The purpose of this article is to provide direction to Outreach Admins in configuring a SAML IdP SSO.
Outreach is now compatible with Single Sign On (SSO) applications like Okta, Salesforce, and Onelogin. This article is specific to connecting a SAML IdP other than Okta, Salesforce and Onelogin, but if you would like to connecting those applications, you can follow the hyperlinks below:
Outreach users with:
- The ability to create an application inside of your IdP
- Outreach Admin Privileges
- If the SSO Provider is Ping Federate, it must be configured to include Certification Keyinfo=True.
Step 1. Create IdP application:
1.1 Create an application inside your IdP and use some “placeholder” values for the following typical settings:
- ACS URL / Single Sign On URL (e.g. http://outreachfake.com)
- Audience URI / Service Provider Entity ID (e.g. fake_change_later)
In step 3 below, you will come back to fill in the correct values for the above fields.
1.2 After creating the application inside your IdP, please take note of its “Issuer," “SP-Initiated POST Endpoint”, and the “Idp Certificate”. You will use them in Step 2.3 below.
Step 2. Create the Identity Provider inside Outreach Accounts
2.1 As an Outreach admin, navigate to the Org’s Setting page. Navigate to Sign and password options and click edit.
2.2 If it is an org without Idp setup, click “Add Identity Provider”.
2.3 Add the requested identity provider information
The information requested in this section is from step 1.2 above.
Note: The above screenshot contains two advanced settings: "Use NameId Instead of Email" and "Enable just-in-time new user provision". We do NOT recommend checking these options unless the functions of each are understood and needed by your organization. You can read more on these advanced settings in Advanced Settings For Identity Provider (SSO).
2.4 Retrieve setup information from Outreach to put into your IdP provider
Now find the “Setup Info” section. Copy the “Setup Info”: “ACS URL” and “Service Provider Entity ID” information. You will update the IdP application with this information in step 3 below.
NOTE: This screenshot says “Okta”, but the screen will look similar for other other IdP applications.
Step 3. Update IdP application
Now go back to your IdP application you created in step 1, and update the application settings:
- ACS URL / Single Sign On URL: Use the value for "(ACS) URL” from step 2.4
- Audience URI / Service Provider Entity ID: Use the value for “Service Provider Entity ID” from step 2.4
Step 4. Enable SSO inside Outreach Accounts
4.1 Return to your Outreach account and click “Test” to see if the identity provider is set up correctly.
If successful, you should see a success page. Please examine the “User email” and make sure it matches with user login email inside Outreach.
4.2 Click “Back”, check “Enable”, and click “Save”.
Note: This screenshot says “Okta”, but the screen will look similar for other other IdP applications.
Congrats! SSO is now enabled!