Simplifying Secure Access with SSO in Saleshandy🔏
For businesses that prioritize security and streamlined access, Single Sign-On (SSO) is an essential feature.
Saleshandy now supports SSO, allowing users to log in through their organization’s identity provider (IdP), such as Okta, Microsoft Entra (formerly Azure AD), Google Workspace, Auth0, OneLogin, IBM Security, Ping Identity, and JumpCloud.
Apart from these IdPs, we also support all other IdPs.
This centralized authentication system minimizes security risks and simplifies user management.
Step-by-Step Guide to Setting Up SSO in Saleshandy📃
Step 1: Go to the Admin Tab in Saleshandy
Start by navigating to the Settings > Admin Settings tab in Saleshandy.
Step 2: Check SSO Eligibility
Locate the SSO settings and verify if your plan supports SSO.
If your plan does not support SSO: You will receive an error message with an option to upgrade.
If eligible: Proceed to enable SSO for your organization.
Step 3: Enable SSO & Enter Company Name
Enable SSO. A pop-up will appear; click Proceed.
“By enabling SSO Login, all members in your Saleshandy account will no longer be able to log in using passwords. Everyone will be required to log in exclusively through SSO. Please proceed with caution.”
Now fill in the Display name and Authorized Domain for Login.
Please note: Saleshandy SSO will only allow SAML logins from email addresses associated with the domain you added, and members should be invited to log in.
You can:
Add new domains
Edit existing domains
Remove domains
Once the domains are set, generate the SSO setup URL by clicking Create.
You can copy and paste a list of domains, with or without separators, and they will automatically be added as separate entries in the domains list box.
Step 4: Generate External ID and Address Setup Issues
Saleshandy will automatically generate an external ID for your company.
Your organization ID and setup URL will be displayed for configuration.
If there’s an issue with the setup URL, a warning message will appear. Regenerating the setup URL will invalidate the previous one and display a new link.
Step 5: Configure SSO
Go to the setup URL, select Create SAML Connection, and choose your identity provider.
Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.
You will then be guided through the steps to configure your provider-specific settings. Once you select your IdP, a step-by-step guide to creating the SAML connection is shown.
Now let's see how you can set up SAML.
Example: Setting Up SAML with Google Workspace
If you are an admin or owner, follow these steps to set up SSO in Saleshandy for your organization:
Navigate to admin.google.com > Apps > Web and Mobile Apps. Click Add app > Add custom SAML app.
Enter a Name and Description (optional), upload a logo, then click Continue.
Now download the Metadata file.
Navigate back to your setup URL and click Next until you reach the Download metadata step.
Upload the GoogleIDPmetadata.xml file that you downloaded in the previous step in the Saleshandy SAML connection settings, and click Submit.
Now click "Continue" in Google Console, if you haven't already. You should see a screen titled "Service provider details".
Configure the ACS URL and Entity ID by copying from Setup URL and pasting them into Google’s service provider details.
Copy from here (Setup URL). Similarly, click on Next: Assign users to get Entity ID.
Paste in Google’s service provider details in console. Click Continue > Finish.
Assign users to the new app. If you're familiar with Google Workspace organizational units, use whatever process you normally use.
If you're not familiar with Google Workspace organizational units, or you don't normally use them, here's the simplest way to assign users to your new Google Workspace SAML application:
To the right of "User access" is a button pointing down. Click on it.
Click on "ON for everyone"
Click "Save".
Save changes and allow time for updates to take effect.
Finalizing SSO✅
Once configured, the SSO status in Admin Settings will update to configured.
If it shows "Not configured" even after you finish your setup, please refresh the page or click the refresh icon on the side.
If you want to add or edit the SAML connection simply click on the
Please note that to edit your primary SAML connection, click on the Connection ID
Here, click on Edit in SAML connection.
You will get a Pop-up to edit the SAML connection to set it by default or not.
To switch the active connection, simply enable the primary option for the SAML connection you want to use. This will make that connection the primary one, allowing it to handle SSO authentication for your applications.
Note📢 For SSO to function correctly, at least one primary connection must be kept. Without a primary connection, you won't be able to log in, and you'll have to log in with your ID and password.
All users will have to log in using the Login with SSO method:
SSO Login Requirements
Users will be redirected to their IdP for authentication.
If SSO is not configured for their email/domain, an error message will appear.
The "Forgot Password" option is disabled for SSO users.
SSO users cannot change passwords within Saleshandy; they must do so via their IdP.
Email changes require re-verification through the IdP.
New users can only access Saleshandy via an invitation.
Owners retain access via both email/password and SSO.
If an invited user initially logged in with email/password, their credentials will be revoked once SSO is enabled.
Managing SSO Settings
Owners can enable/disable SSO and manage domains in Admin Settings. A status table will display:
Organization ID
Display Name
Account ID
Domain
Configuration Status (Green: Configured, Red: Not Configured)
A Refresh button to update status
Owners can also edit domains and regenerate the SSO Setup link as needed.
Plan-Based Restrictions💳
SSO is available on Scale and Beyond plans only.
Users on lifetime deal plans cannot enable SSO.
If a plan expires or is downgraded, SSO will be disabled, and members must reset passwords to log in.
Clients cannot log in using SSO; they have to use their ID and password.
Mobile App Support📲
The Login with SSO button will be available on the mobile app.
If the SSO token is valid, users will be logged in seamlessly.
If the token is expired/invalid, users will be redirected to the login page with an error message.
Security Measures📢
Two-Factor Authentication (2FA) is disabled when SSO is enabled, with a tooltip notifying users.
Robust security protocols ensure token safety and prevent unauthorized access.
By following these steps, organizations can efficiently enable and manage SSO in Saleshandy, enhancing both security and user experience.
Frequently Asked Questions (FAQ)
1. Who can enable SSO in Saleshandy?
SSO is available for users on Scale and Beyond plans. If you're on a lifetime deal or a lower-tier plan, you’ll need to upgrade to enable SSO.
2. Can users log in with passwords after enabling SSO?
No, once SSO is enabled, all users must log in through their organization's IdP. Password-based login will be disabled, except for account owners.
3. What happens if my plan expires or is downgraded?
SSO will be disabled, and users will need to reset their passwords to log in. Account owners will receive a warning about the expiration.
4. What are the IdPs you support?
Saleshandy now supports SSO, allowing users to log in through their organization’s identity provider (IdP), such as Okta, Microsoft Entra (formerly Azure AD), Google Workspace, Auth0, OneLogin, IBM Security, Ping Identity, and JumpCloud.
Apart from these IdPs, we also support all other IdPs.
5. Can I edit or update domains after enabling SSO?
Yes, owners can add, edit, or remove authorized domains from the Admin Settings.
6. What happens if there's an issue with the setup URL?
A warning message will appear, and you can regenerate the setup URL, which will invalidate the previous one and provide a new link.
7. How do invited users log in with SSO?
New users can only access Saleshandy via an invitation. If they initially log in with email/password, their credentials will be revoked once SSO is enabled.
8. Does SSO work on the mobile app?
Yes, the Login with SSO button is available on the mobile app. If the SSO token is valid, users will be logged in seamlessly. If expired, they will be redirected to the login page with an error message.
9. What security measures are in place for SSO?
Two-Factor Authentication (2FA) is disabled when SSO is enabled.
Saleshandy follows robust security protocols to protect authentication tokens.
Email changes require re-verification through the IdP.
10. Can Owners disable SSO if needed?
Yes, owners can enable/disable SSO and regenerate the setup link if necessary. However, disabling SSO will require users to reset their passwords to log in again.
11. Why is the status not marked as configured?
If the status is not marked as "configured," try refreshing the page or settings. This is often necessary for the changes to take effect and for the status to update accordingly. A page refresh ensures that the system recognizes the new configurations and reflects the correct status.
12. I’ve configured my SSO, but it still shows "Invalid Email Address" at login. What should I do?
If you’re seeing the "Invalid Email Address" error after configuring your SSO, ensure that you test the connection at the final step when setting up SSO. This will confirm that the configuration is working properly. If the issue persists, head over to your Identity Provider (IdP) and verify that SSO is enabled for everyone or for the specific users who are assigned access. Only users with the correct access permissions will be able to log in successfully using SSO.
13. What should I do if I have multiple domains and emails for SSO?
If your organization uses multiple domains and emails for SSO, it's essential that all these accounts are under one SSO Identity Provider (IdP) account. You cannot use different accounts from different services as the primary SAML connection. All related domains and emails must be centralized under a single IdP account to ensure proper authentication and smooth SSO functionality.
14. What happens if you disable the primary Single Sign-On (SSO) option?
To ensure that Single Sign-On (SSO) works correctly, you must configure one primary connection in your SAML settings. You cannot have multiple primary connections. If you disable the primary connection, SSO may be disabled, and you will be required to manually log in using your username and password to reconfigure SSO. Keeping a primary connection ensures smooth authentication and uninterrupted SSO functionality across your applications.
15. Can I add multiple SAML connections, and how do I choose or switch between them?
Yes, you can configure multiple SAML connections for your organization. Depending on your needs, you can choose which one to use by heading over to the SSO setup link and then editing the connection in the SAML Connection section. To switch the active connection, simply enable the primary option for the SAML connection you want to use. This will make that connection the primary one, allowing it to handle SSO authentication for your applications.