Note: SAML SSO is only available on the Supernode plan
Part 1:
Select the corresponding collapsible section for your SAML SSO Setup
SAML SSO with Okta
SAML SSO with Okta
Configuring SAML SSO with Okta
Configuring SAML SSO with Okta
❗️Important: You must be an admin to add Crossbeam as a new application
First, go to your Applications tab on Okta.
On the Applications tab, click Add Application.
Then you'll click Create New App.
In the pop-up modal:
Platform is Web
Sign on method is SAML 2.0
Click Create.
General Settings
App Name: Crossbeam
App Logo:
Right click and "Save Image As..." on our logo below!
App Visibility: (recommended) leave both unchecked
Configure SAML
Single sign on URL
Fill in the Single sign on URL in Okta with the Assertion Consumer Service (ACS) URL from your SSO Settings page in Crossbeam.
Audience URI (SP Entity ID)
Fill in the Audience URI (SP Entity ID) in Okta with the Entity ID from your SSO Settings page in Crossbeam.
Default RelayState
Leave blank.
Name ID format
Select EmailAddress
Application username
Select Email
Update application username on
Select Create and update
It should look like this:
You need to configure Okta to map its user metadata into a format that Crossbeam expects.
❗️Important
You will need to follow the spelling and capitalization EXACTLY as listed for the three fields below.
Set up the following attributes:
first (using Okta's user.firstName)
last (using Okta's user.lastName)
email (using Okta's user.email)
Like so:
Click Next.
Feedback
Are you a customer or partner?
Select: I'm an Okta customer adding an internal app
It should look like this:
The additional questions in the Feedback section are optional to complete.
Click Finish.
You should be taken to the Settings page on the Sign On page of your new app:
Click on View Setup Instructions in the settings box:
This will open a new tab with values you'll need to enter into Crossbeam:
Identity Provider Single Sign-On URL
X.509 certificate
You must copy and paste these values into your account's SSO Settings and click Save Settings.
🎉 You're all set!
Logging in to Crossbeam with your Okta SSO
Logging in to Crossbeam with your Okta SSO
Head to your SSO Settings page and grab your Organization Crossbeam Log In URL, that will look something like this:
This is the unique URL you'll need to log in to your organization on Crossbeam via Okta's SSO.
Logging in to Crossbeam via Okta
You can also assign people or groups to the Crossbeam app in Okta so that they can log in via the Crossbeam chiclet in their Okta dashboard.
Configure SAML SSO with Salesforce
Configure SAML SSO with Salesforce
Initial set-up steps to Configure SAML
Initial set-up steps to Configure SAML
✍️ Note
Certain attributes, such as email, first name, and last name, are required by Crossbeam to set up SAML SSO. The instructions below come from Okta initial set up, but can be re-used.
Single sign on URL
Fill in the Single sign on URL in Okta with the Assertion Consumer Service (ACS) URL from your SSO Settings page in Crossbeam.
Audience URI (SP Entity ID)
Fill in the Audience URI (SP Entity ID) in Okta with the Entity ID from your SSO Settings page in Crossbeam.
Default RelayState
Leave blank.
Name ID format
Select EmailAddress
Application username
Select Email
Update application username on
Select Create and update
It should look like this:
You need to configure to map its user metadata into a format that Crossbeam expects.
❗️Important
You will need to follow the spelling and capitalization EXACTLY as listed for the three fields below.
Set up the following attributes:
first (using Okta's user.firstName)
last (using Okta's user.lastName)
email (using Okta's user.email)
Like so:
Click Next.
Set-up steps continued
Set-up steps continued
❗️Important: Follow the Salesforce documentation Salesforce as a SAML Identity Provider before completing the steps below
Add First Name Attribute
After setting up the Connected App to Crossbeam in Salesforce, click on the Crossbeam App
On this page, scroll to the bottom and locate the Custom Attributes section. In the Custom Attributes section, you will click on the button labeled New
In the pop up modal, you will be adding a field mapping (custom attribute in SFDC parlance).
in the Key box, type first
click Insert Field button
In the Insert Field, pop up modal:
select $User> from the field list on the left box
scroll and select First Name from the middle box of attributes
click the Insert Field button and the modal will close
You will return to the first modal now displaying the fields you have added
click Save and the modal will close
You will return to the original Connected App page to repeat the same process to add the last name and email address fields as directed below.
Add Last Name Attribute
On the Connected App page, scroll to the bottom and locate the Custom Attributes section. In the Custom Attributes section, you will click on the button labeled New.
In the Key box, type Last and click the Insert Field button
In the Insert Field modal, select $User> to open a list in the middle box
Scroll and select Last Name from the list of attributes in the middle box
Click the Insert Field button and the modal will close
You will return to the first modal now displaying the fields you have added
Click Save and the Model will close
Add Email Address Attribute
On the Connected App page, scroll to the bottom and locate the Custom Attributes section. In the Custom Attributes section, you will click on the button labeled New.
In the Key box, type emailAddress and click the Insert Field button
In the Insert Field modal, select $User> to open a list in the middle box
Scroll and select Email from the list of attributes in the middle box
Click the Insert Field button and the modal will close
You will return to the first modal now displaying the fields you have added
Click Save and the Modal will close
The Custom Attributes section of the Connected App page will now display the following:
Part 2:
Use the collapsible sections below to require SSO within Crossbeam
Configuring SSO in Crossbeam
Configuring SSO in Crossbeam
From the Settings icon, click Organization Settings, scroll down to Login Options section.
Next, fill in the following fields:
Identity provider Single Sign On URL: This is the URL used to start the log in process.
X.509 certificate: This allows Crossbeam to validate SAML requests from your identity provider.
Click Save Settings when done.
❗️Important
The X.509 Certificate must be in this format:
-----BEGIN CERTIFICATE-----
Paste your signing certificate from your IdP here
-----END CERTIFICATE-----
Here is an example:
Next, enable SAML SSO by toggling on the enable option:
Enforcing SSO Log In
Enforcing SSO Log In
To enforce SSO log in, select Enable SAML SSO & Require SSO
SSO Exception User
SSO Exception User
When OAuth (Open Authentication) is required from external applications, you will need to establish an SSO Exception User with Crossbeam to complete the integration. This also gives the option to exclude users from being required to log in via SSO. We recommend including anyone who cannot log in via SSO, or any additional users who can still access Crossbeam in the event of an identity provider failure
✍️ Note
Any existing users will be removed from Crossbeam unless you enter them into the SSO Login Exceptions box. They will need to login via SSO method to be re-added to the account.
Pre-Provision SSO Users
Pre-Provision SSO Users
SSO-enabled organizations can pre-provision users from the Invite user modal, located under the Setting Icon & click Team. If SSO is allowed, toggle on Pre-Register using SSO for SSO login. If SSO is required, the toggle will be set to on and unable to be adjusted.
Invited users retain their specified seats and roles when they log in via SSO.
Click Send invites when done.
Just-in-Time (JIT) Provisioning
Just-in-Time (JIT) Provisioning
New teammates can add themselves to this workspace if they have the appropriate IdP credentials. Every new user that gains access for the first time via SSO will be given the Seat Type user role set up during SSO.
✍️ Note
Select the drop down arrow in the Full Access Role box to make changes to default role. Role access below
Hit Save Settings to save your SSO configuration.
Full Access seat Roles
Admin: Admins have the highest level of access. Can manage user roles in Crossbeam Core and Crossbeam for Sales
Standard user: manage partnership related features (data sharing, reports, shared lists, and attributing partners. Data Sources, Integrations, and users are view-only.)
Limited user: All features are view only
Sales Seat Roles
Manager: configures Crossbeam for Sales, manages other user's access to Crossbeam for Sales
Standard: full access to Crossbeam for Sales features, make partner requests, use Chrome extension, full access to Crossbeam Copilot, gets alerts, access to lists, access to Deal Navigator, reply to conversations, complete conversations and mark Attribution, does not have Crossbeam Core Access
Limited: full access to Crossbeam for Sales features listed for the Standard role (including access to Crossbeam Copilot), but can not make partner requests or access list, does not have Crossbeam Core Access
Logging into Crossbeam with SSO
Logging into Crossbeam with SSO
Each user can log into Crossbeam via the created "Crossbeam Tile" within your SSO set up
or
To log in to Crossbeam via SSO, you must have the login URL for your organization. It will look something like this:
You can find your specific org's log in on your Settings page:
Visiting that URL should take you to an SSO login landing page in Crossbeam that looks something like this:
If you click
Log in with SAML SSO, you will be taken to your IdP's login page. The following example shows Okta's login page:
Logging into your IdP will then subsequently log you in to Crossbeam.