With single sign-on (SSO), your employees can log in with their existing company identity and do not need to maintain a separate username and password for Leapsome. Leapsome integrates with any external system capable of acting as a SAML 2.0 identity provider.
Okta can be used for both Single Sign-On and User Provisioning. If you want to learn more about setting up user provisioning with Okta, please have a look at this article.
Supported Features
The Okta/Leapsome SAML integration currently supports the following features:
- IdP-initiated SSO
- SP-initiated SSO
- JIT (Just In Time) Provisioning - To enable JIT, please send us a support request
Configuration
To configure SSO with Okta, you will need Admin access to both Okta and Leapsome.
1. Enable SSO and retrieve relevant information from Leapsome
As an Admin in Leapsome, you can set up SSO for your account under 'Settings' > 'Integrations' > 'Single Sign-On (SSO)'. First, you would need to mark the checkbox "Enable SAML-based single sign-on".
In the same page, you can find the Client ID that Okta will require from Leapsome for the setup:
- Client ID = Leapsome account ID included in the Metadata URL
2. Enter Client ID and Get SSO Login URL and Certificate from Okta
As an Admin in Okta, you will need to retrieve the information required for the setup. This article assumes you already have the Leapsome app installed in Okta. If that is not the case, please refer to the user provisioning with Okta article.
Within Okta, navigate to Applications > Leapsome > Sign On and click "Edit".
Scroll down to the field "Client ID" and enter the value you copied within Leapsome.
Next, copy the "Metadata URL" field and your certificate. The certificate is available under SAML Signing Certificates > View IdP metadata. Make sure to copy only the encoded certificate text between the opening and closing <ds:X509Certificate> tags, not the tags themselves.
If you have trouble finding the correct Metadata URL and certificate, Okta provides these values and additional instructions via "View SAML instructions" on the right side of the Sign On settings.
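The two values step 2 asks you to copy (the SSO login URL and the signing certificate) both live in the IdP metadata document, and the most common setup mistake is pasting the certificate with its surrounding tags, a PEM wrapper, or line breaks. The following Python script is an added example, not Leapsome's or Okta's own code: it parses a constructed metadata document of the shape an IdP publishes (placeholder entity ID, URLs and a placeholder certificate that is valid base64 but not a real X.509 certificate), pulls out the SingleSignOnService location and the signing certificate, and normalises a pasted certificate to the bare base64 body, rejecting pastes that still contain XML markup or non-base64 characters.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the base64 DER certificate an IdP
# publishes. It is NOT a real certificate, only valid base64 so the parsing
# and normalisation logic can be exercised offline.
PLACEHOLDER_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate"
).decode("ascii")

# Constructed sample with the shape of an IdP metadata document. The entity ID
# and URLs are placeholders, not a real tenant. The certificate is wrapped
# across indented lines on purpose, as real metadata often is.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://www.okta.com/EXAMPLE_IDP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            {PLACEHOLDER_CERT_B64[:20]}
            {PLACEHOLDER_CERT_B64[20:]}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://example.okta.com/app/example/EXAMPLE_IDP_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://example.okta.com/app/example/EXAMPLE_IDP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_certificate(raw: str) -> str:
    """Reduce a pasted certificate to its bare base64 body.

    Drops PEM header/footer lines and all whitespace, then checks that what is
    left is valid base64. Raises ValueError otherwise, so a paste that picked
    up the surrounding XML tags or a PEM wrapper is caught before it is saved.
    """
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    body = "".join(body.split())  # remove any remaining inner whitespace
    if not body:
        raise ValueError("certificate is empty")
    if "<" in body or ">" in body:
        raise ValueError("certificate still contains XML markup; copy only the encoded body")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    return body


def extract_signing_certificate(metadata_xml: str) -> str:
    """Return the IdP signing certificate (bare base64) from SAML metadata."""
    root = ET.fromstring(metadata_xml)
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use") in (None, "signing"):
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                return normalize_certificate(cert.text)
    raise ValueError("no signing certificate found in IdP metadata")


def extract_sso_login_url(metadata_xml: str, binding: str = "HTTP-POST") -> str:
    """Return the SingleSignOnService Location for the requested binding."""
    root = ET.fromstring(metadata_xml)
    wanted = f"urn:oasis:names:tc:SAML:2.0:bindings:{binding}"
    for svc in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == wanted and svc.get("Location"):
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService with binding {binding}")


if __name__ == "__main__":
    print("SSO login URL:", extract_sso_login_url(SAMPLE_METADATA))
    print("Certificate  :", extract_signing_certificate(SAMPLE_METADATA)[:32] + "...")
```

Point the script at a metadata document downloaded from your IdP's Metadata URL to get the two values in the exact form the SSO settings page expects; if `normalize_certificate` raises, the clipboard contents included more than the encoded certificate body.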
3. Paste SSO Login URL and Certificate in Leapsome
Now head back to Leapsome's 'Settings' > 'Integrations and imports' > 'Single Sign-On (SSO)' and copy the SSO Login URL and certificate into the relevant fields. Make sure to save your settings via 'Update SSO settings' afterwards.
4. Login via SSO
Now you are good to go. To log in to Leapsome via Okta SSO, simply head to the Leapsome login page and enter your email. After clicking 'Continue', users are asked to 'Sign in with Company SSO' and are redirected to Okta.
Additional customization
Enforce SSO
By default, users always have the option to sign in with their email and Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, navigate to the SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
From then on, all users within your account can only log in to Leapsome via SSO. Please make sure that SSO is set up correctly for all users in your organization, as they will otherwise not be able to access Leapsome.
All newly invited users will not see an option to create a password when they sign in for the first time while SSO is enforced.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they have received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS to provision users to Leapsome, you have the option to automatically send invitations to newly provisioned users. This way, they can use SSO from the start, if you have enforced SSO.
2. Enable just-in-time-provisioning for your IDP
Some IDPs, like Azure AD, offer just-in-time provisioning for your user base. With JIT, a user profile is created immediately when a user from your organization tries to log in to Leapsome, so it is not necessary to invite users before they can log in. Please note that JIT provisioning cannot be used if you are also using an HRIS integration, and that JIT can only be enabled for one domain. Please reach out to Leapsome support to allow JIT for your account.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Using these will allow you to point your employees directly to the login URL and prepopulate relevant information when they sign in for the first time.
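To make concrete what the identity provider has to send for these attributes to be picked up, the following Python snippet is an added example (not Leapsome's own code) that parses a constructed SAML assertion carrying the four claims above under the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ namespace and maps them, together with the NameID, onto a profile record. Attributes outside that namespace are ignored, and the picture value is only accepted if it is an http(s) URL. The issuer, user and URLs are placeholders; the snippet does not verify the assertion's signature, which a real service provider must do before any attribute value is trusted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The four profile attributes the article lists, keyed by their full claim URI.
PROFILE_ATTRIBUTES = {
    CLAIMS + "firstname": "first_name",
    CLAIMS + "lastname": "last_name",
    CLAIMS + "title": "title",
    CLAIMS + "picture": "picture",
}

# Constructed sample assertion (unsigned, placeholder issuer and user). The
# 'department' attribute is not one of the recognised claims and is ignored.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/EXAMPLE_IDP_ID</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title">
      <saml2:AttributeValue>Security Engineer</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture">
      <saml2:AttributeValue>https://photos.example.com/jane.png</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="department">
      <saml2:AttributeValue>Platform</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def profile_from_assertion(assertion_xml: str) -> dict:
    """Map an assertion's NameID and recognised claims to a profile dict.

    Only attributes in the xmlsoap identity-claims namespace are mapped; any
    other attribute is skipped. The picture value is kept only if it is an
    http(s) URL. No signature, audience or validity checks are performed here;
    a service provider must verify the assertion before trusting these values.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    profile = {"email": name_id.text.strip()}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        field = PROFILE_ATTRIBUTES.get(attr.get("Name", ""))
        if field is None:
            continue  # attribute outside the recognised claim namespace
        value = attr.find("saml2:AttributeValue", NS)
        text = (value.text or "").strip() if value is not None else ""
        if not text:
            continue
        if field == "picture" and urlparse(text).scheme not in ("http", "https"):
            continue  # only web URLs are accepted for the picture
        profile[field] = text
    return profile


if __name__ == "__main__":
    for key, val in profile_from_assertion(SAMPLE_ASSERTION).items():
        print(f"{key:10s} {val}")
```

The attribute Name values are the full claim URIs; a friendly name such as `firstname` on its own, or the same name under a different namespace, would not be matched.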
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitations for your account in the backend. This way, you can enable an automatic sendout of invitations without any notifications or emails actually being sent to the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team via the 'Help' button in Leapsome.
Frequently asked questions
A user does not have the option to log in via SSO - why could that be?
Usually, this issue occurs when a user has not been assigned or granted access to the Leapsome app in the settings of your IDP. Please make sure that there is an automation or workflow in place that ensures, for example, that people joining your company are granted access to Leapsome on the IDP side.
Please also double-check that this user has an account in Leapsome that uses the same email as in your IDP, and has received an invitation. You can check this in the 'Employees' section in Leapsome.
How can we access Leapsome in case we have SSO enforced and our IDP is down?
In this case, please reach out to your Customer Success Manager or our Support Team to define the next steps.
Can we set up two-factor authentication for the Leapsome login?
This is generally possible and has to be set up on the IDP side.
Is there a way to disable the 'Sign in with Google' button, once we have set up SSO via another provider?
This is currently not possible. The option to 'Sign in with Google' (OAuth2) will still show on the login screen, even when SAML-based SSO is activated. Only once you decide to 'enforce' SAML SSO will the 'Sign in with Google' button no longer be shown.
Can I connect one IDP to multiple Leapsome accounts?
This is not possible, since the Entity IDs would not be unique. In that case, only one Leapsome account can use that IDP for SSO. Please note that for user provisioning, it is possible to connect the same IDP to multiple Leapsome accounts.
What are the steps to log in?
If you use SSO via Okta or Azure AD, you can log in from within that IDP (e.g. "My apps"). Please note that this may need additional configuration on the IDP side. Alternatively, you can go to the Leapsome login page, enter your email, click 'Continue', and you will see the button to 'Sign in with Company SSO'.
I want to switch my SSO provider (IDP) - What do I need to keep in mind to prevent login issues?
If you switch your IDP (e.g. from Okta to Entra ID), you will need to disable SSO from within your old IDP, and follow our SSO setup guide for your new provider. Since Leapsome can only connect to one IDP as SAML SSO provider at a time, logins from our login page will start using your new IDP, as soon as you've completed the setup.
You then need to make sure that you remove the 'Leapsome App' from your old IDP, to prevent login attempts to Leapsome from within that IDP (e.g. via "My apps").
Ideally, perform the switch at a time when the majority of your users are not using Leapsome (e.g. in the evening), to give yourself time to debug potential setup issues with your new IDP. To prevent getting locked out, please also make sure not to 'enforce' SSO for the duration of the setup. You can re-enable it as soon as you have been able to test SSO for Leapsome with the new IDP.