Description
Setting up Single Sign-On (SSO) ensures members can securely access the BetterUp® platform. This page includes an overview of SSO, detailed configuration steps, and troubleshooting tips. The goal is to ensure a smooth and secure authentication process for users accessing the BetterUp platform.
Key takeaways
- BetterUp offers both self-service and guided support options for setting up SSO, with the latter recommended for complex setups or post-launch implementation.
- It’s advised to complete SSO setup before program launch to ensure seamless integration and minimize disruptions for users.
- Thorough testing of the SSO integration with your IT provider is crucial, and communication with members about the impact of SSO on login procedures is advised.
When to do this:
- Pre-Launch: Complete the SSO setup before your program launch date to ensure smooth integration and avoid any disruptions. This allows adequate time for testing and addressing any potential issues.
- Post-Launch: We highly recommend that you reach out first to your account manager to ensure that the SSO is set up correctly in order to avoid any disruptions for members.
Steps to complete:
Share this article and the accompanying guide with your internal IT team. Unsure of who to share this guide with internally? We suggest reaching out to any of the following individuals:
- IT Manager
- Application security administrator
- IT security engineer
- System administrator
- Network administrator
- Computer system manager
- IT coordinator
- Network engineer
Best Practices:
- BetterUp SSO setup is recommended to complete prior to a program launch date. However, if you are setting up SSO after the program has launched, this guide still applies.
- Your IT provider will want to test the integration before assigning the application to users in the Identity Provider (IdP). Once the integration has been tested, ensure that BetterUp app access has been granted to the correct members via your IdP before enabling.
- We highly recommend allowing access to your entire organization in your IdP to the BetterUp App (license provisioning is still managed within BetterUp). If you need to restrict access only to BetterUp members and admins, be aware that if the Manager Feedback tool is enabled, managers of members will also require access to the app.
- We recommend that you communicate with members what to expect when logging into BetterUp through SSO. Once SSO is enabled, it will impact your entire organization: members, managers, and partners will all be required to log in through SSO.
- Discuss with your IT provider if there are any special requirements you might need to consider such as including alternative emails or external IDs.
- This guide provides all the information for you to set up SSO via self-service. If you are working with the Tech IPM team and they have shared with you the SAML config information then you can skip the first part of this guide and continue to Configure BetterUp with your IdP.
- SSO can be set up with our self-service tool in the partner settings, if you need additional support please reach out to tech-ipm@betterup.co.
- If SSO has already been set up in the past and you are having any issues please reach out to our support team at support@betterup.co .
Troubleshooting:
Even when your SSO test is successful, there may be a few reasons for members experiencing issues with SSO. You can find more detailed information on SSO testing and troubleshooting and errors in the SSO Configuration guide.
Here are some common issues:
-
Your users are not provisioned for the app.
-
The user was blocked from signing in to BetterUp at the IdP and needs to be provisioned/assigned access to our service.
- Solution 1: Check that the emails of the members experiencing errors have been provisioned in the IdP to access BetterUp through SSO.
- Solution 2: Consult your IdP administrator with the included message.
-
The user was blocked from signing in to BetterUp at the IdP and needs to be provisioned/assigned access to our service.
-
There may be a member email mismatch.
-
Sometimes when a member has more than one email linked to BetterUp, and they’ve provisioned only one of these emails to access BetterUp through the IdP, the member may not see SSO activated for the other emails.
- Solution 1: Try logging in with another email address that may be associated with BetterUp.
- Solution 2: Check your IdP to ensure that your email has been provisioned to access BetterUp.
- Solution 3: Consult your IT provider with the included error message
- Solution 4: Contact BetterUp support about changing the email address associated with BetterUp.
-
Sometimes when a member has more than one email linked to BetterUp, and they’ve provisioned only one of these emails to access BetterUp through the IdP, the member may not see SSO activated for the other emails.
Additional Technical Remarks:
- SSO requirements include support for Service Provider-initiated SSO and SAML 2.0.
- BetterUp supports encrypted SAML assertions.
- Ensure email, first name, and last name attributes match between BetterUp and IdP.
- The guide also provides support on how to set up SSO on Azure, Google, Okta & PingFederate.
Related Resources
Please use this guide for step-by-step instructions on how to setup SSO