This feature is available on Subscription plans.
Before configuring SSO on your Logikcull account you will need to add Logikcull to your identity provider/directory service. Logikcull supports SAML connections. Many Logikcull customers use Azure AD, Google IdP and Okta, therefore we have provided guidance for configuring Logikcull SSO in each of these identity providers/directory services (linked above). If you do not use one of the providers listed above, follow your provider’s instructions for configuring customer SAML apps.
Logikcull supports SAML 2.0 SP-intiated SSO integrations. Users will login to Logikcull at https://login.logikcull.com.
Please be sure to read the instructions provided below prior to configuring SSO.
Required Metadata
We have provided the applicable metadata you will need here below.
SSO URL: https://login.logikcull.com/login/callback?connection=[Connection ID]
Entity ID: urn:auth0:logikcull:[Connection ID]
For example, if you are provided with the connection ID 123 by the Logikcull team, you would use the following values:
Entity ID: urn:auth0:logikcull:123
If you have not received your Connection ID yet, please contact your Logikcull account manager or support@logikcull.com.
01 USER ATTRIBUTES
[ ] Logikcull requires that each user has the following attributes in your IdP (case sensitive):
Name ID
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName">jane.doe@testdomain.com</saml2:NameID>
First Name
<saml2:Attribute Name="given_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
Last Name
</saml2:Attribute><saml2:Attribute Name="family_name"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2: Attribute Name="email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
[ ] Logikcull usernames are the users’ email addresses. Please verify that for each user the email in your IdP matches the email for the user in Logikcull.
02 TEST USER READY
[ ] A test user is required to verify that SSO is working once enabled on your account. Please create a test user or engage an active user to participate in testing. This user must be granted access to your Logikcull account (and have accepted the emailed invite!) and assigned to the Logikcull app in your IdP. See User Attributes above for further information required for all users.
03 ADDING CURRENT USERS
[ ] All active domain users in your Logikcull account must be assigned to the
Logikcull app in your identity provider in order to authenticate and access Logikcull once SSO is enabled on our account. Before getting started with the SSO set up, make sure you have pulled a list of your Logikcull account users and grant them access to Logikcull in your IdP.
04 ADMINISTRATIVE RIGHTS
[ ] In order to enable SSO, you will need to have administrative rights to your Identity Provider service. Having your Logikcull account administrator available will be helpful!
Enabling SSO in Logikcull
Once you have read the guidance above and configured the Logikcull SAML app in your IdP, make sure you
have download the x509 signing certificate in a .pem or .cer format, and
copy the SSO login URL
In Logikcull go to your account preferences page and navigate to and click "Configure SSO". You will be prompted to enter your SSO login URL and upload the x509 signing certificate. You can optionally enter a logout URL if you so choose.
You will then click ready to test. When you do this, you as the Logikcull account admin should remain in this page in the app while you have your test user test logging in. Your test user should use a new browser or an incognito window to ensure that testing is not inaccurate due to a current Logikcull session or caching issues. When your test user is ready, click to confirm you are ready to test and have the test user test logging in. If they are successful, we recommend you have them logout of Logikcull (not just close the tab, but actually click to logout of Logikcull) and test again.
Upon successful SSO authentication you have two options:
Click "Reset" to disable SSO for now. You can repeat this 2.) Enabling SSO in Logikcull step when you are ready to enforce SSO for your users.
Click "Done" to enforce SSO for all your users. including yourself. Make sure if you do this that all your Logikcull users have been assigned to the Logikcull app in your IdP and that they are aware of the change in authentication method!
It is recommended that you do not display the tile for the Logikcull app in your IdP or generically provide a link to https://login.logikcull.com, as Logikcull SSO is SP-initiated, the login flow cannot be initiated by the IdP.
SSO Set-up troubleshooting
When configuring SSO, there are a few common errors that we can help you quickly check here. If you continue to experience issues, please contact support@logikcull.com.
1.) Double check each data entry you have made both in Logikcull and your IdP. An extra space, missed character, etc. can cause a failure.
2.) A user cannot authenticate and successfully access your Logikcull account unless the user has:
been invited to your Logikcull account in Logikcull;
accepted the invite by clicking the emailed invite link;
and has been assigned to Logikcull in your IdP.
Please make sure the above are all true for your test user prior to testing SSO.
3.) User emails are their usernames in Logikcull. You must ensure that the email being passed from your IdP matches the users email/username in Logikcull. A mismatch will result in failed authentication.
4.) Please be sure that users are logging in from https://login.logikcull.com vs. attempting to initiate the login from your IdP. Logikcull supports SP-initiated only, as this is a more secure implementation of SSO than IdP initiated SSO.
Frequently Asked Questions
How do I disable 2FA for my SSO (internal) users?
We strongly encourage that you leave 2FA enforced at the account level (under account preferences), and leave it to your SSO users to disable 2FA for their own user accounts by going to their user preferences. When SSO has been enforced for the user, they will be able to disable their 2FA setting. Leaving 2FA enforced at the account level will continue to enforce 2FA for your non-SSO (externally invited) users. As many Logikcull customers invite numerous external users, this is the best practice for maintaining layered login security controls.
Do I still need to invite users to the Logikcull account after SSO is configured?
Yes, Logikcull does not support user provisioning from your IdP at this time. Users must be assigned to Logikcull in the IdP and also invited to your Logikcull account(s) and project(s) as appropriate to their role from the Logikcull user administration tab in the app.