Pinpoint supports Single Sign On using SAML.
Add the SAML integration in Pinpoint
Log in to Pinpoint as a user who has the Company permission (Edit company-level settings, configure integrations and manage templates) assigned.
If you're not sure how to assign user permissions, please follow the steps in our guide How do I grant Permissions to an individual user?
On the left-hand side, in the menu under Settings, click Integrations.
Click on Apps and then search for 'SAML', then click Add.
You will be shown this screen.
Get your Entity ID, Consumer URL, Login URL
At this stage we suggest you open your Identity Provider in another window. You will be copy-pasting some of these details into your identity provider.
Enter the SAML integration settings in your Identity Provider and generate XML metadata
If your identity provider is LastPass
Follow the steps in our guide Using the LastPass SAML integration
If your identity provider is Microsoft Azure Active Directory / Entra ID
Follow the steps in our guide Setting up Azure Active Directory as your IDP
If your identity provider is Okta
Follow the steps in our guide How to enable the Okta integration with Pinpoint
If you have another identity provider not listed above
In your identity provider, please:
Enter the Consumer URL from Pinpoint into the ACS or Consumer URL field in your identity provider
Enter the Entity ID from Pinpoint into the Entity ID field in your identity provider
Make sure that you sign both the SAML Assertion and the SAML Response
Map the user.last_name attribute from Pinpoint to a Last Name attribute in your identity provider
Map the user.first_name attribute from Pinpoint to a First Name attribute in your identity provider
Use this to generate XML Metadata
Enter the Metadata XML into Pinpoint and Enable Integration
Take your Metadata XML from your identity provider, paste it into the Metadata XML field and click Save.
Toggle the switch at the top of the page to 'Enabled' and users will be able to sign in using single sign on.
Configure Single Sign On options within Pinpoint
You have several additional options in Pinpoint that you can choose to enable.
Enforce Login
This will disable other login methods, including the ability to log in with an email / password combination, and force all users to sign into Pinpoint via your identity provider.
Also Enforce for External Recruiters
This does the same as Enforce Login, but specifically for external recruiters you add into your Pinpoint account.
This option exists separately because most companies do not invite external recruiters to join their identity provider and issue them with a company email.
Automatically Redirect Login
If this is toggled on, when a user attempts to log in to your company's Pinpoint (when they go to yoursubdomain.pinpointhq.com/users/sign_in) they will be automatically redirected to your identity provider to log in.
This avoids confusion and saves users from having to click a button when they hit the Pinpoint login page.
Configure User Access in your Identity Provider
Follow your own internal policies to configure user access to the Pinpoint application.
Please note that if a user does not yet have an account in Pinpoint and attempts to log in, they will see a notice screen instead. Add this user to Pinpoint manually for single sign-on to work.
Configure User Access in Pinpoint
Follow the steps in our guide How do I manage user access in Pinpoint?
Just-in-Time Provisioning
Please note that our current SAML implementation does not yet support Just in Time account creation ('Provisioning'). This means that a user will only be logged in to Pinpoint if their account has already been created.