Single Sign-On
The final step in completely integrating Speakap into your organisation and its daily processes will be to integrate Single Sign-On (SSO) for your network. Using SSO, your employees will no longer be required to remember a separate username and password for Speakap and other applications used within your organisation. Instead, they will only have to log in once, using your organisation’s own trusted authentication solution. Your employees will gain fast and easy access to all the information and tools required to do their work.
How it works
When Single Sign-On is enabled for users within your Speakap network, they do not need to enter a password to access Speakap. Instead, after entering their username, Speakap connects with your organisation’s Federation Server to handle authentication. If the user already has a session there, they are logged into Speakap right away. If not, they authenticate with your Federation Server and are then redirected back to Speakap. Your federation server acts as the so-called Identity Provider in this flow.
Technical requirements
SAML 2.0
Currently, Speakap supports Single Sign-On based on the SAML 2.0 protocol. Any identity provider that supports SAML 2.0 can be used to log in to Speakap.
A well-known solution that supports this is Microsoft Active Directory Federation Services (ADFS).
For details on the SAML 2.0 protocol, see the SAML 2.0 specifications.
SAML 2.0 Configuration Instructions
The following settings should be configured at the federation server in order to connect with Speakap:
Property | Value |
---|---|
EntityID (EU) | https://authenticator.speakap.io/saml |
EntityID (USA) | https://authenticator.usa.speakap.io/saml |
Assertion Consumer Service (EU), sometimes known as "Single Sign On URL" | https://authenticator.speakap.io/saml/acs |
Assertion Consumer Service (USA), sometimes known as "Single Sign On URL" | https://authenticator.usa.speakap.io/saml/acs |
Signing Algorithm | sha1 |
Name ID format | E-Mail Address |
SAML SP Metadata
Some SAML 2.0 identity providers support importing a metadata file. Our SAML metadata can be found here:
Microsoft ADFS Settings
When using Microsoft ADFS in combination with Active Directory, some claim rules are required in order to make sure that the correct Name ID is used with Speakap:
Rule 1
Property | Value |
---|---|
Rule Template | Send LDAP Attributes as Claims |
Attribute Store | Active Directory |
LDAP Attribute | User Principal Name* |
Outgoing Claim Type | E-Mail Address |
Rule 2
Property | Value |
---|---|
Rule Template | Transform an Incoming Claim |
Incoming Claim Type | E-Mail Address |
Outgoing Claim Type | Name ID |
Outgoing Name ID format | E-Mail Address |
*Other attributes besides ‘User Principal Name’ can be used as well. Please contact Speakap Technical Support to discuss the options.
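The two tables above expressed as ADFS configuration, as an added example that is not Speakap's or Microsoft's own script: an elevated ADFS PowerShell session creates the relying party trust for the EU endpoints and installs the two claim rules. The display name "Speakap" and the permit-all authorization rule are placeholders you should adapt; for a USA network, substitute the USA URLs from the table.

```powershell
# Added example: ADFS relying party trust for Speakap (EU region) with the
# settings from the configuration table and the two claim rules above.
# Assumes an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$entityId = "https://authenticator.speakap.io/saml"      # EntityID (EU)
$acsUrl   = "https://authenticator.speakap.io/saml/acs"  # Assertion Consumer Service (EU)

# Rule 1: "Send LDAP Attributes as Claims" - userPrincipalName -> E-Mail Address
# Rule 2: "Transform an Incoming Claim"    - E-Mail Address -> Name ID (format: E-Mail Address)
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Rule 1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Rule 2"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Placeholder authorization rule: permit every authenticated user. Narrow this to
# your own policy (for example a group-membership condition) before roll out.
$authorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Assertion Consumer Service endpoint (HTTP-POST binding) from the table
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0

# "sha1" in the table corresponds to the rsa-sha1 XML-DSig algorithm identifier
Add-AdfsRelyingPartyTrust -Name "Speakap" `
    -Identifier $entityId `
    -SamlEndpoint $acsEndpoint `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check: identifier, signing algorithm, ACS endpoint and both rules are in place
Get-AdfsRelyingPartyTrust -Name "Speakap" |
    Select-Object Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```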
Enabling SSO in your Speakap network
Before you can use Single Sign-On in Speakap, your SAML 2.0 Identity Provider needs to be added to our configuration. Please contact Speakap Technical Support and provide the URL for your federationmetadata.xml, or supply the file directly.
White label applications
Since the regular Speakap mobile applications are not set up to use your identity provider, we need to prepare apps specific to your organisation. If you’re not already using white label versions of our apps, now is the time to set these up.
A white labeled app is an app which is published to the App Store and Google Play Store under your own company name and branding. These white labeled apps can be customised to match your company’s brand and colours. This way your Speakap network is instantly recognisable for your employees.
More information on these white label applications can be found here.
Speakap User-Sync
Single Sign-On will only work when we know which users should have access to your network. To ensure this, you will need to connect to our User-Sync application, which imports and manages all your employees within Speakap. The Speakap User-Sync runs daily (or at any other desired frequency) to synchronise the employees in your HR software with Speakap. This way we ensure that only the right users have access to the network and to the information relevant to their daily tasks.
More information on the Speakap User-Sync can be found here.
Timelines
Below you can find an overview of the timelines that apply to the process of enabling Single Sign-On for your network.
During this process it’s important to stay in contact and answer any questions as soon as possible. Slow responses can delay the implementation, as some parts cannot be implemented while essential information is missing.
Week 1 – Setting up
Exchange and configuration of the SAML 2.0 settings, metadata and Microsoft ADFS claim rules.
Weeks 2 – 5 – Implementation
Setting up SSO is a matter of configuration, but as mentioned earlier, your network should also be ready to support our SSO flow. During the implementation, we will be creating and releasing your white label applications and implementing the User-Sync for your network.
You can read all about the requirements for these implementations on their respective documentation pages.
Week 6 – Roll out
Once your white label applications have been released in the app stores and the User-Sync is set up, we should be ready to roll out. We will plan the exact moment of roll-out carefully and together.
After roll out
Once rolled out, changes to the set-up of the User-Sync or the white label applications might be required.
Small changes can usually be applied within 48 hours, but for bigger, structural changes we need some time to plan properly. We aim to have these solved within 14 days.
Please contact Speakap Technical Support if you have any request for changes.
SSO Checklist
Before we start implementing SSO for your network, we ask you to have a look at the following checklist. Some of these items might require some investigation on your side, but having the answer to these items before starting the implementation might save us both some time in the end.
- Does our Active Directory or HR software support Single Sign-On functionality?
  - Is SAML 2.0 supported?
  - Is my Active Directory or HR software publicly accessible, or only from within an internal network?
- Does our network have a white label application?
- Are we connected, or going to connect, to the Speakap User-Sync?
- How do our employees currently log in?
  - Is this username-based, email-address-based, or otherwise?
- Are there users already using Speakap before we start to roll out SSO?
  - How are we going to migrate those existing users?
  - Do we need to communicate something to these users?