Have questions about Single Sign-On? We’re here to help! Use this guide to find quick answers to common questions and get the most out of your Spekit experience.
📌 Quick-Jump Topics
- SSO & SCIM Overview: How Spekit connects to Identity Providers and provisions users.
- Provisioning & User Management: Managing users, teams, and roles through SSO, JIT, and SCIM.
- SSO Login & Authentication: How SSO logins work and what happens during the transition.
- Workspace & Account Setup: Requirements and tips for creating workspaces and configuring SSO settings.
SSO & SCIM Overview
What IdPs do we support?
Spekit officially supports Okta, OneLogin, Azure AD, PingFederate, PingOne, JumpCloud, and more in beta. Contact support@spekit.co for other IdPs.
Can you connect SSO/SCIM to multiple accounts?
❌ No. You can only connect to one Spekit production org.
Does Spekit work with Salesforce SSO?
✅ Yes. You can log in to Spekit via Salesforce even if you use Single Sign-On (SSO) providers such as Okta. One caveat is that you must be logged into Salesforce via your SSO provider BEFORE attempting to log in to Spekit. If an account is connected with SSO, Salesforce users will no longer be pulled in from their Salesforce connection. You will be able to connect your SSO with your Salesforce sandbox account for testing.
Once you are logged into Salesforce via SSO (as you usually do):
1.) Go to Spekit login.
2.) Click on Login with Salesforce production (or sandbox if your account is a sandbox account). You'll see your username and password pre-saved on the next screen.
3.) Click on your Salesforce username, and you'll be logged into Spekit via Salesforce.
The only thing to remember is to be logged into Salesforce via SSO before you attempt the steps.
Once an Admin connects their IdP, will provisioning users create duplicate accounts?
❌ No. During the SSO connection process, a mapping step is completed that should in all cases prevent duplicate accounts from being created, provided users were mapped correctly.
If clients have SSO connected, can they still log in with Salesforce?
Existing Spekit user accounts are grandfathered into their original login method if their account existed before SSO was connected. All new users provisioned through SSO will only be able to log in with their SSO credentials.
Provisioning & User Management
Is the provisioning tab missing from applications in Okta?
Your company must be subscribed to the Okta Lifecycle Management product to see the Provisioning tab in Okta. This Okta product enables you to use SCIM.
Why are my users and teams not showing up in Spekit?
Scenario: You have assigned users and/or groups to Spekit through SCIM provisioning but they are not appearing.
Possible Resolutions:
- Spekit
  - Check the pending user list. If the user has not yet logged in to fully activate their account, they will have an account status of 'Pending'.
  - Navigate to the Connect page on the Web App and perform a manual sync on the SSO connection.
- Okta
  - Enable Push Groups and Push Groups
  - https://help.okta.com/en/prod/Content/Topics/users-groups-profiles/usgp-about-group-push.htm
  - After a user or group is created, you must Push Groups to Spekit.
- Azure
  - Azure uses a 40-minute provisioning interval with SCIM, so it could take up to 40 minutes for users or groups provisioned via SCIM to appear in Spekit.
When users are provisioned via JIT or SCIM, what teams or roles are they assigned?
All new users go to the “All Spekit Users” team with viewer permissions.
Can SSO-enabled Spekit orgs still invite users not in my IdP?
✅ Yes. Users can still be invited directly via email into your Spekit org from the invite page, but this is only recommended if that user will never be provisioned through SSO.
How do I reactivate JIT-provisioned users?
If a user was originally provisioned via Just-in-Time (JIT) provisioning and has been deactivated, you can reactivate them by adding them back to any team.
Note: The user you are reactivating must still be assigned to Spekit in your IdP to log back in.
Steps:
1.) Go to Manage Users in Spekit.
2.) In the status dropdown, change the filter from Accepted to Deactivated.
3.) Locate the user you want to reactivate.
4.) Click into their profile and add them to a team.
SSO Login & Authentication
How do logins with SSO work?
There are two ways to log in with SSO:
- IdP-Initiated logins, where the user will start from within your IdP and click on the Spekit application tile assigned to them in their app directory. This is by far the easiest method, especially if you're already leveraging your IdP's application directory.
- SP-Initiated logins where the user will start from the Spekit login page (https://app.spekit.co/login) and enter the email associated with their Spekit account.
When I complete the transition to SSO, will my team be logged out and need to log in again (Web App and/or Chrome Extension)?
❌ No. Accounts will not be logged out during this transition.
What if my connection fails during SSO setup?
An error message pop-up will prompt you to try again. If you close the page or your computer shuts down, your connection page will remain unchanged, and you must restart/resume the connection process from where you left off.
Once logged into Salesforce via SSO, how do I access Spekit?
Go to Spekit login → click Login with Salesforce production or sandbox → select username → logged in
How do we manage syncing Salesforce and IdP users for new customers?
After SSO is connected, the Salesforce sync will only sync metadata moving forward. If you were previously syncing Salesforce user profiles, this will be disabled, and all new users should be added through SSO.
Workspace & Account Setup
What are the requirements when creating a unique Workspace name?
Lowercase only, max 63 characters, no special characters.
OneLogin Tips:
When choosing which SAML connector to configure, be sure to search for: SAML Custom Connector (Advanced).
Be sure to enter the correct Login URL, which is https://app.spekit.co/app/generate