Single Sign On (SSO) allows users to use a single login for multiple applications, simplifying the lives of both IT and your team on Drift. Our SAML 2.0 implementation allows team members to sign in securely through any identity provider (IdP). Here's a guide for configuring your IdP if you're not using Okta, OneLogin, or Azure.
Single Sign On is available on any paid Drift plan, starting with Premium.
Settings to Include
Drift will look for the following elements in the SAML Assertion:
Drift SSO post-back URL
This is also known as the Assertion Consumer Service URL. It handles the SAML Assertion returned from the Identity Provider after the user has been logged in.
Note: If you're an EU-based customer, your URL will be:
Drift Entity ID
The ID that can be used to uniquely identify requests coming from the Drift Service Provider.
Drift Default RelayState
The URL to which users will be redirected in the IdP-initiated flow.
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">firstname.lastname@example.org</saml:NameID>
</saml:Subject>

<saml:AttributeStatement>
  <saml:Attribute Name="Name"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">Drift User</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
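A pre-flight check for the two elements shown above, as an added example (not Drift's code): it parses an assertion produced by your IdP and reports whether the NameID uses the persistent format and a non-empty `Name` attribute is present. `check_assertion` and the sample assertion are constructed for illustration, the email check assumes the NameID carries the user's email as in the sample, and the script checks shape only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">firstname.lastname@example.org</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Name">
      <saml:AttributeValue>Drift User</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_assertion(xml_text):
    """Return a list of problems; an empty list means the shape matches."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Subject/NameID")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format is not persistent")
        # Assumption: NameID holds the user's email, as in the sample.
        local, _, domain = name_id.text.strip().partition("@")
        if not local or "." not in domain:
            problems.append("NameID value is not an email address")
    # Collect values of every attribute called "Name".
    values = [
        (v.text or "").strip()
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == "Name"
        for v in a.findall("saml:AttributeValue", NS)
    ]
    if not any(values):
        problems.append('missing non-empty "Name" attribute')
    return problems

if __name__ == "__main__":
    for line in check_assertion(SAMPLE_ASSERTION) or ["assertion shape OK"]:
        print(line)
```

Run it against a decoded assertion from your IdP's test or preview tool before enabling SSO for the team.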
Drift supports Service Provider Initiated and Identity Provider Initiated flows, as well as Just In Time user account provisioning. Drift only supports HTTP POST binding, not HTTP REDIRECT binding. Your Identity Provider must ensure a user is both authenticated and authorized before sending back an assertion.