Integrate with an identity provider and log in with SAML SSO

Integrating Intercom with your identity provider makes logging in simple and secure for your team.

Follow the steps in this article to configure your identity provider, to require SAML SSO (Single Sign On) from all your teammates, or offer it as one of your sign in options.

Important: 

• SAML SSO is only available with certain Intercom plans. See our plans and pricing here.

• It’s not possible to log in to the Intercom conversations mobile app with SAML SSO.

Configuring your identity provider

To enable SAML SSO, go to Settings > Security and click “Require SAML SSO”, under “Authentication methods”:

Note: You must have permission to access general and security settings to enable this.

The first thing you’ll see is the unique SAML name for your workspace:

You’ll need to include this in place of <SAML Name> with the following information to configure SAML SSO with your identity provider. Choose the URL format (app./app.eu/app.au) that matches your workspace URL. You will only need one URL per workspace.

• Single Sign-On URL (choose one)

• https://app.intercom.com/saml/<SAML Name>/consume

• https://app.eu.intercom.com/saml/<SAML Name>/consume

• https://app.au.intercom.com/saml/<SAML Name>/consume

  Choose the URL format (app./app.eu/app.au) that matches your workspace URL. You will only need one URL per workspace.

• Recipient URL (choose one)

• https://app.intercom.com/saml/<SAML Name>/consume

• https://app.eu.intercom.com/saml/<SAML Name>/consume

• https://app.au.intercom.com/saml/<SAML Name>/consume

• Audience restriction/Entity ID (choose one)

• https://app.intercom.com/saml/<SAML Name>

• https://app.eu.intercom.com/saml/<SAML Name>

• https://app.au.intercom.com/saml/<SAML Name>

• NameID

• Email address

• Signed Assertions

• Yes

• Mapped Attributes

• firstName (User's first name)

• lastName (User's last name)

• Encryption

• AES256_CBC with this certificate:

-----BEGIN CERTIFICATE-----
MIIDKTCCAhGgAwIBAgIESfKRDDANBgkqhkiG9w0BAQsFADBFMREwDwYDVQQKEwhJbnRlcmNvbTEV
MBMGA1UECxMMRGV2IFBsYXRmb3JtMRkwFwYDVQQDExBTQU1MIENlcnRpZmljYXRlMB4XDTE2MTIx
NDE2MjYyN1oXDTI2MTIxMjE2MjYyN1owRTERMA8GA1UEChMISW50ZXJjb20xFTATBgNVBAsTDERl
diBQbGF0Zm9ybTEZMBcGA1UEAxMQU0FNTCBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMYDcgFR7BMrGPMNTVERsAXOZoaz+ObJaKAtSWbq6J7upmEvr7wm7KmIOGiT
dqsA5vhJUBRC4pPxTpB6l34LYQ2CcfGYP0TQtrpBuHtkSVPe5Tu1q4ri4YpiWLzkO6TdFDvIKiD1
41gYjPkypTYGHQ0YRoHJVLibk55nJcjX1GjwXpDLYOa9r4LrGzOHV1o7p/C1GoPu8/5GzgtP0faO
4iDgcz0681WQvN4sg4kL24geouBrIfl5Xa0WmFAmQDtaYZ22V2hPgmivcw4l0mnHuHRKiYdKuIBr
kj9miEL1YMexMgUoAm7TbMIqPu1s3k9HcJ75Ksk1LUnxKRYdTlZRPd0CAwEAAaMhMB8wHQYDVR0O
BBYEFNX3lHt+SDJSghNBEmdyvxwZ9A8JMA0GCSqGSIb3DQEBCwUAA4IBAQBE8HPVU1fM2KJ4+WSL
Tz1AO3R/HMfI9Vjf8g5TvRWixhRwFG6hWxnMfqn6+/O3KZTyOszhcMn1i+yIk6kfG//C8jVN0BdR
f45VY0zFYn6veUe5l0Mwrc98SVTS2bIYNjkC1uPfRURNY+TlLqfzAcJYKIPlrpV8sDWGk22ouQeS
pBDiC4bFt5rpxbDOHZ8yiEWFWXSplA/7lAK6WfGll9JYZIXIUG9IkrqqAU8Rdl4ap7R+5hnpHm7h
XxGKbY9QL+sr4SbGOUVBuO9ilLNis1mRAfJ8YEu8Aw4rRMBMTTVzdkBk0keMMJNdjvWDNmwOwECF
qpawtT0JQBFUdm+03Ow+
-----END CERTIFICATE-----

Important: This is not required if integrating with OneLogin or Okta, as the apps include these details automatically.

To integrate, you’ll also need to add the following information in Intercom from your identity provider: 

• Identity provider Single Sign-On URL — This is the URL used to start the login process.

• Public certificate — This allows Intercom to validate SAML requests from your identity provider. It must be an X.509 certificate.

Tip: If your identity provider supports it, you can also define a session duration in your identity provider's configuration, which sets the length of time before a teammate's session expires and they must log in to Intercom again. If this is not set, the default duration is 3.5 days.

Next, specify the domains which are allowed to authenticate with SAML SSO. Enter a domain under “Allowed domains”, and click “Add domain”:

Then, you must verify that you own the domain by adding a TXT record in your DNS settings with the values shown here:

Note: If you do not have access to your DNS provider, you may need help from someone on your team.

After adding the TXT record in your DNS settings, click “Verify DNS record”:

Tip: If you have just created the DNS record it may still be propagating, in this case you’ll see the following warning message: “Unable to verify DNS record. Please try again later.”

Once the DNS record is verified, you’ll see a success message and the domain will appear here:

If you need to add more than one domain, repeat this process for the others. 👌

Choose to enable Just-in-Time (JIT) provisioning

Just-in-Time provisioning will automatically add teammates to your Intercom workspace the first time they sign in with SAML SSO, if they don’t already have an Intercom account.

To enable this, check the box here:

Then, define which permissions new teammates should have when added by JIT provisioning:

Important: New teammates will only be added if you have available Inbox seats.

Allow other login methods as you transition to SAML SSO

To ensure that all of your team are able to log in successfully with SAML SSO before disabling other login methods, you should leave this option checked, and select your preferred login method by clicking the link on the right:

Important: To uncheck this option and enforce SAML SSO as the required login method, you must be logged in with SAML SSO. You can do this after saving your settings. 👇

Finally, save your settings, and test your configuration by authenticating with your identity provider:

Configuring SAML with OneLogin

It’s easy to configure SAML SSO with OneLogin. Just use the Intercom app in the OneLogin store.

Go to “Applications” in your admin page and click “Add App”: 

Then, search for the “Intercom SAML 2.0” app, and add it: 

After adding the Intercom app, open the Configuration tab, and enter the SAML name for your workspace:

On the SSO tab, copy the "SAML 2.0 Endpoint" URL and paste it in your workspace's SAML settings:

Finally, click “View Details” under the certificate and copy this to Intercom too: 

Now you can authenticate with OneLogin and save your settings in Intercom, and you’re ready to go. 👌

Configuring SAML SSO with Okta

Easily set up SAML SSO with the Intercom app in the Okta app store.

Go to “Add Application” in your admin page and search for Intercom. Click “Add”:

Proceed to step 2, and view the setup instructions:

These instructions are tailored to your Okta account and contain the following:

• Identity provider issuer URL.

• Public certificate.

You must copy and paste these values into your workspace's SAML settings.

After adding the URL and certificate, return to Okta and enter your workspace’s SAML name under “Advanced sign-on settings”:

Note: See above for instructions on how to find your SAML name.

Next, save the Encryption Certificate provided by Okta as intercom.pem and upload it here:

Now you can save your settings in Okta and then confirm the authentication in Intercom, and you’re all set. 👌

What’s next?

• Create custom roles in Intercom to manage your team’s permissions easily.

• Check out this collection for other ways to keep your workspace secure.