How to Enable SSO for Crosschq
Enabling SSO with Crosschq
Crosschq provides your users with the ability to sign in via Single Sign-On (SSO). With SSO enabled, your users will be able to access your organization’s Crosschq account through your Identity Provider (IdP).
Which IdP/SSO providers are compatible with Crosschq?
Crosschq currently provides support for Okta with an out-of-the-box integration. If you are using another IdP, please contact email@example.com.
What is the process for setting up a Crosschq integration with Okta?
A user with administrator permission can manage and configure SSO settings to enable Okta Single Sign-On directly in your Crosschq account. The integration requires Okta’s Identity Provider Issuer key, found in your Okta application.
Initially, your organization should soft-enable SSO. This will put your Crosschq account in a hybrid state in which users can log in either using SSO or through the regular Crosschq login page using an email address and password. This allows your organization to test SSO without inadvertently locking out users if there’s a problem with the setup.
Once your organization has confirmed SSO is behaving as expected, you can flip the switch within Crosschq to fully enable SSO. At that point, SSO is your organization’s only way of logging into Crosschq.
There are a few things to be aware of before configuring SSO for your account.
When a user who does not already exist in your Crosschq account logs in for the first time via SSO, we will automatically create a Crosschq account for them, and we will give them Viewer permissions (this is the lowest level of account permissions in the application). You can change permissions later within Crosschq if needed.
Users who have existing Crosschq accounts need to log in via SSO using their existing Crosschq email address. If a user logs in with an email address that we do not recognize, we will create a new account for them, which could lead to users having multiple Crosschq accounts.
To prevent that issue, if your users’ SSO email addresses do not match their Crosschq email addresses, be sure to add their SSO email addresses to Crosschq and verify them before they attempt to log in via SSO.
If any members of your team inadvertently create duplicate Crosschq user accounts, please reach out to firstname.lastname@example.org for assistance resolving the issue.
Once SSO is fully enabled for your organization's Crosschq account, we will completely remove any existing Crosschq passwords from our database. If you decide at a later date to remove the SSO integration, all users will need to reset their passwords.
Deactivating a user in Okta does not deactivate their user account in Crosschq. Crosschq user sessions are set to expire after 24 hours, so a user may still be able to access Crosschq for up to that period of time after being removed from Okta. To immediately prevent users from being able to log into Crosschq, we recommend deactivating the user account in Crosschq at the same time you deactivate a user in Okta.
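The email-matching and deactivation points above can be checked before and after rollout by comparing user lists from both systems. The following is an added example, not Crosschq or Okta code: the CSV layouts, column names and sample rows are constructed assumptions, so adapt them to whatever exports you actually have.

```python
import csv
import io

# Constructed sample data; the column names are assumptions, not a real export format.
OKTA_EXPORT = """email,status
Alice.Smith@example.com,ACTIVE
bob@example.com,DEPROVISIONED
carol@corp.example.com,ACTIVE
erin@example.com,ACTIVE
"""
CROSSCHQ_EXPORT = """email,active,role
alice.smith@example.com,true,Admin
bob@example.com,true,Viewer
carol@example.com,true,Recruiter
dave@example.com,false,Viewer
"""

def load(text):
    """Index rows by email, normalized so case and whitespace do not cause false mismatches."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def audit(okta_csv, crosschq_csv):
    okta, cq = load(okta_csv), load(crosschq_csv)
    okta_active = {e for e, r in okta.items() if r["status"].upper() == "ACTIVE"}

    # Group Crosschq addresses by local part to spot the same person under another domain.
    by_local = {}
    for e in cq:
        by_local.setdefault(e.split("@")[0], []).append(e)

    # Active Okta users with no matching Crosschq email: their first SSO login
    # creates a new Viewer account. A non-empty list suggests a likely duplicate.
    unmatched = {e: by_local.get(e.split("@")[0], [])
                 for e in sorted(okta_active - set(cq))}

    # Users no longer active in Okta but still active in Crosschq: deactivate them
    # in Crosschq as well, since existing sessions can last up to 24 hours.
    stale = sorted(e for e, r in cq.items()
                   if r["active"].lower() == "true" and e in okta and e not in okta_active)
    return unmatched, stale

if __name__ == "__main__":
    unmatched, stale = audit(OKTA_EXPORT, CROSSCHQ_EXPORT)
    for email, candidates in unmatched.items():
        note = f"possible duplicate of {candidates}" if candidates else "new Viewer account"
        print(f"UNMATCHED {email}: {note}")
    for email in stale:
        print(f"STILL ACTIVE IN CROSSCHQ {email}")
```

Run the first check before soft-enabling SSO and the second on a schedule afterwards.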
How to Configure SSO with Okta?
To configure Okta in Crosschq, log in to Crosschq as an administrator. Select Organization Settings > Security > Authentication > Select Begin Configuration.
Then within your Okta application, select Applications > Crosschq > Select Sign-On and click View Set-Up Instructions.
Within the instructions, copy the Identity Provider Metadata URL.
Then enable the following checkboxes:
Update the Okta configuration to use email. Navigate back to the Crosschq application, paste the Identity Provider Metadata URL in the Okta Identity Provider Issuer section, and click Save Changes.
Next, switch your account to soft-enable mode to begin testing your SSO configuration.
To switch to soft-enable mode, select Save Changes after pasting the Okta IdP Issuer, then select Soft Enable SSO in the pop-up window.
We recommend keeping your account in a soft-enabled state only as long as is necessary to test SSO functionality. While you are in this soft-enabled state, you will see your Single Sign-On Status reflected as “In testing”.
Note: Once you begin testing your SSO configuration, users will have the option to log into Crosschq either using Okta or using a Crosschq password. Users who do not have a Crosschq password may set one by clicking the Forgot Password button on the Crosschq login page. Once you have confirmed all users can log in via SSO, you can require all users to log in using SSO moving forward by finalizing your SSO configuration.
In soft-enabled mode, users can authenticate either via SSO or with their username and password for Crosschq. However, users cannot switch back and forth. Once a user has logged in via SSO, they can only use SSO going forward.
Once the organization hard-enables SSO, ALL users must use SSO to authenticate.
If a new user has an Okta account but not a Crosschq account, Crosschq will create a Crosschq user account for them automatically the first time they log in via Okta. The user account will be created with Viewer permissions. Administrators can still invite users and change permissions in Crosschq using our existing process.
Finalize Configuration and Move to Fully Enabled State
Once your team has confirmed users can log in via SSO without issue, return to the Security Settings and check the box to make SSO Mandatory to log in. This moves your account to a fully enabled mode.
Then within the pop-up window, select the button to fully enable SSO.
Your Single Sign-On Status will update to Configured.
Note: Once your team hard-enables SSO, all user passwords will be deleted from Crosschq and cannot be recovered. Should your team remove its SSO configuration in the future, every user must request a password reset email and create a new password to regain access to Crosschq.
Signing into Crosschq with Okta
Once you've enabled Okta for your organization, here are the steps to sign in with Okta.
On your Crosschq login page, click the login with SSO link.
Enter your email and click sign in with Okta. You will then be logged in to Crosschq via SSO.