Skip to main content
All CollectionsCanny IntegrationsAuthentication Tools
OneLogin integration
OneLogin integration

Manage your team’s SSO access to Canny using OneLogin

Jacques Reulet avatar
Written by Jacques Reulet
Updated over a month ago

Overview

Allow your teammates one-click login access to Canny and automatically provision and deprovision your OneLogin users as admin members of your Canny workspace.

Benefits

  • Manage access securely and automatically via OneLogin single sign-on (SSO)

  • Easy login access for your team

How to set up OneLogin

Before you begin

  1. OneLogin is only available on the Business plan in Canny. Just start a chat or email sales@canny.io to get a quote!

  2. Owner-level admin permissions in Canny are required to connect the integration

  3. You will also need to be an admin in OneLogin

Connecting the integration

  1. First you’ll need to install the Canny app within your OneLogin organization. In OneLogin, go to the Applications tab and then click Add App. Search for "canny" and then click our app to begin the installation process:

  2. Next you'll see the initial configuration page like below. Make sure the "Visible in portal" toggle is enabled so that employees that are granted access to Canny will be able to see the one-click button in their OneLogin portal. Click Save to continue.

  3. Open a new browser tab and go to the OneLogin settings page in your Canny settings

  4. On that page, click the Generate SCIM Token button and copy the SCIM Bearer Token:


  5. Go back to OneLogin go to the app Configuration settings for Canny.

  6. Paste the SCIM Bearer Token into the corresponding field and click Enable. Then hit Save.

  7. Next go to the Parameters settings and ensure that it looks like the screenshot below. Most importantly, the Email field must be the OneLogin user's email address which must be unique across the entire company:

  8. Go to the Provisioning tab and toggle "Enable provisioning" on. Make sure that you configure the delete user action to be either "Delete" or "Suspend" so that the user is properly removed from your Canny company. Click Save to finish this step.

  9. Go to the SSO tab. From here, you’ll copy the Client ID, Client Secret, and the Issuer URL domain and paste them into the corresponding fields in the OneLogin settings page in your Canny settings:

  10. Go back to the OneLogin configuration tab and update the Login URL from https://canny.io/api/oneLogin/initiate to https://canny.io/api/oneLogin/initiate?refererDomain=https://your-domain.onelogin.com.

    1. Make sure to update "your-domain" with the Issuer URL domain:

That’s it! You’re now all set to manage user access to Canny via OneLogin. The next section covers that.

Granting Users Access to Canny

Now that you've configured OneLogin provisioning and SSO, you can grant users access to Canny. The steps below will walk you through granting access for a single user. You can use this to verify the entire flow works.

  1. In OneLogin, go to a user and enable the Canny application for them. Click Continue:

  2. Make sure "Allow the user to sign in" is enabled and then click Save:

  3. Finally, this user can now access the Canny app from their OneLogin dashboard. Once they click Canny, a new tab will open and they'll automatically be logged into their Canny account:

Provisioning Roles

Finally, for Canny business customers, we also support provisioning users with a default admin role.

  1. In OneLogin, navigate to the Canny application, go to Rules, and click Add rule:

  2. From here you can select conditions and then define actions. For example, anyone in a specific group can be assigned a role. Just select the condition(s) and define the action(s):

    Conditions in OneLogin can be based off of Roles, Departments, Titles, etc. In the above example, you can see it’s based on a OneLogin Group called "Project Managers".

    For Actions, use the Set Role (SCIM) in Canny dropdown to set the role in Canny. Then use the - Macro - option and manually define the role in the text field. It must match the role label in Canny.

    1. Owner

    2. Manager

    3. Contributor

    4. If you have a custom role set up, just put in the label you have set up in the Admins page in your Canny settings:

      The default role is Owner, so if that is left blank, that user will default to Owner-level permissions. If you provide an invalid role (i.e. one that does not match with an existing role in Canny), the user will not be provisioned.

  3. Finally, try provisioning a user in the Project Managers group then go to your Canny Admins settings page to confirm they've been added to your team with the correct role!

Things to note:

  • Provisioning Owner/Manager admin seats (or custom roles) may affect your billing. Please be cautious when provisioning users in bulk. Learn more

  • OneLogin is available only on the Business plan. Just start a chat or email sales@canny.io to get a quote!

  • OneLogin uses OIDC under the hood.

Related Articles:

Did this answer your question?