time provisioning for your user base. With JIT provisioning, a user profile is created immediately when a user from your organization tries to log in to Leapsome, so it is not necessary to invite your users for them to be able to log in. Please note that JIT provisioning cannot be used if you are also using an HRIS integration, and that JIT can only be enabled for one domain. Please reach out to Leapsome support to allow JIT for your account.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Sending these allows you to point your employees directly to the login URL and prepopulate the relevant profile information when they sign in for the first time.
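When the test login in step 5 fails, or JIT profiles come out empty, the quickest way to find out why is to look at the SAML Response Azure AD actually posts to the Reply URL and compare it with the values entered in 'Basic SAML Configuration' and the attribute names listed above. The script below is an added example for this article, not Leapsome's or Microsoft's code: it decodes a captured SAMLResponse form field, checks Destination against the Reply URL, Audience against the Entity ID https://www.leapsome.com, the status code, and the NameID (assumed here to be the user's email, since Leapsome matches users by email address), and maps the four JIT attributes from the claims namespace above. The Reply URL, the sample response, the fake tenant ID and the user data are constructed placeholders; the script does not verify the XML signature, which the real service provider must do with the certificate from step 3.

```python
"""Sanity-check an Azure AD SAML Response against the values the Leapsome
setup expects and extract the JIT-provisioning attributes.

Added example, not Leapsome code. It does NOT verify the XML signature.
Feed it the base64 SAMLResponse form field captured in the browser (e.g.
from the network tab) after a test login.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Claim namespace and attribute names the article lists for JIT provisioning.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
JIT_ATTRIBUTES = ("firstname", "lastname", "title", "picture")

# Entity ID from the article. The Reply URL is an assumed placeholder; take
# the real one from 'Settings' > 'Integrations' > 'Single Sign-On (SSO)'.
ENTITY_ID = "https://www.leapsome.com"
REPLY_URL = "https://app.example.test/sso/saml/callback"


def decode_saml_response(b64: str) -> str:
    """The SAMLResponse form field is base64-encoded XML."""
    return base64.b64decode(b64).decode("utf-8")


def check_response(xml_text: str, entity_id: str = ENTITY_ID,
                   reply_url: str = REPLY_URL) -> list:
    """Return the mismatches between the response and the expected Basic
    SAML Configuration; an empty list means the fields line up."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    # Destination must equal the Reply URL (Assertion Consumer Service URL).
    dest = root.get("Destination")
    if dest != reply_url:
        problems.append(f"Destination {dest!r} does not match Reply URL {reply_url!r}")
    # Audience must equal the Identifier (Entity ID) entered in Azure AD.
    audience = root.findtext(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience",
        namespaces=NS)
    if audience != entity_id:
        problems.append(f"Audience {audience!r} does not match Entity ID {entity_id!r}")
    # Assumption: the NameID carries the email Leapsome matches users by.
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address")
    return problems


def jit_profile(xml_text: str) -> dict:
    """Map the attributes Leapsome recognizes (in CLAIMS_NS) to a profile
    dict. Attributes in other namespaces are ignored; attributes the IdP
    does not send are simply absent, which is what you want to see."""
    root = ET.fromstring(xml_text)
    profile = {"email": root.findtext(
        "saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind(
            "saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if not name.startswith(CLAIMS_NS):
            continue
        short = name[len(CLAIMS_NS):]
        if short in JIT_ATTRIBUTES:
            profile[short] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return profile


# Constructed sample (unsigned, fake tenant ID and user). 'picture' is
# deliberately missing and one unrelated Microsoft claim is included.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{REPLY_URL}">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS_NS}firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS_NS}lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS_NS}title"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><saml:AttributeValue>0000</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_RESPONSE_B64)
    print("problems:", check_response(xml_text) or "none")
    print("profile:", jit_profile(xml_text))
```

Two things this makes visible. First, Azure AD's default claims are named givenname and surname, not firstname and lastname, so the four attributes above only arrive if you add them as custom claims with exactly these names in the application's 'Attributes & Claims' section; the profile dict shows which ones are actually being sent. Second, a Destination or Audience mismatch points at a typo in 'Basic SAML Configuration' rather than at user assignment, which is the other common cause covered in the FAQ below.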
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitations for your account in the backend. You can then enable the automatic sendout of invitations without any notifications or emails actually being sent to the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team via the 'Help' button in Leapsome.
Frequently asked questions
A user does not have the option to log in via SSO - why could that be?
Usually, this issue occurs when the user has not been assigned or granted access to the Leapsome app in your IDP. Please make sure that there is an automation or workflow in place that ensures that, for example, people joining your company are granted access to Leapsome on the IDP side.
Please also double-check that this user has an account in Leapsome that uses the same email address as in your IDP and has received an invitation. You can check this in the 'Employees' section in Leapsome.
How can we access Leapsome in case we have SSO enforced and our IDP is down?
In this case, please reach out to your Customer Success Manager or our Support Team to define the next steps.
Can we set up 2-factor-authentication for the Leapsome login?
This is generally possible and has to be set up on the IDP side, for example by requiring multi-factor authentication in Azure AD for the users assigned to the Leapsome application.
Is there a way to disable the 'Sign in with Google' button, once we have set up SSO via another provider?
This is currently not possible. The option to 'Sign in with Google' (OAuth2) will still show on the login screen, even when SAML-based SSO is activated. Only once you 'enforce' SAML SSO will the 'Sign in with Google' button no longer show.
Can I connect one IDP to multiple Leapsome accounts?
This is not possible, since the Entity IDs would not be unique. In that case, only one Leapsome account can use that IDP for SSO. Please note that for user provisioning it is possible to connect the same IDP to multiple Leapsome accounts.
What are the steps to login?
If you use SSO via Okta or Azure AD, you can log in from within that IDP ("My apps"). Please note that this may need additional configuration on the IDP side. Alternatively, you can go to the Leapsome login page, enter your email, click 'Continue', and you will see the button 'Sign in with Company SSO'.
I want to switch my SSO provider (IDP) - What do I need to keep in mind to prevent login issues?
If you switch your IDP (e.g. from Okta to Entra ID), you will need to disable SSO within your old IDP and follow our SSO setup guide for your new provider. Since Leapsome can only connect to one IDP as its SAML SSO provider at a time, logins from our login page will start using your new IDP as soon as you have completed the setup.
You then only need to make sure that you remove the 'Leapsome App' within your old IDP, to prevent login attempts to Leapsome from within that IDP (e.g. via "My apps").
Ideally, perform the switch at a time when the majority of your users are not using Leapsome (e.g. in the evening), to give yourself time to debug potential setup issues with your new IDP. To prevent getting locked out, also make sure not to 'enforce' SSO for the duration of the setup. You can re-enable it as soon as you have been able to test SSO for Leapsome with the new IDP.