Integrating Intercom with your identity provider makes logging in simple and secure for your team.
Follow the steps in this article to configure your identity provider, then either require SAML SSO (Single Sign-On) from all your teammates or offer it as one of your sign-in options.
- SAML SSO is only available with certain Intercom plans. See our plans and pricing here.
- It’s not possible to log in to the Intercom conversations mobile app with SAML SSO.
Configuring your identity provider
To enable SAML SSO, go to Settings > Security and click “Require SAML SSO”, under “Authentication methods”:
Note: You must have permission to access general and security settings to enable this.
The first thing you’ll see is the unique SAML name for your workspace:
You’ll need to include this in place of <SAML Name> with the following information to configure SAML SSO with your identity provider.
- Single Sign-On URL: https://app.intercom.com/saml/<SAML Name>/consume
- Recipient URL: https://app.intercom.com/saml/<SAML Name>/consume
- Audience restriction/Entity ID: https://app.intercom.com/saml/<SAML Name>
- Email address
- Signed Assertions
- Mapped Attributes: firstName (User's first name), lastName (User's last name)
- AES256_CBC with this certificate:
Important: This is not required if integrating with OneLogin or Okta, as the apps include these details automatically.
To integrate, you’ll also need to add the following information in Intercom from your identity provider:
- Identity provider Single Sign-On URL — This is the URL used to start the login process.
- Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.
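The values above are what the service-provider side of the handshake checks on every login: the assertion must be addressed to your workspace's Entity ID and Recipient URL, must still be within its validity window, and must carry the mapped attributes. The following Python script is an added example (not Intercom's code) that derives those values from a SAML name, sanity-checks that a pasted identity-provider certificate is PEM-encoded X.509, and runs those checks over a constructed sample SAML Response. The workspace name "acme", the sample response and the helper names are assumptions for illustration; signature verification against the identity provider's certificate is deliberately left out.

```python
"""Added example (not Intercom's code): derive the SP-side SAML values for a
workspace and check a SAML assertion against them."""
import binascii
import datetime as dt
import ssl
import xml.etree.ElementTree as ET
from typing import Dict, List

# Standard SAML 2.0 namespaces
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def sp_values(saml_name: str) -> Dict[str, str]:
    """URLs the identity provider must be configured with for this workspace."""
    base = f"https://app.intercom.com/saml/{saml_name}"
    return {"acs_url": f"{base}/consume", "recipient_url": f"{base}/consume", "entity_id": base}


def is_pem_x509(pem: str) -> bool:
    """Cheap sanity check that a pasted certificate is a PEM X.509 blob:
    standard BEGIN/END markers, valid base64 body, DER SEQUENCE tag first."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem.strip())
    except (ValueError, binascii.Error):
        return False
    return len(der) > 0 and der[0] == 0x30


def check_assertion(xml_text: str, saml_name: str, now: dt.datetime = None) -> List[str]:
    """Return a list of problems; an empty list means the assertion is addressed
    to this workspace, unexpired, and carries the mapped attributes."""
    now = now or dt.datetime.now(dt.timezone.utc)
    expected = sp_values(saml_name)
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in response"]

    # Audience restriction must name this workspace's Entity ID
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"audience {audiences} does not include {expected['entity_id']}")

    # Bearer confirmation must be addressed to this workspace's consume URL and still be valid
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient_url"]:
        problems.append("Recipient does not match the workspace consume URL")
    not_after = scd.get("NotOnOrAfter") if scd is not None else None
    if not_after is None or now >= dt.datetime.fromisoformat(not_after.replace("Z", "+00:00")):
        problems.append("assertion expired or has no NotOnOrAfter")

    # Mapped attributes the workspace expects
    attrs = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in ("firstName", "lastName"):
        if name not in attrs:
            problems.append(f"missing mapped attribute {name}")
    return problems


# Constructed sample response for the assumed workspace SAML name "acme"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.intercom.com/saml/acme/consume"
            NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://app.intercom.com/saml/acme</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    at = dt.datetime(2029, 1, 1, tzinfo=dt.timezone.utc)
    print(sp_values("acme"))
    print("acme:", check_assertion(SAMPLE_RESPONSE, "acme", at) or "OK")
    print("other workspace:", check_assertion(SAMPLE_RESPONSE, "other", at))
```

Running it shows why the Entity ID and Recipient URL have to be copied exactly: the same response that passes for "acme" is rejected for any other workspace name, which is the property that stops an assertion issued for one service provider from being replayed to another.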
Tip: If your identity provider supports it, you can also define a session duration in your identity provider's configuration, which sets the length of time before a teammate's session expires and they must log in to Intercom again. If this is not set, the default duration is 3.5 days.
Next, specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under “Allowed domains”, and click “Add domain”:
Then, you must verify that you own the domain by adding a TXT record in your DNS settings with the values shown here:
Note: If you do not have access to your DNS provider, you may need help from someone on your team.
After adding the TXT record in your DNS settings, click “Verify DNS record”:
Tip: If you have just created the DNS record it may still be propagating; in this case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”
Once the DNS record is verified, you’ll see a success message and the domain will appear here:
If you need to add more than one domain, repeat this process for the others. 👌
Choose to enable Just-in-Time (JIT) provisioning
Just-in-Time provisioning will automatically add teammates to your Intercom workspace the first time they sign in with SAML SSO, if they don’t already have an Intercom account.
To enable this, check the box here:
Then, define which permissions new teammates should have when added by JIT provisioning:
Important: New teammates will only be added if you have available Inbox seats.
Allow other login methods as you transition to SAML SSO
To ensure that everyone on your team can log in successfully with SAML SSO before you disable other login methods, leave this option checked and select your preferred login method by clicking the link on the right:
Important: To uncheck this option and enforce SAML SSO as the required login method, you must be logged in with SAML SSO. You can do this after saving your settings. 👇
Finally, save your settings, and test your configuration by authenticating with your identity provider:
Configuring SAML with OneLogin
It’s easy to configure SAML SSO with OneLogin. Just use the Intercom app in the OneLogin store.
Go to “Applications” in your admin page and click “Add App”:
Then, search for the “Intercom SAML 2.0” app, and add it:
After adding the Intercom app, open the Configuration tab, and enter the SAML name for your workspace:
On the SSO tab, copy the "SAML 2.0 Endpoint" URL and paste it in your workspace's SAML settings:
Finally, click “View Details” under the certificate and copy this to Intercom too:
Now you can authenticate with OneLogin and save your settings in Intercom, and you’re ready to go. 👌
Configuring SAML SSO with Okta
Easily set up SAML SSO with the Intercom app in the Okta app store.
Go to “Add Application” in your admin page and search for Intercom. Click “Add”:
Proceed to step 2, and view the setup instructions:
These instructions are tailored to your Okta account and contain the following:
- Identity provider issuer URL.
- Public certificate.
You must copy and paste these values into your workspace's SAML settings.
After adding the URL and certificate, return to Okta and enter your workspace’s SAML name under “Advanced sign-on settings”:
Note: See above for instructions on how to find your SAML name.
Next, save the Encryption Certificate provided by Okta as intercom.pem and upload it here:
Now you can save your settings in Okta and then confirm the authentication in Intercom, and you’re all set. 👌