Single Sign On (SSO) allows users to use a single login for multiple applications, simplifying the lives of both IT and your team using Drift. Our SAML 2.0 implementation allows team members to sign in securely through any identity provider.
Here's a step-by-step guide for G Suite. If you have questions about implementing another Identity Provider, please chat in and our team will be able to assist!
Step by Step Guide (G Suite)
1. Go to your Google G Suite Admin page and choose Apps
2. Choose SAML apps
3. Click 'Add a service/App to your domain'
4. Click 'Setup my own custom app' at the bottom of the pop-up
5. Choose "Option 2", download your IDP metadata
6. Fill in the Basic information for your Custom Drift App
7. Enter the following Service Provider details in the matching fields:
- ACS URL: https://api.drift.com/auth/sso/saml/acs (Note: For EU-based users you'll use https://api.eu.drift.com/auth/sso/saml/acs)
- Entity ID: https://www.drift.com
- Start URL: https://app.drift.com
- Signed Response: checked
- Name ID Format: PERSISTENT
8. Click "Finish" to skip attribute mapping
9. Once completed, switch your new SAML App to "ON for everyone"
Step by Step Guide (Drift)
1. Log in to your Drift account as an administrator.
2. Navigate to Settings > App Settings > Authentication and verify your domain, so that when a user tries to sign in with an email address under that domain, they are redirected to Okta.
3. Drop the metadata file from G Suite (step 5) into the "Upload Identity Provider metadata file (optional)" section, and we will automatically populate the Identity Provider Entity ID, SAML Redirect Endpoint, and Identity Provider Public Key fields.
4. Click on "Enable SAML" at the bottom of the screen
- Account Owners by default will not sign in via SSO. This ensures that if configuration isn't set up correctly, the Account Owner will always be able to log in.
Drift requires signed responses by default, but we can also check for signed assertions within those responses for additional security. Drift recommends enabling this feature as long as your IdP can support it.
We can sign SAML authentication requests for increased security. You can use Drift's public key to verify our AuthnRequest signatures.
What to expect after SSO is enabled
Going forward, all members will sign in to Drift with their IdP account. If you chose to require SSO, your members will see a sign-in page before they can access your workspace.