What is single sign-on?
Single sign-on (SSO) lets you authenticate your login to different systems using the same login credentials. For LeadDesk this means you can log in to your LeadDesk user account(s) using your Azure AD or Google Workspace account.
User federation
LeadDesk SSO supports login events, but does not enable creating, updating or deleting users.
The user needs to already exist in LeadDesk and be Active in their LeadDesk user details.
Login flow
Whenever possible, LeadDesk uses a hybrid flow to quickly gather identity information from the Identity Provider (IdP) with minimal network requests. This diagram shows the flows of interactions when logging in using SSO and a supported IdP.
For an alternative view of the login process, see Login flow with built-in SSO IdP below.
Technical information
Technologies
- LeadDesk has built-in support for OpenID Connect.
- Through OpenID Connect, LeadDesk supports the Identity Providers (IdPs) Azure AD and Google Workspace.
- Azure AD and Google both use email addresses as their identifier.
Note that Azure AD has a few national portals that use different API endpoints, and these are not supported. This means you cannot use US government or Chinese Azure AD accounts to sign in to LeadDesk.
SAML 2.0
Support for SAML (Security Assertion Markup Language) in LeadDesk is only available through separate integrations that must be built for individual clients.
Settings in LeadDesk
Order the LeadApp
To use single sign-on for your users, you will need the appropriate LeadApp, available from the Lead App store:
User accounts
Any account that will use SSO to log in must have the user's email in the account's contact information. In your Admin account:
- Go to the Users page.
- Go to the User list subpage.
- If necessary, search for the account to update.
- Click on the account name to edit it.
- Go to the Contact information section and type the user's Email.
- Click the Save button.
Requiring SSO
To make Single Sign On use mandatory for users with a particular account level, in your Admin account:
- Go to the Users page.
- Go to the Settings subpage.
- In the Single Sign On section, click to tick the roles for which single sign on should be mandatory.
Remember that making SSO mandatory for a role will mean each account with that role must have the user's email address in their account information.
- Click the Save button.
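A pre-flight check for the reminder above, as an added example (not LeadDesk code): before ticking a role as SSO-mandatory, list the accounts in that role that have no usable email or are not Active. The CSV column names, the role names and the `idp_domains` allow-list are assumptions; LeadDesk's actual user export may look different.

```python
import csv
import io
import re

# Constructed sample export. Column names are hypothetical, not LeadDesk's format.
SAMPLE_EXPORT = """\
username,role,active,email
anna,Admin,yes,anna@example.com
bob,Agent,yes,
carl,Agent,yes,Carl@Example.com
dina,Agent,no,dina@example.com
erik,Manager,yes,erik@personal.test
fay,Agent,yes,fay-at-example.com
gus,Viewer,yes,
"""

# Loose shape check only: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def sso_preflight(export_text, mandatory_roles, idp_domains):
    """Return {username: [problems]} for accounts in SSO-mandatory roles."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["role"] not in mandatory_roles:
            continue  # SSO stays optional for this role
        problems = []
        email = (row["email"] or "").strip().lower()
        if not email:
            problems.append("missing email")
        elif not EMAIL_RE.match(email):
            problems.append("malformed email")
        elif email.rsplit("@", 1)[1] not in idp_domains:
            # Assumption: idp_domains lists every domain your IdP tenant manages.
            problems.append("email outside IdP domains")
        if (row["active"] or "").strip().lower() != "yes":
            problems.append("account not Active")
        if problems:
            findings[row["username"]] = problems
    return findings


if __name__ == "__main__":
    report = sso_preflight(SAMPLE_EXPORT, {"Admin", "Agent", "Manager"}, {"example.com"})
    for user, problems in report.items():
        print(f"{user}: {', '.join(problems)}")
```

Fix every reported account before saving the mandatory setting, so that no user in the affected roles is locked out.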
Settings for Microsoft's Azure AD
Generally, no additional settings are required on the Microsoft side, unless you have used Microsoft Entra to prohibit users from using external applications without permission. In this case you will likely want to grant permission to the LeadDesk SSO application for all users. Microsoft Entra refers to this as granting "tenant-wide admin consent".
Contact your LeadDesk CSM for help with this.
Login flow with built-in SSO IdP
This diagram illustrates the flow of a login using SSO to connect to a supported Identity Provider (IdP).