Single sign-on

SAML single sign-on (SSO), SSO groups, and SCIM provisioning are only available on Business Tier plans.

Overview

Hightouch helps customers manage large teams via a third-party identity provider, such as Okta and Azure Active Directory (Azure AD). We support the following integration points and security standards:

Integration point                    Security standard
User account creation                SAML SSO
Role and workspace assignment        SSO groups
User account updates and deletions   SCIM

Hightouch supports the following SSO providers:

  • Okta
  • Azure Active Directory
  • Auth0
  • OneLogin
  • PingIdentity

SAML single sign-on

SAML single sign-on (SSO) provides just-in-time (JIT) provisioning. With SSO configured, when members of your organization go to the Hightouch login screen, they can select Enterprise Sign-in to access your workspaces.

When they try to sign in to Hightouch, Hightouch uses the credentials given by your identity provider. If the credentials are authorized, Hightouch signs the user in. If it's a credentialed user's first time signing in, Hightouch provisions an account for that user.

With SSO enabled, Hightouch also checks for updates in user attributes. That way, if a user's email changes, Hightouch gets the updated details when they sign in again.

The SAML configuration process may differ slightly depending on the identity provider. You can find detailed instructions for Okta and Azure Active Directory in the following sections, but the process is similar for other identity providers.

Single sign-on use with password sign-ins

In some cases, you may want to have both SSO and password-based access. For example, you may want everyone in your organization to access Hightouch via SSO but also want to invite third-party contractors with a different email domain to your workspace.

To allow both SSO and password sign in, you can toggle on Allow inviting users in the Single sign-on tab on the Settings page. If you only want to allow access via SSO, leave the Allow inviting users setting toggled off.

If users signed in to your workspace before you configured SSO, and then sign in with SSO after it's enabled, they will have duplicate user profiles: one for their previous non-SSO account and one for their SSO account. You can safely delete the non-SSO user profile from the Members tab, but it's not necessary to do so. Hightouch doesn't enforce SSO, so users can continue to sign in either through email or SSO.

If there are any users in your Hightouch workspace that aren't members in your identity provider and should be, delete them from Hightouch and re-add them via the identity provider to avoid duplicate user profiles.

Okta SAML SSO configuration

  1. In your Okta instance, create a new SAML application.

Okta's Create a new integration modal.

  2. Enter a descriptive App Name for your SAML integration, for example, "Hightouch."

Okta SAML integration general settings

  3. In Hightouch, open the Single sign-on tab on the Settings page. Click Add SAML SSO to open a modal with SAML URL and SAML Audience URL.

Hightouch SSO Connection settings

  4. Configure your SAML Settings in Okta with the SAML URL and SAML Audience URL shown in the Hightouch modal.

Okta SAML settings

  5. In your Okta instance, set attribute mappings for the name and email Attribute Statements and any Group Attribute Statement. For example, you may set your name Attribute Statement to something like String.join(" ", user.firstName, user.lastName).

Okta attribute statements

  6. In the Hightouch modal opened in step 3, enter the Identity Provider Single Sign-On URL and upload the x.509 Certificate Okta provides.

Okta IdP SSO URL and certificate

  7. Click Save.

Members of your organization can now select Enterprise Sign-in on the Hightouch login screen to access your workspaces. You can also share your Hightouch workspace with others in your organization by sharing the link under Copy your Single sign-on login URL on the Single sign-on tab on the Settings page.

Azure AD SAML SSO configuration

  1. Navigate to the Azure Active Directory gallery and select Create your own application.

Azure AD App creation

  2. Select Set up single sign-on in the newly created app.

Azure single sign-on setup

  3. Select SAML as your single sign-on method.

Azure single sign-on methods

  4. In Hightouch, open the Single sign-on tab on the Settings page. Click Add SAML SSO to open a modal with SAML URL and SAML Audience URL.

Hightouch SSO Connection settings

  5. Configure your SAML Settings in Azure AD with the SAML URL and SAML Audience URL shown in the Hightouch modal.

Azure basic SAML configuration

  6. In Azure AD, set attribute mappings for name and email, if they haven't already been set.

Azure required claims and values

  7. In the Hightouch modal opened in step 4, enter Azure's Login URL as the Identity Provider Single Sign-On URL and upload the Certificate (Base64) as the x.509 Certificate.

Azure AD certificate

  8. Click Save.

Members of your organization can now select Enterprise Sign-in on the Hightouch login screen to access your workspaces. You can also share your Hightouch workspace with others in your organization by sharing the link under Copy your Single sign-on login URL on the Single sign-on tab on the Settings page.

Access management with SSO groups

It can be challenging to manually manage multiple users' roles and permissions in a large organization. If you use a third-party identity provider like Okta to manage groups, you can map those groups to the workspaces and roles the user should be assigned in Hightouch.

With SSO groups configured, when a team member signs in to Hightouch with SSO for the first time, Hightouch checks the user's credentials with the identity provider. Once the identity is confirmed, Hightouch assigns the workspaces and roles that the user should have depending on which groups the user belongs to in your identity provider.

If a user belongs to multiple groups in your identity provider, Hightouch assigns their role based on the group with the highest priority. For example, imagine some users belong to two groups called "Marketing" and "Everyone." If "Marketing" has a higher priority than "Everyone" in your identity provider, Hightouch assigns the role associated with "Marketing" to those users.

Group prioritization in an identity provider

Without SCIM configured, Hightouch applies SSO group changes when a user signs in to their account, not when an identity provider administrator makes changes in the identity provider. Therefore, if using SSO groups without SCIM, a user's Hightouch role is updated after they sign in next, assuming a Hightouch role is mapped to their new group. Configure SCIM to push updates from your identity provider to Hightouch automatically.

SSO group setup

You must configure SAML SSO before configuring SSO groups.

  1. In your identity provider, confirm users are members of the correct groups and that groups are correctly prioritized.
  2. In Hightouch, open the Single sign-on tab on the Settings page.
  3. Under Map your SSO groups to Hightouch roles, you can see a complete list of groups from your identity provider. The list is replicated for each workspace so that one row represents that group's role in the respective workspace. For each group, select the Hightouch role that group members should be assigned from the dropdown. If you don't select a role for a group, Hightouch uses the default role for that workspace.

SSO groups assignments

  4. Click Save.
  5. (Optional) You can disable use of the workspace default role by going to the Settings page and toggling Use default role for SSO users off. With the setting off, single sign-on users must have their identity provider group mapped to a Hightouch role. Without that mapping, they won't have access to the workspace.

Role assignment

When assigning users to Hightouch through group assignments in your identity provider, the user's role in Hightouch is:

  • The mapped role in a Hightouch workspace for that user's group.
  • If you don't map the user's group to a Hightouch role, the workspace default role.
  • If there is no workspace default role, or you have disabled using the workspace default role, the users aren't members of those workspaces.

Role assignment flowchart

To ensure that users are all assigned their correct Hightouch roles and have the appropriate permissions, it's best to map your SAML groups to Hightouch roles in your SSO settings.
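The group-priority rule described under Access management with SSO groups and the three-way role assignment above, modelled as an added example (not Hightouch code). Workspace, group, role names and priorities are constructed sample data; the page does not say what happens when a user's highest-priority group is unmapped but a lower-priority one is mapped, so this code assumes the mapped group wins over the default role.

```python
"""Role resolution from identity-provider groups (added example, not Hightouch code).

Rules modelled from the page: the highest-priority mapped group decides the
role; with no mapped group the workspace default role applies; with no default
role, or the default disabled, the user is not a member of that workspace.
Assumption: a mapped lower-priority group beats the default role even when a
higher-priority group of the user is unmapped.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Workspace:
    name: str
    group_roles: Dict[str, str] = field(default_factory=dict)  # IdP group -> Hightouch role
    default_role: Optional[str] = None   # None models "no workspace default role"
    use_default_role: bool = True        # the "Use default role for SSO users" toggle


def resolve_role(user_groups: List[str], priority: Dict[str, int], ws: Workspace) -> Optional[str]:
    """Role the user receives in `ws`, or None when they get no membership.

    `priority` ranks IdP groups; a lower number is a higher priority, like the
    group assignment priority order configured in the identity provider.
    """
    mapped = [g for g in user_groups if g in ws.group_roles]
    if mapped:
        winner = min(mapped, key=lambda g: priority.get(g, float("inf")))
        return ws.group_roles[winner]
    if ws.use_default_role and ws.default_role is not None:
        return ws.default_role
    return None


def resolve_memberships(user_groups: List[str], priority: Dict[str, int],
                        workspaces: List[Workspace]) -> Dict[str, str]:
    """Workspace name -> role for every workspace the user ends up a member of."""
    result = {}
    for ws in workspaces:
        role = resolve_role(user_groups, priority, ws)
        if role is not None:
            result[ws.name] = role
    return result


if __name__ == "__main__":
    # Constructed sample: "Marketing" outranks "Everyone", as in the page's example.
    priority = {"Marketing": 1, "Everyone": 2}
    prod = Workspace("Production", {"Marketing": "Editor", "Everyone": "Viewer"}, "Viewer")
    locked = Workspace("Finance", {"Finance": "Admin"}, "Viewer", use_default_role=False)
    print(resolve_memberships(["Everyone", "Marketing"], priority, [prod, locked]))
```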

Automatic provisioning via SCIM

You must configure SAML SSO before configuring SCIM. Though it's not necessary, we also recommend configuring SSO groups in addition to SCIM.

When you configure SAML SSO with Hightouch, users are created and updated manually each time they log in to Hightouch.

To make user identity management easier, you can opt in to automatic provisioning with SCIM. SCIM stands for "System for Cross-domain Identity Management" and is a specification for automating user identity updates between cloud-based applications.

Using SCIM, changes in your identity provider are automatically pushed to Hightouch, including activating, updating, and deactivating users.

You need a Hightouch SCIM API token and the Hightouch SCIM URL to configure automatic provisioning.

Generate a SCIM API token

To generate a new SCIM API token:

  1. Go to the SSO tab in Hightouch.
  2. Click Generate SCIM token.
  3. Copy the generated token.

Copy the token and keep it safe; once the modal closes, you won't be able to access it again.

You should use this token as a Bearer authentication token when enabling your SCIM integration.

Set up SCIM in your identity provider

Hightouch supports SCIM version 2.0.

The Hightouch SCIM URL is https://api.hightouch.com/api/scim/v2.

Hightouch uses the unique identifier field for users as userName.

Hightouch supports the following provisioning actions:

  • Import new users
  • Update user profiles
  • Push new users
  • Push profile updates
  • Push groups

If you're using Okta as your identity provider, you can follow their SCIM documentation to complete the setup process.

If you are using a different identity provider, search for their instructions to configure SCIM.
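The SCIM 2.0 exchange an identity provider has with Hightouch, as an added example (not Hightouch's or any identity provider's code). It uses the SCIM URL, SCIM 2.0 version and Bearer-token scheme from this page together with the standard SCIM 2.0 core and PatchOp schemas; which attributes beyond userName Hightouch stores is an assumption, and nothing is sent over the network.

```python
"""SCIM 2.0 requests an identity provider sends to Hightouch (added example).

Not Hightouch's or any identity provider's code. Base URL, version and Bearer
scheme come from this page; the request shapes follow the SCIM 2.0 core schema.
Each function returns the request as plain data (body as a dict, serialize with
json.dumps before sending) so the exchange can be inspected offline.
"""
import json
from typing import Any, Dict, Optional
from urllib.parse import quote

SCIM_BASE = "https://api.hightouch.com/api/scim/v2"  # Hightouch SCIM URL from this page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _headers(token: str) -> Dict[str, str]:
    # The token generated on the SSO tab is presented as a Bearer token.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}


def find_user_request(token: str, email: str) -> Dict[str, Any]:
    # Before pushing, the IdP looks the user up by the unique identifier;
    # Hightouch keys users on userName, so the filter targets that attribute.
    flt = quote(f'userName eq "{email}"', safe="")
    return {"method": "GET", "url": f"{SCIM_BASE}/Users?filter={flt}",
            "headers": _headers(token), "body": None}


def create_user_request(token: str, email: str, given: str, family: str) -> Dict[str, Any]:
    # "Push new users": userName carries the login identity; other attributes
    # are standard SCIM fields and are an assumption about what Hightouch reads.
    body = {"schemas": [USER_SCHEMA], "userName": email,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}], "active": True}
    return {"method": "POST", "url": f"{SCIM_BASE}/Users",
            "headers": _headers(token), "body": body}


def deactivate_user_request(token: str, scim_id: str) -> Dict[str, Any]:
    # "Deactivating users" in SCIM 2.0 is a PATCH that sets active to false.
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "url": f"{SCIM_BASE}/Users/{scim_id}",
            "headers": _headers(token), "body": body}


def user_id_from_list_response(body: str) -> Optional[str]:
    # Parse the ListResponse to the lookup; None means the user does not exist yet.
    doc = json.loads(body)
    resources = doc.get("Resources", [])
    return resources[0]["id"] if doc.get("totalResults", 0) and resources else None
```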
