Integrate with an identity provider and log in with SAML SSO

Log in to Intercom with SAML SSO using Okta, OneLogin or another identity provider.

Written by Beth-Ann Sher
Updated over 2 months ago

Integrating Intercom with your identity provider makes logging in simple and secure for your team.

Follow the steps in this article to configure your identity provider and then either require SAML SSO (Single Sign-On) from all your teammates or offer it as one of your sign-in options. Once configured, SAML SSO also works with the Intercom Conversations app.

Check our plans and pricing to see if this is on your subscription.


Configuring your identity provider

To enable SAML SSO, go to Settings > Workspace > Security and click Require SAML SSO under “Authentication methods”:

The first thing you’ll see is the unique SAML URL for your workspace:

You’ll need this URL to configure SAML SSO with your identity provider. If you set up SAML with the Intercom app for Okta or OneLogin, you only need the <SAML URL> itself; otherwise, configure your identity provider with the following values:

  • Single Sign-On URL: <SAML URL>/consume

  • Recipient URL: <SAML URL>/consume

  • Audience restriction/Entity ID: <SAML URL>

  • NameID: Email address

  • Signed Assertions: Yes

  • Mapped Attributes: firstName (User's first name), lastName (User's last name)

  • Encryption: AES256_CBC with the Intercom encryption certificate


To integrate, you’ll also need to add the following information in Intercom from your identity provider: 

  • Identity provider Single Sign-On URL — This is the URL used to start the login process.

  • Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.
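Before disabling other login methods, it helps to confirm that the identity provider's test login actually emits what the settings above require. The following added example (not Intercom's code) checks a decoded SAML Response against those settings; it assumes a plaintext assertion such as an identity provider's assertion preview, and for an encrypted assertion it can only inspect the declared algorithm. The <SAML URL> is a placeholder.

```python
# Added example, not Intercom's code: check a SAML Response against this article's settings.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

def check_response(xml_text, saml_url):
    """Map each requirement from the article to True/False for one response.
    saml_url is the workspace's unique <SAML URL> from Settings > Security."""
    root = ET.fromstring(xml_text)
    consume = saml_url + "/consume"            # Single Sign-On URL and Recipient URL
    r = {"destination_is_consume": root.get("Destination") == consume}
    ea = root.find("saml:EncryptedAssertion", NS)
    if ea is not None:                         # ciphertext: only the algorithm is visible
        enc = ea.find(".//xenc:EncryptionMethod", NS)
        r["encrypted_with_aes256_cbc"] = enc is not None and enc.get("Algorithm") == AES256_CBC
        return r
    a = root.find("saml:Assertion", NS)
    if a is None:
        r["assertion_present"] = False
        return r
    # Presence of an enveloped signature; cryptographic verification is the service provider's job.
    r["assertion_signed"] = a.find("ds:Signature", NS) is not None
    nid = a.find("saml:Subject/saml:NameID", NS)
    r["nameid_is_email"] = (nid is not None and nid.get("Format") == EMAIL_FORMAT
                            and "@" in (nid.text or ""))
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    r["recipient_is_consume"] = scd is not None and scd.get("Recipient") == consume
    aud = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    r["audience_is_saml_url"] = saml_url in aud
    attrs = {e.get("Name") for e in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    r["has_firstName_lastName"] = {"firstName", "lastName"} <= attrs
    return r

# Constructed sample response; SAMPLE_URL is a placeholder for the real <SAML URL>.
SAMPLE_URL = "https://saml-url.example"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" Destination="{SAMPLE_URL}/consume"><saml:Assertion>
 <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SAMPLE_URL}/consume"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SAMPLE_URL}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="firstName"/><saml:Attribute Name="lastName"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Any False in the returned dict points at the identity-provider setting to fix before enforcing SAML SSO.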

If your identity provider supports it, you can also define a session duration in your identity provider's configuration, which sets the length of time before a teammate's session expires and they must log in to Intercom again. If this is not set, the default duration is 3.5 days.

Next, specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under “Allowed domains”, and click “Add domain”:

To ensure that all of your team are able to log in successfully with SAML SSO before disabling other login methods, you should leave this option checked, and select your preferred login method by clicking the link on the right:

To uncheck this option and enforce SAML SSO as the required login method, you must be logged in with SAML SSO. You can do this after saving your settings.

Then, you must verify that you own the domain by adding a TXT record in your DNS settings with the values shown here:

If you do not have access to your DNS provider, you may need help from someone on your team.

After adding the TXT record in your DNS settings, click “Verify DNS record”:

If you have just created the DNS record, it may still be propagating. In this case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”

Once the DNS record is verified, you’ll see a success message and the domain will appear here:

If you need to add more than one domain, repeat this process for the others. 👌

Sign in with SAML SSO

Once SAML SSO is enabled, teammates can log in using it.

Email not registered for a SAML account

If the email entered on the SAML login page does not match any teammate who belongs to a workspace with SAML SSO enabled, the teammate sees an error message.

Email registered for one SAML account

If the email matches a single workspace with SAML SSO, the teammate is redirected directly to the identity provider that workspace uses and asked to log in.

Email registered for multiple SAML accounts

If the email matches multiple workspaces with SAML SSO, we show the workspace selector, where the teammate can choose the workspace they want to log in to.

Depending on the identity provider configured for each workspace, the teammate is redirected to the right identity provider's login experience. After logging in, they are brought back to the selected workspace and logged in.

SAML Support when switching accounts

SAML SSO is supported when switching between workspaces:

When the teammate switches to a workspace where they are already logged in, the switch happens without friction. If not, the teammate is redirected to the workspace selector and asked to log in once.

Scenario:

  • When a teammate is logged into two workspaces that use the same SAML SSO provider, no re-authentication is needed to switch between them.

  • If the teammate also has access to a third workspace that uses a password as the authentication method and hasn’t logged in to it, we redirect them to the workspace switcher to log in once with their password.

Sign in to Intercom Conversations app with SAML SSO

Once SAML SSO is configured, navigate to the login screen of your iOS or Android Intercom Conversations app.

Tap the Sign in with SAML SSO button at the bottom of the login page.

Enter the work email you use to sign in to Intercom and tap Continue to show a list of workspaces you can sign in to (as pictured below).

If you only have access to one workspace, this screen is skipped and that workspace is selected automatically.

Selecting a workspace presents a web view where you log in to your SAML provider.

Once you have signed in with the SAML provider successfully, you are logged into the app.

If you don’t have SAML SSO set up for your account and try to log in with SAML SSO, you'll see an error message.

Google Workspace SSO troubleshooting

If you are using Google Workspace as your SSO provider and you see an error message stating that you don’t have access (similar to the image below), you can turn on remediation messages in order to further understand the reason for the error.

Once enabled, you'll be able to see more detailed information in the error message.

For example, the following error could indicate that the device which is being used is not managed by Google endpoint management:

Workspace invites

SAML SSO is also compatible with workspace invites. Redeeming an invite fails if the invite email doesn't match the email returned by the identity provider; otherwise the invite can be redeemed.

Choose to enable Just-in-Time (JIT) provisioning

Just-in-Time provisioning will automatically add teammates to your Intercom workspace the first time they sign in with SAML SSO, if they don’t already have an Intercom account.

To enable this, go to Settings > Workspace > Security and click on Provisioning under "Authentication methods":

Then, define which permissions new teammates should have when added by JIT provisioning:

New teammates will only be added if you have available seats.

Finally, scroll down and save your settings, and test your configuration by authenticating with your identity provider:

Once your workspace has SAML SSO enabled with any provider, teammates will be unable to edit their own email address from their My Account page. The email field will be read-only.


Configuring SAML with OneLogin

It’s easy to configure SAML SSO with OneLogin. Just use the Intercom app in the OneLogin store.

Go to “Applications” in your admin page and click “Add App”: 

Then, search for the “Intercom SAML 2.0” app, and add it: 

After adding the Intercom app, open the Configuration tab, and enter the SAML name for your workspace:

On the SSO tab, copy the "SAML 2.0 Endpoint" URL and paste it in your workspace's SAML settings:

Finally, click “View Details” under the certificate and copy this to Intercom too: 

Now you can authenticate with OneLogin and save your settings in Intercom, and you’re ready to go. 👌


Configuring SAML SSO with Okta

Easily set up SAML SSO with the Intercom app in the Okta app store.

Go to “Add Application” in your admin page and search for Intercom. Click “Add”:


Proceed to step 2, and view the setup instructions:


These instructions are tailored to your Okta account and contain the following:

  • Identity provider issuer URL.

  • Public certificate.

You must copy and paste these values into your workspace's SAML settings.

After adding the URL and certificate, return to Okta and enter your workspace’s SAML name under “Advanced sign-on settings”:


Next, save the Encryption Certificate provided by Okta as intercom.pem and upload it here:

Now you can save your settings in Okta and then confirm the authentication in Intercom, and you’re all set. 👌

