Set up Single-Sign On (SSO)
This page describes the generic setup for both OpenID and SAML types of integration.
Last updated
This page describes the generic setup for both OpenID and SAML types of integration.
Last updated
In Bird, a user with either the Organization Owner or Owner role.
Access to setup an application/integration in your Identity Provider.
Access to your domain's DNS records for domain verification.
DNS records
You'll need access to the DNS record for every domain that you and your team use to login to Bird.
For example:
If you login to Bird with an email address such as user@mydomain.com
then you will need to edit the TXT record for mydomain.com
.
If you also have users login via user@myotherdomain.com then you will also need to edit the TXT record for myotherdomain.com.
When setting up an OpenID integration with your identity provider, start by creating the setup on the identity provider side.
The main configuration item that will be needed is the redirect sign-in URL which is https://api.bird.com/auth/oidc/callback
.
Once the setup is complete, make sure to take a copy of the OpenID Client ID and Client Secret as these will be needed to complete the BirdCRM side of the setup.
Navigate to the SSO setup page by clicking on your Avatar in the bottom left, then selecting Settings and clicking on the Security tab.
Click Set Up SSO, then select OpenID.
Fill out a name for the SSO setup and fill out your identity provider URL as the Issue URL. This URL will depend on which identity provider you use. As an example, in Okta the format is normally companyname.okta.com
.
Fill out the Client ID and Client Secret that you generated and saved while setting up the integration in your identity provider.
In Other Scopes, fill out email and then select ‘New scope: email’ to add it, as shown in the screenshot below.
The setup should look something like this:
Click Confirm and your SSO configuration will be saved.
Now you need to set up the identity provider initiated login. From the Single-Sign On page, click on the 3 dots menu on the right of the identity provider you have configured, then click View.
You can see the Initiate Login URL at the bottom. Copy and paste this into the appropriate field in your Identity Provider configuration.
In order to restrict logins to only domains that you control, each unique domain you and your users login from will need to be validated. This is done via adding a TXT DNS record to the domain(s).
First click on the Domain Validation button available when viewing your SSO integration.
Enter your company domain name that you login with (e.g. companyname.com) and click Create.
You will then be presented with a unique string under the Challenge column that needs to be placed as a TXT record in your domain. If you are unsure how to add a TXT record please consult with your DNS provider.
Once you have added the TXT record to verify your domain, you can select Verify
If the TXT record was added correctly it will then show the Status of Verified.
You can now sign in with SSO!