Enabling SSO with Onelogin as the Identity Provider
What is SSO?
Single sign-on (or SSO) is a way to authenticate and log in to an application with just one set of credentials, rather than having to set up multiple usernames and passwords across different platforms. It's a more secure process and prevents potentially losing or forgetting log-in credentials since they're stored through another service.
SAML is an open standard for allowing single sign-on between 2 systems: a Service Provider (that's Help Scout) and an Identity Provider (that's the system storing your organization's user database, e.g. Okta, Onelogin, etc.).
Setting up SSO with Onelogin
This section explains step by step how to configure SAML Single Sign-On between Help Scout and Onelogin as the Identity Provider. If you are using a different Identity Provider please see the Enabling SSO with a Generic Identity Provider article.
Note: Service Provider (Help Scout) provisioning is not supported. Accounts should be created first in the IdP or Help Scout, and then authenticated via the IdP prior to logging in to Help Scout.
You'll need to be the Account Owner or an Administrator to get this set up for your account.
- Log in to Help Scout, then navigate to Manage → Company → Authentication.
- Before making any changes on this page, take note of the Post-back URL and the Audience URI at the bottom of the page.
Log in to Onelogin as an administrator, go to
- Type "saml" into the search box of the Find Applications page. From the filtered list pick SAML Test Connector (IdP w/attr).
- Enter "Help Scout" as the Display Name of the new app, keeping it Visible in portal. If you'd like to upload a Help Scout logo, click on the Rectangular icon and Square icon and select the images you want to use. You can take these from the "logo" and "icon" folders respectively within our brand assets .zip file. Click the Save button.
- Go to the "Configuration" tab and paste the "Post-back URL" from step 3 twice into the "ACS (Consumer) URL" and "Recipient" fields and the "Audience URI" from step 3 into the "Audience" field. Paste the regular expression listed below into the "ACS (Consumer) URL Validator".
- Click Save to store the app settings.
- Head over to the "Parameters" tab and select "Add parameter". Type in "email" as the name in the popup and check "Include in SAML assertion". Once saved, the new parameter will have no value, so you'll need to click on "- No default -" in the value column, and within the next popup, select "Email" as the value from the dropdown.
- The app is now created, but none of your users can access it. You can assign them to the app either individually via "Users" menu → "All Users" or, depending on how you manage your user base, as part of roles ("Users" → "Roles") and groups ("Users" → "Groups").
- Navigate back to the "Help Scout" app and select the "SSO" tab. Copy the "SAML 2.0 Endpoint (HTTP)" and click "View details" for the "X.509 Certificate" - this opens a new page where you can click the "Download" button to download the onelogin.pem file. You will need both the "SAML 2.0 Endpoint (HTTP)" and the "X.509 Certificate" in step 15.
- Log out from Onelogin (you will want to test with a non-admin user in a moment).
- Head back to Help Scout Manage → Company → Authentication. You will now be able to click "Enable SAML".
- On the form that you are presented with, use the details from step 10 - paste the URL and upload the certificate.
- Toggle Force SAML Sign-in if you would like your Users to only log in to Help Scout via SSO with Onelogin. Even if this is selected, an Account Owner will always be able to log in to Help Scout with their account password (this is to prevent the Account Owner from getting locked out). Don't forget to click the Save button.
Single Sign-On will now be enabled for your account. Users need to log in via the identity provider prior to logging in to Help Scout.
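If a test login fails, comparing a captured SAML response against the values entered in the steps above usually locates the mismatch. The following is an added example, not Help Scout or Onelogin code: the URLs and the sample response are constructed placeholders, and `check_response` is a hypothetical helper that assumes the ACS URL appears as the response's `Destination`.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders: substitute the Post-back URL and Audience URI
# shown on your own Help Scout Authentication page.
POST_BACK_URL = "https://sp.example.test/saml/acs"
AUDIENCE_URI = "urn:example:sp:audience"

# Constructed sample of a decoded SAML response (signature element omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{POST_BACK_URL}">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{POST_BACK_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE_URI}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, post_back_url, audience_uri):
    """Return a list of mismatches between the response and the configured values."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != post_back_url:
        problems.append("Destination does not match the Post-back URL")
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if recipients != [post_back_url]:
        problems.append("Recipient does not match the Post-back URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append("Audience does not contain the Audience URI")
    emails = [(v.text or "").strip()
              for a in root.iterfind(".//saml:Attribute[@Name='email']", NS)
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not any(emails):
        problems.append("no non-empty 'email' attribute in the assertion")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, POST_BACK_URL, AUDIENCE_URI) or "configuration matches")
```

This only compares field values on a response you captured during your own test login; it does not verify the XML signature against the downloaded onelogin.pem certificate.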