Have questions about Single Sign-On? We're here to help! Use this guide to find quick answers to common questions and get the most out of your Spekit experience.
Quick-Jump Topics
- SSO & SCIM Overview: How Spekit connects to Identity Providers and provisions users.
- Provisioning & User Management: Managing users, teams, and roles through SSO, JIT, and SCIM.
- SSO Login & Authentication: How SSO logins work and what happens during the transition.
- Workspace & Account Setup: Requirements and tips for creating workspaces and configuring SSO settings.
SSO & SCIM Overview
What IdPs do we support?
Spekit officially supports Okta, OneLogin, Azure AD, PingFederate, PingOne, JumpCloud, and more in beta. Contact support@spekit.co for other IdPs.
Can you connect SSO/SCIM to multiple accounts?
No. You can only connect to one Spekit production org.
Does Spekit work with Salesforce SSO?
Yes. You can log in to Spekit via Salesforce even if you use Single Sign-On (SSO) providers such as Okta. One caveat is that you must be logged into Salesforce via your SSO provider before attempting to log in to Spekit. If an account is connected with SSO, Salesforce users will no longer be pulled in from their Salesforce connection. You will be able to connect your SSO with your Salesforce sandbox account for testing.
Once you are logged into Salesforce via SSO, follow these steps to access Spekit:
- Go to the Spekit login page.
- Click Login with Salesforce production (or sandbox if your account is a sandbox account). Your username and password will be pre-saved on the next screen.
- Click on your Salesforce username to log into Spekit.
The only thing to remember is to be logged into Salesforce via SSO before you attempt these steps.
Once an Admin connects their IdP, will provisioning users create duplicate accounts?
No. During the SSO connection process, a mapping step is completed that should in all cases prevent duplicate accounts from being created, provided users were mapped correctly.
If clients have SSO connected, can they still log in with Salesforce?
Existing Spekit user accounts are grandfathered into their original login method if their account existed before SSO was connected. All new users provisioned through SSO will only be able to log in with their SSO credentials.
Provisioning & User Management
Is the provisioning tab missing from applications in Okta?
Your company must be subscribed to the Okta Lifecycle Management product to see the Provisioning tab in Okta. This product is what enables SCIM.
Why are my users and teams not showing up in Spekit?
Scenario: You have assigned users and/or groups to Spekit through SCIM provisioning but they are not appearing.
Possible resolutions by platform:
- Spekit
  - Check the pending user list. If the user has not logged in yet, their account status will show as Pending.
  - Navigate to the Connect page in the Web App and perform a manual sync on the SSO connection.
- Okta
  - Enable Push Groups in Okta. Okta Push Groups reference
  - After a user or group is created, you must Push Groups to Spekit.
- Azure
  - Azure uses a 40-minute provisioning interval with SCIM. It may take up to 40 minutes for users or groups to appear in Spekit after being provisioned.
When users are provisioned via JIT or SCIM, what teams or roles are they assigned?
All new users are added to the All Spekit Users team with viewer permissions.
Can SSO-enabled Spekit orgs still invite users not in my IdP?
Yes. Users can still be invited directly via email from the invite page, but this is only recommended if that user will never be provisioned through SSO.
How do I reactivate JIT-provisioned users?
If a user was originally provisioned via Just-in-Time (JIT) provisioning and has been deactivated, you can reactivate them by adding them back to any team.
- Go to Manage Users in Spekit.
- In the status dropdown, change the filter from Accepted to Deactivated.
- Locate the user you want to reactivate.
- Click into their profile and add them to a team.
SSO Login & Authentication
How do logins with SSO work?
There are two ways to log in with SSO:
- IdP-Initiated Login: The user starts from within their IdP and clicks on the Spekit application tile in their app directory. This is the easiest method, especially if your organization already uses an IdP application directory.
- SP-Initiated Login: The user starts from the Spekit login page and enters the email address associated with their Spekit account.
When I complete the transition to SSO, will my team be logged out and need to log in again?
No. Accounts will not be logged out during the transition to SSO.
What if my connection fails during SSO setup?
An error message will appear prompting you to try again. If you close the page or your computer shuts down, your connection page will remain unchanged and you can resume the connection process from where you left off.
Once logged into Salesforce via SSO, how do I access Spekit?
- Go to the Spekit login page.
- Click Login with Salesforce production (or sandbox if applicable).
- Select your Salesforce username to complete the login.
How do we manage syncing Salesforce and IdP users after SSO is connected?
After SSO is connected, the Salesforce sync will only sync metadata going forward. If you were previously syncing Salesforce user profiles, this will be disabled, and all new users should be added through SSO.
Workspace & Account Setup
What are the requirements when creating a unique Workspace name?
Workspace names must be lowercase only, a maximum of 63 characters, and contain no special characters.
OneLogin Tips
When searching for the correct SAML connector in OneLogin, search for: SAML Custom Connector (Advanced).
Also ensure you enter the correct Login URL: https://app.spekit.co/app/generate