Learn how to set up Single Sign-On (SSO). Make sure you have SSO/SCIM enabled. You must have Spekit Account Admin permissions to set up SSO.
Just In Time (JIT) Provisioning
Spekit supports Just In Time or JIT provisioning, so here are some items to know:
1.) When the SSO configuration for Spekit is started, only the SAML portion is completed, and SCIM is not needed.
2.) When JIT is configured, the account is created, and the user management in Spekit is done manually by the users in Spekit who have the Spekit Account Admin role.
- Example: If someone leaves their company, their account must be manually disabled in Spekit because JIT cannot automatically remove them.
3.) With JIT, accounts are created upon a user's first login.
- Example: After a user is assigned the Spekit app in Okta, they click the Spekit tile in Okta. If this is their first time logging in, their Spekit account will be created.
4.) Groups or Teams, as referred to in the Spekit WebApp, are to be created and managed by the people in your organization who have the Spekit role of Spekit Account Admin.
5.) Accounts provisioned with JIT will be added to the default Spekit Team of All Spekit Users as a Viewer role by default. Spekit Account Admins manually manage additional custom-created Team access.
6.) There are multiple ways to get signed into the Spekit Chrome extension, so the SSO IDP administrator can decide how they want to direct users.
7.) Users do not need to constantly re-authenticate to the extension once they've logged in.
8.) The IDP admin will need to assign the Spekit tile in Okta to any users who need access to Spekit.
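Because JIT cannot remove accounts (item 2 above), a periodic comparison of the Spekit user list against the IdP's assignments shows which accounts a Spekit Account Admin still has to disable by hand. The following Python script is an added example, not Spekit's or any IdP's own tooling; the CSV column names, status values and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data. Column names and status values are assumptions,
# not the real export format of Spekit or of any IdP.
SPEKIT_USERS_CSV = """email,role,status
alice@example.com,Viewer,active
Bob@Example.com,Account Admin,active
carol@example.com,Viewer,active
dave@example.com,Viewer,deactivated
frank@example.com,Account Admin,active
"""
IDP_ASSIGNMENTS_CSV = """login,status
alice@example.com,ACTIVE
bob@example.com,ACTIVE
carol@example.com,DEPROVISIONED
erin@example.com,ACTIVE
"""


def load(csv_text, key):
    """Index CSV rows by lower-cased email so case differences do not hide a match."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key].strip().lower(): row for row in rows}


def reconcile(spekit_csv, idp_csv):
    spekit = load(spekit_csv, "email")
    idp = load(idp_csv, "login")
    idp_active = {e for e, r in idp.items() if r["status"].strip().upper() == "ACTIVE"}
    # Active in Spekit but gone or inactive in the IdP: JIT will never remove
    # these, so a Spekit Account Admin has to disable them by hand.
    stale = [(e, r["role"]) for e, r in spekit.items()
             if r["status"].strip().lower() == "active" and e not in idp_active]
    # Admin accounts first, since they carry the most access.
    stale.sort(key=lambda item: (item[1] != "Account Admin", item[0]))
    # Assigned in the IdP but no Spekit account yet: created on first login.
    pending = sorted(idp_active - set(spekit))
    return {"disable_in_spekit": stale, "awaiting_first_login": pending}


if __name__ == "__main__":
    report = reconcile(SPEKIT_USERS_CSV, IDP_ASSIGNMENTS_CSV)
    for email, role in report["disable_in_spekit"]:
        print(f"DISABLE  {email}  ({role})")
    for email in report["awaiting_first_login"]:
        print(f"PENDING  {email}")
```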
Single Sign-On (SSO) Identity Provider (IdP) Compatibility List
| SSO Provider | SAML 2.0 Supported | SCIM Supported |
| --- | --- | --- |
| Okta | ✔️ | ✔️ |
| Entra ID (Azure) | ✔️ | ✔️ |
| Google Workspace | ✔️ | X |
| JumpCloud | ✔️ | ✔️ |
| OneLogin | ✔️ | ✔️ |
| PingFederate | ✔️ | ✔️ |
| PingOne | ✔️ | ✔️ |
If your IdP is not listed above, Spekit cannot guarantee functionality with our platform. Please contact your CSM or support@spekit.co for more information.
How do I see the option to configure SSO/SCIM in Spekit?
The SSO/SCIM option can be enabled by our Spekit team. Please submit a request to your Customer Success Manager or send a note to support@spekit.co.
Once enabled, the Spekit Web App will show the highlighted area below:
How do I access SSO/SCIM documentation in Spekit?
The option for SSO/SCIM configuration must first be enabled in the Spekit instance.
Once enabled in the Spekit Web App:
1.) Click Settings.
2.) Click Connect.
3.) Click Connect with SSO/SCIM.
4.) Click Download.
5.) Review the Excel sheet and do not rename the file.
- Be sure not to modify anything in columns A & B.
- Only make the necessary edits to column C, which relates to the email in the company IDP.
6.) Click Choose File and Click Upload.
Once the above steps have been completed, you can access the WorkOS documentation for the SSO/SCIM you want to configure to work with Spekit.
Follow the step-by-step walkthrough while configuring SSO/SCIM, because it contains URLs and other values that are needed and are unique to your organization.
Does Spekit work with Salesforce SSO (Single Sign-On)?
Yes, you can log in to Spekit via Salesforce even if you use Single Sign-On (SSO) providers such as Okta. One caveat is that you must be logged into Salesforce via your SSO provider BEFORE attempting to log in to Spekit. If an account is connected with SSO, Salesforce users will no longer be pulled in from their Salesforce connection. You will be able to connect your SSO with your Salesforce sandbox account for testing.
Once you are logged into Salesforce via SSO (as you usually do):
1.) Go to Spekit login.
2.) Click on Login with Salesforce production (or sandbox if your account is a sandbox account). You'll see your username and password pre-saved on the next screen.
3.) Click on your Salesforce username, and you'll be logged into Spekit via Salesforce.
The only thing to remember is to be logged into Salesforce via SSO before you attempt the steps above.
OneLogin Tips
When searching for the correct SAML connector to configure, be sure to search for: SAML Custom Connector (Advanced).
Be sure to enter the correct Login URL, which is https://app.spekit.co/app/generate