The purpose of this article is to provide information to Outreach Admins regarding advanced settings for Identify Provider (SSO).
- Outreach Users
Advanced Settings For Identity Provider (SSO):
There are a few advanced settings for your SSO configuration, which should only be used in the scenarios described below.
In the below screenshot, you will see the following two settings highlighted: “Use NameId instead of Email” and “Enable just-in-time new user provision”. These are advanced settings that should be used with caution.
Use “NameId” instead of Email
In a normal SSO case, the email address you use to sign into your identity provider (e.g. Okta) will be provided from your identity provider to Outreach. Then Outreach will sign you in using the same email.
This option is desired in two scenarios, but these should be very uncommon scenarios:
Scenario 1: User has a different email address for Outreach than their IdP (Identity Provider)
The simplest solution is to change user’s login email inside Outreach to match your identity provider email - since we have separate setup for mailbox email, this should pose minimal user impact.
If that is not desirable, we can configure your identity provider to supply a custom formatted email address to Outreach. The actual setup varies depending on your identity provider, so it may need some experimentation.
Scenario 2: You have multiple instances of Outreach and want SSO
In general, we do NOT encourage you to perform this step. It can be very confusing for the actual users at times. Instead, they should rely on normal password setup (i.e. not SSO) for different instances.
But if SSO is needed for more than one instance, you need to rely on your identity provider for multiple app tiles. For example, in Okta, you can create different applications with different settings. One application can provide normal login email to Outreach, the other can provide a “custom format email” to Outreach (see “Scenario 1” for an example).
Then for different instances in Outreach, link to those different applications in your identity provider, and turn on “Use NameId instead of Email” for all of these instances.
Now if a user has logged into the identity provider, they can click on different app tiles to go to different instances of Outreach.
How to setup "NameId" in Okta and Salesforce
In the Okta app, you can set up "NameId" like so:
In Salesforce this can be configured by utilizing the steps below:
Then turn on “Use NameId instead of Email” in the SSO setup in Outreach.
Just In Time Provision
When a user exists in an org’s external IdP (identity provider), but does not have an Outreach account yet, we can turn on “Just In time Provision” - so that the first time the user tries to login, we will redirect to the org’s external IdP for authentication. Upon successful IdP login, that IdP will supply the user’s email to us. We will create an Outreach account for that user in your organization, then allow the user to login. If your organization is at its max seat count, we will not create an account for the new user and a failure message will appear with instructions to reach out to the administrator.
When enabling this setting, we need to also define an email domain for that org. When the user initially signs into Outreach, we can inspect their email and correctly link the user to the corresponding org and IdP. Note that this email domain needs to be truly and uniquely owned by your organization. In other words, a generic domain like “gmail.com” will not work.