Single Sign-On FAQs

Do you still have questions about Single Sign-On? We're here to help! 

 

In this section, we will answer these questions:

• Is the provisioning tab missing from applications in Okta?
• Why are my users and teams not showing up in Spekit?
• Can you connect SSO/SCIM to multiple accounts?
• What IDPs do we support?
• When I complete the transition to SSO, will my team be logged out and need to log in again (Web App and/or Chrome Extension)?
• When users are provisioned into Spekit through JIT or SCIM, what teams or roles will these users be assigned to in Spekit?
• What if my connection fails during the SSO connection process?
• How do logins with SSO work?
• Can SSO-enabled Spekit orgs still invite users who may not have account in my IdP?
• Once an Admin connects their IdP, will provisioning users create duplicate accounts?
• How do we manage syncing Salesforce and IdP users for new customers?
• If clients have SSO connected, can they no longer log in with Salesforce?
• What are the requirements when creating a unique Workspace name?

 

---

 

Is the provisioning tab missing from applications in Okta?

Your company must be subscribed to the Okta Lifecycle Management product to be able to see the Provisioning tab in Okta. This Okta product enables your ability to use SCIM.

Source: https://support.okta.com/help/s/question/0D51Y00008j5QB2/provisioning-tab-missing-from-applications?language=en_US

 

Why are my users and teams not showing up in Spekit?

Scenario: You have assigned users and/or groups to Spekit through SCIM provisioning but they are not appearing.

 

Possible Resolutions:

• Spekit
  • Check the pending user list. If the user has not logged in yet to activate their account fully they will have an account status of 'Pending'. 
  • Navigate to the Connect page on the Web App and perform a manual sync on the SSO connection
• Okta
  • Enable Push Groups and Push Groups
  • https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-group-push.htm
  • After a user or group is created, you must Push Groups to Spekit
• Azure
  • Azure uses a 40-minute provisioning interval with SCIM. It could take up to 40 minutes for users or groups provisioned via SCIM to appear in Spekit due to this. 

 

Can you connect SSO/SCIM to multiple accounts?

No, you can only connect to one Spekit production org.

 

What IdPs do we support?

We officially support Okta, OneLogin, Azure AD, PingFederate, PingOne, JumpCloud and we have more in beta. If your IdP is not listed here please reach out to Spekit Support (support@spekit.co) to see if Spekit will work with your specific IdP. 

 

When I complete the transition to SSO, will my team be logged out and need to log in again (Web App and/or Chrome Extension)?

No, accounts will not be logged out during this transition. 

 

When users are provisioned into Spekit through JIT or SCIM, what teams or roles will these users be assigned to in Spekit?

Currently, all new users will only be assigned to the 'All Spekit Users' team with viewer permissions. 

 

What if my connection fails during the SSO connection process?

There will be an error message pop-up that will prompt them to try again. If they close the page or their computer shuts down, their connection page will remain unchanged, and they must restart/resume the connection process from where they left off.

 

How do logins with SSO work?

There are two ways to log in with SSO:

• IdP-Initiated logins where the user will start from within your IdP and click on the Spekit application tile assigned to them in their app directory. This is by far the easiest method especially if you're already leveraging your IdPs application directory. 
• SP-Initiated logins where the user will start from the Spekit login page (https://app.spekit.co/login) and enter the email associated with their Spekit account. 

 

Can SSO-enabled Spekit orgs still invite users who may not have account in my IdP?

Yes, users can still be invited directly via email into your Spekit org from the invite page but this is only recommended if that user will never be provisioned through SSO. 

 

Once an Admin connects their IdP, will provisioning users create duplicate accounts?

No, during the SSO connection process, a mapping step will be completed that should in all cases avoid duplicate accounts from being created if users were mapped correctly. 

 

How do we manage syncing Salesforce and IdP users for new customers?

After SSO is connected the Salesforce sync will only sync metadata moving forward. If you were previously syncing Salesforce user profiles this will be disabled and all new users should be added through SSO. 

 

If clients have SSO connected, can they no longer log in with Salesforce?

Existing Spekit user accounts are grandfathered into their original login method if their account existed before SSO was connected. All new users provisioned through SSO will only be able to log in with their SSO credentials. 

 

What are the requirements when creating a unique Workspace name?

Lowercase only and no more than 63 characters. No special characters are allowed.

 

---

Can’t find the information you’re looking for? Check out these topics:

• Single Sign-On In A Nutshell
• SSO/SCIM terminology
• Initial Spekit SSO/SCIM configuration
• How to connect Okta SSO (SAML) to Spekit
• How to connect Okta (SCIM 2.0) to Spekit
• How to create a group in Okta and add people to it
• Will my users sync to Spekit from my IDP?
• Okta User Management FAQs
• Okta Teams FAQs