With single sign-on (SSO), your employees will be able to log in with their existing company identity, and will not need to keep a separate set of login username/password for Leapsome. Leapsome integrates with any external system capable of acting as a SAML 2.0 identity provider.
What is SAML?
SAML (Security Assertion Markup Language) is a widely used open standard for exchanging authentication and authorization data between two parties: an identity provider (IDP), such as Microsoft Azure Active Directory, Okta or OneLogin, and a service provider application, such as Leapsome. The sign-in flow can be started either from the service provider's login page (SP-initiated) or from the identity provider's app portal page (IDP-initiated).
Why should I use single sign-on (SSO) for my organization?
Here are a few reasons why using SSO for your organization is highly recommended:
- It gives organizations centralized control over who has access to their systems.
- It lets you enforce your password and multi-factor policies in one place, the identity provider.
- It eliminates password fatigue.
- It reduces the need for unsafe password management strategies and training.
- It lowers password-related calls to IT, which saves money on IT expenditures.
- It boosts overall productivity due to faster log-ins and fewer lost passwords.
- It reduces breach exposure: credentials live only in your identity provider, so with SSO enforced Leapsome never holds a password for your users.
Configuration
If your existing identity management system supports the SAML 2.0 protocol it can be configured as the SSO for Leapsome. Popular hosted services with SAML support include Google Workspace, Microsoft Azure Active Directory, Okta, OneLogin, and others.
In case you are using any of the tools listed below as your identity provider, please follow the tool-specific guides to complete the SSO setup for Leapsome:
- Setting up SSO with Google Workspace
- Setting up SSO with OneLogin
- Setting up SSO with Active Directory ADFS
- Setting up SSO with Azure AD
If you are using any other identity provider, please follow the steps below.
1. Retrieving relevant information from Leapsome
As an Admin in Leapsome, you can set up SSO for your account under 'Settings' > 'Integrations and imports' > 'Single Sign On (SSO)'. There, you can find data that your identity provider may require from Leapsome for the setup, including:
- Metadata
- Entity ID
- Login URL
- Reply URL
2. Setting up SSO within your identity provider
Within your identity provider, prepare SSO for Leapsome according to its requirements and paste the required information you found in Leapsome in Step 1.
In the end, you will need to provide the following data from your identity provider to Leapsome:
- SSO Login URL
- Base64-encoded certificate
Paste these into the respective fields in Leapsome. Please note that this can only be done by a super-admin.
When configuring the integration in your identity provider, make sure that it sends the user's email address as the user identifier (NameID). Leapsome matches the SSO login to the Leapsome user with exactly that email address, so a mismatch between the IDP email and the Leapsome profile email will leave the user without an SSO login option.
3. Finalizing the setup in Leapsome
After finalizing the setup within your identity provider and pasting your SSO Login URL as well as the Base64-encoded certificate to Leapsome, please tick the option 'Enable SAML-based single sign-on' and confirm your settings by clicking 'Update SSO settings'.
You can test the setup with your own user profile. If you have set everything up correctly, you should see the button 'Sign in with company SSO' after typing in your email address on the Leapsome login screen.
After clicking that button, your users are redirected to your company's login interface.
Please note that the login via SSO will only work for invited users. Also, in case you have not 'enforced' Single Sign-on, users will be asked to create a password with their first login. The next section lists options to navigate these two limitations.
Additional customization
Enforce SSO
By default, users will always have the option to sign in with email and their Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, please navigate to SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
Like that, all users within your account can only log in to Leapsome by using SSO. Please make sure that you set up SSO correctly for all users in your organization, as they otherwise won't be able to access Leapsome.
All newly invited users will not see an option to create a password when they sign in for the first time while SSO is enforced.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS for provisioning users to Leapsome, you have the option to automatically send invitations to newly provisioned users. Like that, they will be able to use SSO from the get-go, if you have enforced SSO.
2. Enable just-in-time-provisioning for your IDP
Some IDPs, like Azure AD, offer just-in-time (JIT) provisioning for your user base. With JIT, a user profile is created in Leapsome the moment a user from your organization first logs in via SSO, so it is not necessary to invite your users beforehand. Please note that JIT provisioning cannot be used if you are also using an HRIS integration. Please reach out to Leapsome support to allow JIT for your account. Please also note that JIT can only be enabled for one email domain.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Using these will allow you to point your employees directly to the login URL and prepopulate relevant information when they sign in for the first time.
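The two requirements above, an email address as NameID (step 2 of the setup) and the optional profile attributes in the claims namespace, are easiest to verify by looking at an actual SAML response from your IDP before you switch on 'Enforce SSO'. The following Python script is an added example, not Leapsome's own code. It decodes a Base64 SAML Response, extracts the NameID, the Audience, the signing certificate and the profile attributes, and compares them with what you pasted into the SSO settings. The IDP and SP URLs, the user data and the certificate string are constructed placeholders (the certificate is not a real X.509 certificate). The script does not verify the XML signature itself; use a proper SAML library for that.

```python
"""Sanity-check a SAML 2.0 response before enforcing SSO (added example).

Checks: NameID is an e-mail address, Audience matches the SP Entity ID,
the signing certificate equals the one configured on the SP, and reports
which optional profile attributes the IDP did not send.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PROFILE_ATTRS = ("firstname", "lastname", "title", "picture")

# Constructed sample response; hosts, user and certificate are placeholders.
SAMPLE_CERT = "MIIBsampleCERTplaceholder0123456789abcdef=="
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
    {SAMPLE_CERT}
   </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="{CLAIMS_NS}firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="{CLAIMS_NS}lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="{CLAIMS_NS}title"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def normalize_cert(cert: str) -> str:
    """Strip PEM armour and whitespace so certificates compare as raw Base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert)
    return "".join(body.split())


def parse_saml_response(response_b64: str) -> dict:
    """Extract the fields that matter for the service-provider configuration."""
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the Response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        # Keep the short name for attributes in the claims namespace.
        attrs[name[len(CLAIMS_NS):] if name.startswith(CLAIMS_NS) else name] = value
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audience": audience.strip(),
        "signing_cert": normalize_cert(
            assertion.findtext(".//ds:X509Certificate", default="", namespaces=NS)),
        "attributes": attrs,
    }


def check_response(parsed: dict, sp_entity_id: str, configured_cert: str) -> list:
    """Return hard problems; an empty list means the response is usable for SSO."""
    problems = []
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID format {parsed['name_id_format'] or '(missing)'} is not {EMAIL_FORMAT}")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", parsed["name_id"]):
        problems.append(f"NameID {parsed['name_id']!r} is not an e-mail address")
    if parsed["audience"] != sp_entity_id:
        problems.append(f"Audience {parsed['audience']!r} does not match SP Entity ID {sp_entity_id!r}")
    if parsed["signing_cert"] != normalize_cert(configured_cert):
        problems.append("signing certificate differs from the one configured on the SP")
    return problems


def missing_profile_attributes(parsed: dict) -> list:
    """Optional attributes the IDP did not send (JIT profiles stay incomplete)."""
    return [a for a in PROFILE_ATTRS if a not in parsed["attributes"]]


if __name__ == "__main__":
    result = parse_saml_response(SAMPLE_RESPONSE_B64)
    for problem in check_response(result, "https://sp.example.com/saml/metadata", SAMPLE_CERT):
        print("PROBLEM:", problem)
    print("optional attributes not sent:", missing_profile_attributes(result))
```

To use it against your own IDP, capture the Base64 `SAMLResponse` form field from a test login (a browser's developer tools or a SAML tracer extension shows it), pass it to `parse_saml_response`, and call `check_response` with the Entity ID shown in Leapsome's SSO settings and the certificate you pasted there. A non-empty result explains why a user would not get the 'Sign in with company SSO' option; missing optional attributes only mean the JIT-created profile will lack those fields.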
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitation emails for your account in the backend. You can then enable the automatic sendout of invitations without any notification or email actually reaching the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team from the 'Help' button in Leapsome.
Frequently asked questions
A user does not have the option to log in via SSO - why could that be?
Usually, this issue occurs when the user has not been assigned or granted access to the Leapsome app in the settings of your IDP. Please make sure that an automation or workflow is in place on the IDP side that grants access to Leapsome, e.g. to people joining your company.
Please also double-check that this user has an account in Leapsome that uses the same email address as in your IDP, and that the user has received an invitation. You can check this in the 'Employees' section in Leapsome.
How can we access Leapsome in case we have SSO enforced and our IDP is down?
In this case, please reach out to your Customer Success Manager or our Support Team to define the next steps.
Can we set up 2-factor-authentication for the Leapsome login?
This is generally possible, but it has to be set up on the IDP side: Leapsome delegates the login to your IDP, so any second factor your IDP requires is enforced before the user reaches Leapsome.
Is there a way to disable the 'Sign in with Google' button, once we have set up SSO via another provider?
This is currently not possible. The option to 'Sign in with Google' (OAuth2) will still show on the login screen, even when SAML-based SSO is activated. Only once you decide to 'enforce' SAML SSO, the 'Sign in with Google' button will no longer show.
Can I connect one IDP to multiple Leapsome accounts?
This is not possible, since the Entity IDs would not be unique. In such a case, only one Leapsome account can use that IDP for SSO. Please note that for user provisioning it is possible to connect the same IDP to multiple Leapsome accounts.
What are the steps to login?
If you use SSO via Okta or Azure AD, you can log in from within that IDP (e.g. "My apps"). Please note that this may need additional configuration on the IDP side. Alternatively, go to the Leapsome login page, enter your email and click 'Continue'; you will then see the button 'Sign in with Company SSO'.
I want to switch my SSO provider (IDP) - What do I need to keep in mind to prevent login issues?
If you switch your IDP (e.g. from Okta to Entra ID), you will need to disable SSO within your old IDP and follow our SSO setup guide for your new provider. Since Leapsome can only connect to one IDP as its SAML SSO provider at a time, logins from our login page will start using your new IDP as soon as you have completed the setup.
You then need to make sure that you remove the 'Leapsome App' from your old IDP, to prevent login attempts to Leapsome from within that IDP (e.g. via "My apps").
Ideally, perform the switch at a time when the majority of your users are not using Leapsome (e.g. in the evening), to give you time to debug potential setup issues with your new IDP. To prevent you from getting locked out, please also make sure that SSO is not 'enforced' for the duration of the setup. You can re-enable enforcement as soon as you have tested the Leapsome SSO login with the new IDP.