With single sign-on (SSO), your employees will be able to log in with their existing company identity, and will not need to keep a separate set of login username/password for Leapsome. Leapsome integrates with any external system capable of acting as a SAML 2.0 identity provider.
Setting up the integration
1. Configure the Leapsome App in OneLogin
- As an admin on OneLogin, go to 'Apps' > 'Add Apps'.
- Search for 'Leapsome' and select the result.
- Customize how you want the app to appear in your directory and click 'Save'.
- Go to 'App' > 'Company Apps' and open the newly added 'Leapsome' app.
- Go to the 'Configuration' tab. You will be asked for your Leapsome Account ID. You can find this ID in your Leapsome account under 'Settings' > 'Company' > 'Basic settings':
- On OneLogin, enter your account ID and save your changes.
2. Retrieve relevant information from OneLogin
- On OneLogin, go to the SSO tab and find your X.509 certificate via 'View details'.
- Copy the certificate without the Begin / End tags and ensure there are no linebreaks.
- On OneLogin, go back to the SSO tab and copy the SAML 2.0 Endpoint (HTTP).
3. Finalize the setup in Leapsome
- In Leapsome, enter the X.509 certificate (under 'Certificate') and the SAML 2.0 Endpoint (under 'SSO Login URL') as depicted below.
- Check the 'Enable SSO' checkbox and click 'Update SSO settings'.
4. Assign users to Leapsome within OneLogin
- On OneLogin, assign the Leapsome app to the users that should be able to use Leapsome.
- That is it! The assigned users should now be able to log in to Leapsome using their OneLogin credentials.
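Step 2 above requires the certificate as one base64 line with no BEGIN/END armor and no line breaks. As an added example that is not part of Leapsome's or OneLogin's tooling, the Python below converts a PEM-formatted certificate into that form and sanity-checks the result before you paste it into the 'Certificate' field; the certificate it uses is a constructed placeholder, not a real one.

```python
import base64
import textwrap

# Constructed placeholder, NOT a real certificate: a tiny DER SEQUENCE wrapping
# a 100-byte OCTET STRING, base64-encoded and PEM-armored the way OneLogin's
# 'View details' page presents the X.509 certificate.
_FAKE_DER = b"\x30\x66\x04\x64" + b"\x00" * 100
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_single_line(pem: str) -> str:
    """Drop the BEGIN/END armor lines and join the base64 body into one line."""
    body = []
    for line in pem.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        body.append(line)
    return "".join(body)


def is_valid_certificate_field(value: str) -> bool:
    """Check the value before pasting it: no armor or whitespace left, strict
    base64, and the decoded bytes start with 0x30 (an ASN.1 SEQUENCE), which
    every DER-encoded X.509 certificate does."""
    if "-----" in value or any(ch.isspace() for ch in value):
        return False
    try:
        der = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30
```

A value that fails the check (for example, a copy that still contains line breaks or lost a trailing character) is the usual cause of a certificate that Leapsome rejects.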
Testing the setup
You can test the setup with your own user profile. If you have set everything up correctly, you should see the button 'Sign in with company SSO' after typing in your email address on the Leapsome login screen:
After clicking that button, your users should be redirected to the OneLogin login interface.
Please note that the login via SSO will only work for invited users. Also, in case you have not 'enforced' Single Sign-on, users will be asked to create a password with their first login. The next section lists options to navigate these two limitations.
Additional customization
Enforce SSO
By default, users will always have the option to sign in with their email and Leapsome password, even if SSO is enabled. If you want to make sure that all users log in via the SSO flow, navigate to the SSO settings in Leapsome, tick the box 'Enforce SSO' and confirm by clicking 'Update SSO Settings'.
From then on, all users within your account can only log in to Leapsome via SSO. Make sure that SSO is set up correctly for all users in your organization, as they will otherwise be unable to access Leapsome.
While SSO is enforced, newly invited users will not see an option to create a password when they sign in for the first time.
Logging in without receiving an invitation
By default, users can only log in to Leapsome once they received an invitation to the platform. To reduce the workload on your end when onboarding users to Leapsome, you have a few options to make the invitation and signup process as smooth as possible.
1. Automate the invitation process using one of our HRIS integrations
If you are using an HRIS to provision users to Leapsome, you can automatically send invitations to newly provisioned users. That way, they can use SSO from the start, if you have enforced SSO.
2. Enable just-in-time-provisioning for your IDP
Some IDPs, such as Azure AD, offer just-in-time (JIT) provisioning for your user base. With JIT provisioning, a user profile is created the moment a user from your organization first tries to log in to Leapsome, so it is not necessary to invite users before they can log in. Please note that JIT provisioning cannot be used if you are also using an HRIS integration, and that JIT can only be enabled for one domain. Please reach out to Leapsome support to allow JIT for your account.
Leapsome also recognizes the attributes
- firstname (the employee's given name)
- lastname (the employee's last name)
- title (the job title of the employee)
- picture (a URL to the employee's picture)
in the namespace http://schemas.xmlsoap.org/ws/2005/05/identity/claims/. Using these will allow you to point your employees directly to the login URL and prepopulate relevant information when they sign in for the first time.
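As an added example of how a service provider reads these attributes (not Leapsome's own code), the Python below parses a constructed SAML assertion and collects the four profile claims listed above. It assumes the IDP sends each attribute's `Name` as the namespace URI followed by the attribute name (e.g. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname`), ignores attributes outside that namespace, reports which of the four are missing, and assumes the assertion's signature has already been verified.

```python
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
PROFILE_ATTRS = ("firstname", "lastname", "title", "picture")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real OneLogin response). Signature and
# Conditions elements are omitted because this snippet only reads attributes;
# a real SP must verify the signature before trusting any of these values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS_NS}firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS_NS}title"><saml:AttributeValue>Security Engineer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_profile(assertion_xml: str) -> dict:
    """Return the NameID as 'email' plus any of the four recognised claims."""
    root = ET.fromstring(assertion_xml)
    profile = {"email": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith(CLAIMS_NS):
            continue  # only attributes in the expected namespace are recognised
        short = name[len(CLAIMS_NS):]
        if short in PROFILE_ATTRS:
            profile[short] = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
    return profile


def missing_attributes(profile: dict) -> list:
    """List recognised claims the IDP did not send, so the mapping can be fixed."""
    return [a for a in PROFILE_ATTRS if a not in profile]
```

Running this against a captured assertion from your IDP is a quick way to confirm the attribute mapping before pointing employees at the login URL.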
3. Reach out to us
If you want to avoid sending invitations entirely, our Support team can switch off invitations for your account in the backend. That way, you can enable automatic sending of invitations without any notification or email actually going out to the team. Please note that this is only possible if all of your users use the same email domain. If you want to learn more about this, contact our Support team from the 'Help' button in Leapsome.
Frequently asked questions
A user does not have the option to log in via SSO - why could that be?
Usually, this issue occurs when the user has not been assigned or granted access to the Leapsome app in the settings of your IDP. Please make sure that an automation or workflow is in place that ensures, for example, that people joining your company are granted access to Leapsome on the IDP side.
Please also double-check that this user has an account in Leapsome that is using the same email as in your IDP, and has received an invitation. You can check this in the 'Employees' section in Leapsome.
How can we access Leapsome in case we have SSO enforced and our IDP is down?
In this case, please reach out to your Customer Success Manager or our Support Team to define the next steps.
Can we set up 2-factor-authentication for the Leapsome login?
This is generally possible and has to be set up on IDP side.
Is there a way to disable the 'Sign in with Google' button, once we have set up SSO via another provider?
This is currently not possible. The 'Sign in with Google' (OAuth2) option will still show on the login screen even when SAML-based SSO is activated. Only once you 'enforce' SAML SSO will the 'Sign in with Google' button no longer show.
Can I connect one IDP to multiple Leapsome accounts?
This is not possible, since the 'Entity IDs' would not be unique. In that case, only one Leapsome account can use that IDP for SSO. Please note that, for user provisioning, it is possible to connect the same IDP to multiple Leapsome accounts.
What are the steps to login?
If you use SSO via Okta or Azure AD, you can log in from within that IDP (e.g. 'My apps'). Please note that this may need additional configuration on the IDP side. Alternatively, go to the Leapsome login page, enter your email and click 'Continue'; you will then see the button 'Sign in with Company SSO'.
I want to switch my SSO provider (IDP) - What do I need to keep in mind to prevent login issues?
If you switch your IDP (e.g. from Okta to Entra ID), you will need to disable SSO from within your old IDP and follow our SSO setup guide for your new provider. Since Leapsome can only connect to one IDP as the SAML SSO provider at a time, logins from our login page will start using your new IDP as soon as you have completed the setup.
You will then just need to make sure that you remove the 'Leapsome App' within your old IDP, to prevent login attempts to Leapsome from within that IDP (e.g. via 'My apps').
Ideally, perform the switch at a time when the majority of your users are not using Leapsome (e.g. in the evening), to give you time to debug potential setup issues with your new IDP. To prevent you from getting locked out, also make sure not to 'enforce' SSO for the duration of the setup. You can re-enable it as soon as you have tested SSO for Leapsome with the new IDP.