Skip to main content
All CollectionsIntegrationsSSO
Setting up Single Sign On using SAML
Setting up Single Sign On using SAML

Allow your team to log in to Pinpoint using your existing Identity Provider's accounts

Dom Hughes avatar
Written by Dom Hughes
Updated over a week ago

Pinpoint supports Single Sign On using SAML.

Add the SAML integration in Pinpoint

Log in to Pinpoint as a user who has the Company permission (Edit company-level settings, configure integrations and manage templates) assigned.

If you're not sure how to assign user permissions, please follow the steps in our guide How do I grant Permissions to an individual user?

On the left hand side, in the menu under Settings, click Integrations.

Click on Apps and then search for 'SAML', then click Add.

You will be shown this screen.

Get your Entity ID, Consumer URL, Login URL

At this stage we suggest you open your Identity Provider in another window. You will be copy-pasting some of these details into your identity provider.

Enter the SAML integration settings in your Identity Provider and generate XML metadata

If your identity provider is LastPass

Follow the steps in our guide Using the LastPass SAML integration

If your identity provider is Microsoft Azure Active Directory / Entra ID

Follow the steps in our guide Setting up Azure Active Directory as your IDP

If your identity provider is Okta

If you have another identity provider not listed above

In your identity provider, please:

  1. Enter the Consumer URL from Pinpoint into the ACS or Consumer URL field in your identity provider

  2. Enter the Entity ID from Pinpoint into the Entity ID field in your identity provider

  3. Make sure that you sign both the SAML Assertion and the SAML Response

  4. Map the user.last_name attribute from Pinpoint to a Last Name attribute in your identity provider.

  5. Map the user.first_name attribute from Pinpoint to a First Name attribute in your identity provider

  6. Use this to generate XML Metadata

Enter the Metadata XML into Pinpoint and Enable Integration

Take your Metadata XML from your identity provider, paste it into the Metadata XML field and click Save.

Toggle the switch at the top of the page to 'Enabled' and users will be able to sign in using single sign on.

Configure Single Sign On options within Pinpoint

You have several additional options in Pinpoint that you can choose to enable.

Enforce Login

This will disable other login methods including the ability to login with an email / password combination and force all users to sign into Pinpoint via your identity provider.

Also Enforce for External Recruiters

Will do the same as enforce login, but specifically for external recruiters you add into your Pinpoint account.

This option exists separately because most companies do not invite external recruiters to join their identity provider and issue them with a company email.

Automatically Redirect Login

If this is toggled on when a user attempts to login to your company's Pinpoint (when they go to yoursubdomain.pinpointhq.com/users/sign_in) they will be automatically redirected to your identity provider to login.

This can avoid confusion and unnecessarily forcing users to click a button when they hit the Pinpoint login page.

Configure User Access in your Identity Provider

Follow your own internal policies to configure user access to the Pinpoint application.

Please note that if a user does not yet have an account in Pinpoint, and attempt to login, they will see a notice screen instead. Add this user to Pinpoint manually for single-sign on to work.

Configure User Access in Pinpoint

Follow the steps in our guide How do I manage user access in Pinpoint?

Just-in-Time Provisioning

Please note that our current SAML implementation does not yet support Just in Time account creation ('Provisioning'). This means that a user will only be logged in to Pinpoint if their account has already been created.

Did this answer your question?