With single sign-on (SSO), your employees can log in with their existing company identity and do not need to keep a separate username and password for Leapsome. Leapsome integrates with any external system capable of acting as a SAML 2.0 identity provider.
What is SAML?
SAML (Security Assertion Markup Language) is a popular open standard for authentication and authorization between two parties: an identity provider (IDP), such as Microsoft Azure Active Directory, Okta, or OneLogin, and a service provider application such as Leapsome. The user sign-in flow can be initiated either from the service provider's website or directly from the identity provider's app portal page.
Why should I use single sign-on (SSO) for my organization?
Here are a few reasons why using SSO for your organization is highly recommended:
- It gives organizations centralized control over who has access to their systems.
- It enforces better password policies.
- It eliminates password fatigue.
- It reduces the need for unsafe password management strategies and training.
- It lowers password-related calls to IT, which saves money on IT expenditures.
- It boosts overall productivity due to faster log-ins and fewer lost passwords.
- It reduces the threat of data breaches by moving ID/authentication data off-premises.
If your existing identity management system supports the SAML 2.0 protocol, it can be configured as the SSO provider for Leapsome. Popular hosted services with SAML support include Google Workspace, Microsoft Azure Active Directory, Okta, OneLogin, and others.
If you are using one of the tools listed below as your identity provider, please follow the tool-specific guide to complete the SSO setup for Leapsome:
- Setting up SSO with Google Workspace
- Setting up SSO with OneLogin
- Setting up SSO with Active Directory ADFS
- Setting up SSO with Azure AD
If you are using any other identity provider, please follow the steps below.
1. Retrieving relevant information from Leapsome
As an Admin in Leapsome, you can set up SSO for your account under 'Settings' > 'Integrations' > 'Single Sign-On (SSO)'. There, you can find data that your identity provider may require from Leapsome for the setup, including:
- Entity ID
- Login URL
- Reply URL
2. Setting up SSO within your identity provider
Within your identity provider, prepare SSO for Leapsome according to its requirements and paste the required information you found in Leapsome in Step 1.
In the end, you will need to provide the following data from your identity provider to Leapsome:
- SSO Login URL
- Base64-encoded certificate
Paste these into the respective fields in Leapsome. Please note that this can only be done by a super-admin.
When configuring the integration in your identity provider, make sure that your system provides the user's email address as the user identifier (NameID).
3. Finalizing the setup in Leapsome
After finalizing the setup within your identity provider and pasting your SSO Login URL as well as the Base64-encoded certificate to Leapsome, please tick the option 'Enable SAML-based single sign-on' and confirm your settings by clicking 'Update SSO settings'.
You can test the setup with your own user profile. If you have set everything up correctly, you should see the button 'Sign in with company SSO' after typing in your email address on the Leapsome login screen.
After clicking that button, your users should be redirected to your company's login interface.
Please note that the login via SSO will only work for invited users. Also, in case you have not 'enforced' Single Sign-on, users will be asked to create a password with their first login. The next section lists options to navigate these two limitations.
By default, users will always have the option to sign in with their email and Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, please navigate to the SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
This way, all users within your account can only log in to Leapsome by using SSO. Please make sure that you set up SSO correctly for all users in your organization, as they otherwise won't be able to access Leapsome.
All newly invited users will not see an option to create a password when they sign in for the first time while SSO is enforced.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they have received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS for provisioning users to Leapsome, you have the option to automatically send invitations to newly provisioned users. This way, they will be able to use SSO from the get-go, if you have enforced SSO.
2. Enable just-in-time-provisioning for your IDP
Some IDPs, like Azure AD, offer just-in-time (JIT) provisioning for your user base. This way, a user profile is created immediately when a user from your organization tries to log in to Leapsome. When JIT provisioning is enabled, it is not necessary to invite your users for them to be able to log in to Leapsome. Please note that JIT provisioning cannot be used if you are also using an HRIS integration. Please reach out to Leapsome support to allow JIT for your account. Please note that JIT can only be enabled for one domain.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Using these will allow you to point your employees directly to the login URL and prepopulate relevant information when they sign in for the first time.
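The following is an added example, not code from the Leapsome article or from Leapsome itself. It is a stdlib-only Python checker that an administrator can run against a SAML response captured during testing (for instance with a browser SAML tracer) to confirm the points the steps above call out: the NameID is the user's email address, the Audience matches the Entity ID and the Destination matches the Reply URL shown in Leapsome, the validity window is current, and the optional firstname/lastname/title/picture attributes are read from the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ namespace. The Entity ID and Reply URL values, the IdP issuer and the sample response are constructed placeholders (example.invalid), and the script deliberately does not verify the XML signature; that check is performed by the service provider using the Base64-encoded IdP certificate.

```python
# Added example, not part of the Leapsome article: structural checks on a
# SAML 2.0 response against what a service provider such as Leapsome expects.
# Signature verification is NOT done here; the SP does that with the IdP cert.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CLAIM_ATTRS = ("firstname", "lastname", "title", "picture")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Placeholder values (assumption): copy the real Entity ID and Reply URL from
# Leapsome under Settings > Integrations > Single Sign-On (SSO).
SP_CONFIG = {
    "entity_id": "https://sp.example.invalid/saml/metadata",
    "reply_url": "https://sp.example.invalid/saml/acs",
}

# Constructed sample response; not captured from any real identity provider.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://sp.example.invalid/saml/acs" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/title"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture"><saml:AttributeValue>https://cdn.example.invalid/jane.png</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """SAML timestamps are UTC in the form 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_config, now):
    """Return (problems, attributes). An empty problems list means the response
    matches the SP configuration; attributes holds the recognised claim values."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element (encrypted assertions not handled)"], {}

    # Destination must be the Reply URL (assertion consumer service) from Leapsome.
    if root.get("Destination") != sp_config["reply_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != reply URL")

    # NameID must be the user's email; it is matched against the invited account.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or not EMAIL_RE.match(name_id.text.strip()):
        problems.append("NameID missing or not an email address")

    # Audience must name the SP Entity ID, and the validity window must include now.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_config["entity_id"] not in audiences:
        problems.append("Audience does not include the Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")

    # Optional profile attributes in the ws/2005/05/identity/claims namespace.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        short = name[len(CLAIMS_NS):] if name.startswith(CLAIMS_NS) else None
        if short in CLAIM_ATTRS:
            value = attr.find("saml:AttributeValue", NS)
            attributes[short] = value.text.strip() if value is not None and value.text else ""
    return problems, attributes


def check_sample():
    """Run the checker on the constructed sample at its issue time."""
    return check_assertion(SAMPLE_RESPONSE, SP_CONFIG, SAMPLE_NOW)


if __name__ == "__main__":
    problems, attrs = check_sample()
    print("problems:", problems or "none")
    print("attributes:", attrs)
```

Replace SP_CONFIG with the values shown in Leapsome and feed the checker the decoded response from a test login; any reported problem points at the IdP setting to correct (NameID mapping, audience/identifier, or reply URL) before enabling 'Enforce SSO'.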
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitations for your account in the backend. This way, you can enable an automatic sendout of invitations without actually sending any notification or emails to the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team from the 'Help' button in Leapsome.
Frequently asked questions
A user does not have the option to log in via SSO - why could that be?
Usually, this issue occurs when a user has not been assigned or granted access to the Leapsome app in the settings of your IDP. Please make sure that there is an automation or workflow in place that ensures that, for example, people joining your company are granted access to Leapsome on the IDP side.
Please also double-check that this user has an account in Leapsome that is using the same email as in your IDP, and has received an invitation. You can check this in the 'Users & Teams' section in Leapsome.
How can we access Leapsome in case we have SSO enforced and our IDP is down?
In this case, please reach out to your Customer Success Manager or our Support Team to define next steps.
Can we set up 2-factor-authentication for the Leapsome login?
This is generally possible and has to be set up on the IDP side.
Is there a way to disable the 'Sign in with Google' button, once we have set up SSO via another provider?
This is currently not possible. The option to 'Sign in with Google' (OAuth2) will still show on the login screen, even when SAML-based SSO is activated.
What are the steps to log in?
If you use the SSO via Okta, then you can click the login link in Okta. You can also go to the Leapsome login page, enter your email > continue, and you will see the button to 'Sign in with your Company SSO.'