Integrating Intercom with your identity provider makes logging in simple and secure for your team.

Follow the steps in this article to configure your identity provider and then either require SAML SSO (Single Sign-On) for all of your teammates or offer it as one of your sign-in options.


Configuring your identity provider

To enable SAML SSO, go to Settings > Security and click “Require SAML SSO”, under “Authentication methods”:

Note: You must have permission to access general and security settings to enable this.

The first thing you’ll see is the unique SAML URL for your workspace:

You’ll need this URL to configure SAML SSO with your identity provider. If you set up SAML with the Intercom Okta app or with OneLogin, you only need the <SAML URL> itself; otherwise, enter the following values in your identity provider:

  • Single Sign-On URL: <SAML URL>/consume

  • Recipient URL: <SAML URL>/consume

  • Audience restriction/Entity ID: <SAML URL>

  • NameID: Email address

  • Signed Assertions: Yes

  • Mapped Attributes: firstName (User's first name), lastName (User's last name)

  • Encryption: AES256_CBC with the certificate shown in Intercom


To integrate, you’ll also need to add the following information in Intercom from your identity provider: 

  • Identity provider Single Sign-On URL — This is the URL used to start the login process.

  • Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.
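
As an added example (not Intercom's or any identity provider's code), the Python below derives the identity-provider values from a placeholder workspace SAML URL and checks a constructed, unsigned SAML Response against them, so a wrong Recipient, Audience, NameID format or attribute mapping can be spotted before you enforce SSO. It does not verify signatures or encryption; Intercom does that with the public certificate above.

```python
import xml.etree.ElementTree as ET
# Placeholder for the workspace's unique SAML URL (hypothetical, not a real workspace).
SAML_URL = "https://example.invalid/saml/WORKSPACE_ID"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def expected_settings(saml_url):
    """Identity-provider values derived from the workspace SAML URL, as listed above."""
    return {"sso_url": saml_url + "/consume",
            "recipient": saml_url + "/consume",
            "audience": saml_url}

def check_response(xml_text, saml_url):
    """Return mismatches between a SAML Response and the expected settings (structure only)."""
    want = expected_settings(saml_url)
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    problems = []
    if root.get("Destination") != want["sso_url"]:
        problems.append("Destination != " + want["sso_url"])
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != want["recipient"]:
        problems.append("Recipient != " + want["recipient"])
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if want["audience"] not in audiences:
        problems.append("Audience missing " + want["audience"])
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    attrs = {x.get("Name") for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["missing attribute " + n for n in ("firstName", "lastName") if n not in attrs]
    return problems

# Constructed sample response from a hypothetical identity provider (unsigned, illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{SAML_URL}/consume">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SAML_URL}/consume"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SAML_URL}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

`check_response(SAMPLE_RESPONSE, SAML_URL)` returns an empty list when every value matches; each mismatch appears as one entry in the returned list.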

Tip: If your identity provider supports it, you can also define a session duration in your identity provider's configuration, which sets the length of time before a teammate's session expires and they must log in to Intercom again. If this is not set, the default duration is 3.5 days.

Next, specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under “Allowed domains”, and click “Add domain”:

To ensure that everyone on your team can log in successfully with SAML SSO before you disable other login methods, leave this option checked and select your preferred login method by clicking the link on the right:

Important: To uncheck this option and enforce SAML SSO as the required login method, you must be logged in with SAML SSO. You can do this after saving your settings.

Then, you must verify that you own the domain by adding a TXT record in your DNS settings with the values shown here:

Note: If you do not have access to your DNS provider, you may need help from someone on your team.

After adding the TXT record in your DNS settings, click “Verify DNS record”:

Tip: If you have only just created the DNS record, it may still be propagating. In that case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”

Once the DNS record is verified, you’ll see a success message and the domain will appear here:

If you need to add more than one domain, repeat this process for the others. 👌

Choose to enable Just-in-Time (JIT) provisioning

Just-in-Time provisioning will automatically add teammates to your Intercom workspace the first time they sign in with SAML SSO, if they don’t already have an Intercom account.

To enable this, go to Settings > Security and click on Provisioning under "Authentication methods":

Then, define which permissions new teammates should have when added by JIT provisioning:

Important: New teammates will only be added if you have available Inbox seats.

Finally, scroll down and save your settings, and test your configuration by authenticating with your identity provider:

Once your workspace has SAML SSO enabled with any provider, teammates will be unable to edit their own email address from their My Account page. The email field will be read-only.

Configuring SAML with OneLogin

It’s easy to configure SAML SSO with OneLogin. Just use the Intercom app in the OneLogin store.

Go to “Applications” in your admin page and click “Add App”: 

Then, search for the “Intercom SAML 2.0” app, and add it: 

After adding the Intercom app, open the Configuration tab, and enter the SAML name for your workspace:

On the SSO tab, copy the "SAML 2.0 Endpoint" URL and paste it in your workspace's SAML settings:

Finally, click “View Details” under the certificate and copy this to Intercom too: 

Now you can authenticate with OneLogin and save your settings in Intercom, and you’re ready to go. 👌

Configuring SAML SSO with Okta

Easily set up SAML SSO with the Intercom app in the Okta app store.

Go to “Add Application” in your admin page and search for Intercom. Click “Add”:

Proceed to step 2, and view the setup instructions:

These instructions are tailored to your Okta account and contain the following:

  • Identity provider issuer URL.

  • Public certificate.

You must copy and paste these values into your workspace's SAML settings.

After adding the URL and certificate, return to Okta and enter your workspace’s SAML name under “Advanced sign-on settings”:

Note: See above for instructions on how to find your SAML name.

Next, save the Encryption Certificate provided by Okta as intercom.pem and upload it here:

Now you can save your settings in Okta and then confirm the authentication in Intercom, and you’re all set. 👌
