Single Sign-On

The final step in completely integrating Speakap into your organisation and its daily processes will be to integrate Single Sign-On (SSO) for your network. Using SSO, your employees will no longer be required to remember a separate username and password for Speakap and other applications used within your organisation. Instead, they will only have to log in once, using your organisation’s own trusted authentication solution. Your employees will gain fast and easy access to all the information and tools required to do their work.

How it works

When Single Sign-On is enabled for users within your Speakap network, they do not need to enter a password to access Speakap. Instead, after they enter their username, Speakap connects to your organisation’s Federation Server to handle authentication. If the user is already logged in there, he or she is logged into Speakap right away. If not, the user can authenticate with your Federation Server and is then redirected back to Speakap. Your federation server acts as the so-called Identity Provider in this flow.

Technical requirements

SAML 2.0

Currently, Speakap supports Single Sign-On based on the SAML 2.0 protocol. Any identity provider that supports SAML 2.0 can be used to log in to Speakap.

A well-known solution which supports this is Microsoft Active Directory Federation Services (ADFS).

For details on the SAML 2.0 protocol, see the SAML 2.0 specifications.

SAML 2.0 Configuration Instructions

The following settings should be configured at the federation server in order to connect with Speakap:

Property                     Value
EntityID                     https://authenticator.speakap.io/saml
Assertion Consumer Service   https://authenticator.speakap.io/saml/acs
  (sometimes known as “Single Sign On URL”)
Signing Algorithm            sha1
Name ID format               E-Mail Address

SAML SP Metadata

Some SAML 2.0 identity providers support importing a metadata file. Our SAML metadata can be found here: authenticator.speakap.io.xml

Microsoft ADFS Settings

When using Microsoft ADFS in combination with Active Directory, some claim rules are required in order to make sure that the correct Name ID is used with Speakap:

Rule 1

Property             Value
Rule Template        Send LDAP Attributes as Claims
Attribute Store      Active Directory
LDAP Attribute       User Principal Name*
Outgoing Claim Type  E-Mail Address

Rule 2

Property                 Value
Rule Template            Transform an Incoming Claim
Incoming Claim Type      E-Mail Address
Outgoing Claim Type      Name ID
Outgoing Name ID format  E-mail

* Other attributes besides ‘User Principal Name’ can be used as well. Please contact Speakap Technical Support to discuss the options.
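The following script is an added example (not Speakap’s or Microsoft’s own code) that creates the ADFS relying party trust with the values from the SAML 2.0 configuration table above and expresses the two claim rules in the ADFS claim rule language, so the result can be verified against the tables. It assumes an elevated PowerShell session on the ADFS server; the trust name “Speakap” and the permit-all issuance authorization rule are choices made here, not Speakap requirements.

```powershell
# Added example: configure the Speakap relying party trust in AD FS.
# The trust name "Speakap" and the permit-all authorization rule are assumptions.
Import-Module ADFS

# Rule 1 ("Send LDAP Attributes as Claims"): issue userPrincipalName from
# Active Directory as an E-Mail Address claim.
# Rule 2 ("Transform an Incoming Claim"): re-issue the E-Mail Address claim as
# the Name ID with the SAML e-mail Name ID format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Speakap - UPN as E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Speakap - E-Mail Address as Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Assertion Consumer Service endpoint (HTTP-POST binding) from the configuration table.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri "https://authenticator.speakap.io/saml/acs"

# EntityID, ACS endpoint and signing algorithm (sha1) as documented above.
Add-AdfsRelyingPartyTrust -Name "Speakap" `
    -Identifier "https://authenticator.speakap.io/saml" `
    -SamlEndpoint $acs `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Check the result against the tables: identifier, endpoint, algorithm and rules.
Get-AdfsRelyingPartyTrust -Name "Speakap" |
    Format-List Name, Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```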

Enabling SSO in your Speakap network

Before you can use Single Sign-On in Speakap, your SAML 2.0 Identity Provider needs to be added to our configuration. Please contact Speakap Technical Support and provide the URL for your federationmetadata.xml, or supply the file directly.

White label applications

Since the regular Speakap mobile applications are not set up to use your identity provider, we need to prepare apps specific to your organisation. If you’re not already using white label versions of our apps, now is the time to set these up.

A white labeled app is an app which is published to the App Store and Google Play Store under your own company name and branding. These white labeled apps can be customised to match your company’s brand and colours. This way your Speakap network is instantly recognisable for your employees.

More information on these white label applications can be found here.

Speakap User-Sync

Single Sign-On will only work when we know which users should have access to your network. To ensure this, you will need to connect to our User-Sync application that imports and manages all your employees within Speakap. The Speakap User-Sync will run daily (or at any other desired frequency) to synchronise between the employees within your HR-Software and Speakap. This way we will ensure that only the right users will have access to the network and all the relevant information for their daily tasks.

More information on the Speakap User-Sync can be found here.

Timelines

Below you can find an overview of the timelines that apply to the process of enabling Single Sign-On for your network.

During this process it’s important to keep in contact and answer any questions as soon as possible. Delays in this might result in delays in the implementation, as we might be unable to implement some parts when essential information is missing.

Week 1 – Setting up

The exchange and configuration of SAML 2.0 configuration instructions, metadata and Microsoft ADFS claim rules.

Weeks 2 – 5 – Implementation

Setting up SSO is a matter of configuration, but as mentioned earlier, your network should also be ready to support our SSO flow. During the implementation, we will be creating and releasing your white label applications and implementing the User-Sync for your network.

You can read all about the requirements for these implementations on their respective documentation pages.

Week 6 – Roll out

Once your white label applications have been released in the app stores and the User-Sync is set up, we should be ready to roll out. We will plan the exact moment of roll out carefully and together.

After roll out

Once rolled out, it might be required to make changes to the set-up of the User-Sync or the white label applications.

Small changes can usually be applied within 48 hours, but for bigger, structural changes we need some time to plan properly. We aim to have these solved within 14 days.

Please contact Speakap Technical Support if you have any request for changes.

SSO Checklist

Before we start implementing SSO for your network, we ask you to have a look at the following checklist. Some of these items might require some investigation on your side, but having the answers before starting the implementation might save us both some time in the end.

  • Does our Active Directory or HR-Software support Single Sign-On functionalities?
    • Is SAML 2.0 supported?
    • Is my Active Directory or HR-Software publicly accessible or only from within an internal network?
  • Does our network have a white label application?
  • Are we connected or going to connect to the Speakap User-Sync?
  • How do our employees currently log in?
    • Is this username-based, email-address-based, or otherwise?
  • Are there users already using Speakap before we start to roll out SSO?
    • How are we going to migrate those existing users?
    • Do we need to communicate something to these users?