Ready to set up Single Sign-On in Spekit? This guide covers Just-in-Time provisioning, supported IdP compatibility, and how to access and complete the SSO/SCIM configuration in your Spekit account.
âšī¸ Prerequisite: You must have Spekit Account Admin permissions and have SSO/SCIM enabled in your Spekit instance before proceeding. Contact your Customer Success Manager or support@spekit.co to have this enabled.
đ Quick-Jump Topics
- Just-in-Time (JIT) Provisioning: How JIT works and what to know before getting started
- SSO IdP Compatibility List: Supported Identity Providers and their SAML/SCIM capabilities
- How to See the SSO/SCIM Configuration Option: Getting the option enabled in Spekit
- How to Access SSO/SCIM Documentation in Spekit: Step-by-step setup walkthrough
- How Spekit Works with Single Sign-On: Understanding the SSO experience in Spekit
Just-in-Time (JIT) Provisioning
What do I need to know about JIT provisioning in Spekit?
Spekit supports Just-in-Time (JIT) provisioning. Here are the key things to understand before getting started:
- When the SSO configuration for Spekit is started using JIT, only the SAML portion is complete, SCIM is not required.
-
With JIT configured, user accounts are created automatically on first login,
but user management in Spekit is handled manually by Spekit
Account Admins.
âšī¸ Example: If someone leaves your company, their Spekit account must be manually disabled - JIT cannot automatically remove users.
- Accounts are created upon a user's first login.
âšī¸ Example: When a user is assigned the Spekit app in Okta and clicks the Spekit tile for the first time, their Spekit account is created automatically at that moment.
- Teams (referred to as Groups in some IdPs) must be created and managed by users with the Spekit Account Admin role.
- Accounts provisioned with JIT are added to the default All Spekit Users team with Viewer permissions. Spekit Account Admins manage access to any additional custom teams manually.
- There are multiple ways for users to sign into the Spekit Chrome Extension - the SSO IdP administrator can decide how to direct users.
- Users do not need to constantly re-authenticate to the Chrome Extension once they've logged in.
- The IdP administrator must assign the Spekit tile in their IdP (e.g. Okta) to any users who need access to Spekit.
SSO Identity Provider (IdP) Compatibility List
Which Identity Providers does Spekit support?
| SSO Provider | SAML 2.0 Supported | SCIM Supported |
|---|---|---|
| Okta | âī¸ | âī¸ |
| Entra ID (Azure) | âī¸ | âī¸ |
| Google Workspace | âī¸ | â |
| JumpCloud | âī¸ | âī¸ |
| OneLogin | âī¸ | âī¸ |
| PingFederate | âī¸ | âī¸ |
| PingOne | âī¸ | âī¸ |
â ī¸ Note: If your IdP is not listed above, Spekit cannot guarantee full functionality. Please contact your Customer Success Manager or support@spekit.co for more information.
How to See the SSO/SCIM Configuration Option in Spekit
How do I get access to the SSO/SCIM setup option?
The SSO/SCIM option must be enabled by the Spekit team before it will appear in your account. To request this, contact your Customer Success Manager or email support@spekit.co.
Once enabled, the Connect with SSO/SCIM button will appear on the Connect page in your Spekit Web App under Settings â Connect.
How to Access SSO/SCIM Documentation and Start Setup in Spekit
How do I start the SSO/SCIM configuration process in Spekit?
Once SSO/SCIM is enabled in your Spekit instance, follow these steps:
- Go to the Spekit Web App and click Settings.
- Click Connect.
- Click Connect with SSO/SCIM.
- Click Download to download the user mapping Excel sheet.
-
Review the Excel sheet - do not rename the file. Follow these
rules when editing:
- Do not modify anything in columns A or B.
- Only make necessary edits to column C, which contains the email address from your company's IdP.
- Click Choose File, select your updated Excel file, then click Upload.
âšī¸ What's next? After completing the steps above, you will be prompted to configure your Workspace name. Once that's done, Spekit will guide you through step-by-step walkthroughs to set up SAML and SCIM for your selected IdP. It's important to follow the walkthrough closely, as it includes unique URLs and organization-specific details required for the setup.
How Spekit Works with Single Sign-On
What should I understand about the SSO experience in Spekit?
Once SSO is configured, users can log in to Spekit using either of the following methods:
- IdP-Initiated Login: Users click the Spekit tile directly from within their IdP's application directory (e.g. Okta, Azure). This is the most common and seamless method.
- SP-Initiated Login: Users go to the Spekit login page and enter their email address to be redirected to their IdP for authentication.