Simplify the sign-on & provisioning process for your Enterprise team. ⚙️
Migrating from our old SSO setup? Check out this migration guide.
Loom provides single sign-on (SSO) for Enterprise users to simplify the user sign-in and provisioning process and allow access to Loom using a wide range of authentication sources. Your Workspace must be subscribed to the Enterprise plan if you wish to set up SSO & provisioning
This guide will walk you through the following steps:
Before you can configure SSO or Directory sync, an Admin will need to add domains you want to authorize. Here is how you can do this:
- Go to your Workspace settings by clicking on Settings in the left navigation bar of your Library.
- Open the Security tab and you will see the Authorize Domains section to add the domains you want to authorize.
- You can use one of two verification methods: either via email to specific inboxes in the domain or via adding a DNS TXT record to your domain (steps here). If you choose to email, you need to choose destinations to send a verification email (e.g. firstname.lastname@example.org). After adding the domains, you'll see that they're listed as pending validation.
⚠️ Please check to make sure that there are no users with outside domains already invited to your Workspace. If there are any existing members of your Workspace with domains other than domain.com, they'll be blocked from logging into Loom.
- Check the email you listed as the destination for your verification email in the prior step. You should receive a message from Loom verifying the domain. ✅
- After verifying the domain, you'll see that your domain is now verified in your Loom security settings and listed as an authorized domain.
Before configuring SSO, please check to make sure that there are no users with outside domains already invited to your Workspace. If there are any existing members of your Workspace with domains other than domain.com, they'll be blocked from logging into Loom once SSO is enabled.
An Admin can configure SSO following the steps below:
- Go to the Security tab in your Workspace settings by clicking on Settings in the left navigation bar of your Library.
- You will see the SSO & Directory Sync section. At least one domain must be authorized before you can proceed.
- Click on the Configure SSO button and you will be guided through a step-by-step process to set up SSO.
- Once SSO is set up you will be able to set the Default role for newly provisioned users in the Security tab as seen in the screenshot above. You are also able to manage user roles using your IdP groups, as detailed in the section: Configuration Directory Sync (SCIM).
- If you want to ensure that your SSO configuration is working correctly before enforcing SSO on your users, you can use the Enforce SSO setting. You can keep the setting toggled off while you are testing & troubleshooting, so that users can continue signing onto Loom uninterrupted using their email and password.
If any users were accessing this workspace prior to configuring SSO, please instruct them to log out of their current Loom session and log back in again via SSO. Once SSO is configured, they will not be recognized as a workspace member until they log back in via SSO. We recommend communicating this to your workspace members as soon as SSO is live to avoid any interruptions in access/sharing.
Domain Capture determines how the workspace membership for signed-up users within your verified domain(s) is managed once you enable SSO. It can ensure users with your domain join your workspace.
⚠️ If you have Directory Sync enabled, account provisioning will occur automatically when you add a user to your directory that is connected to Loom.
- Go to the Security tab in your Workspace settings by clicking on Settings in the left navigation bar of your Library. You must have SSO enabled in order to see the Domain Capture settings at the very bottom.
- There are two options:
- Off: New users within your domain(s) with Loom accounts will not be automatically added to your Enterprise workspace. Instead, they will have a free account outside of your Enterprise workspace and you will not be able to manage their account unless you invite them or directly provision an account for them via SCIM.
- Capture new users in my domain (default setting): All users within your domain(s) will automatically join your Enterprise workspace. If there are existing Loom users that belong to their own Starter or Business workspace, they will be added to your Enterprise workspace as an additional workspace. You can ask them to transfer their content to the Enterprise workspace using these steps.
- Once you have made your preferred changes, click Save.
Configuring Directory Sync (SCIM)
SCIM enables changes made in the IdP to be immediately pushed to Loom. Instead of waiting for a user to attempt to log in and then provisioning them Just in Time, we provision them the moment they are added to the Loom app in their IdP. Likewise, when users are deactivated in the IdP and SCIM is turned on, they will immediately be deactivated in Loom (without SCIM, users aren’t technically deactivated until they attempt to log in again).
Once you have configured SSO following the instructions above, you can configure SCIM by following the steps below.
Important NoteThe WorkOS setup guide will tell you to create a separate app for SCIM, as it does not assume that you use the same IdP as your SSO provider. It is not necessary to create a separate SCIM app - we have included the steps for Okta below if you want to use the app you created for SSO.
Open your Workspace settings and visit the Security tab. Then click on Configure Directory Sync and you will be guided through a step-by-step process to set up Directory sync.
⚠️ We highly recommend reading through the steps below so you know what to look out for, instead of relying solely on the WorkOS setup guide.
For Okta customers who want to use the same app for both SSO & SCIM:
In Step 1: Create Okta Application, do not create a new app. Instead, go to the app you created for SSO and go to General, then Edit and select Enable SCIM provisioning as your provisioning option. Click Save.
- In the WorkOS setup console, you can now proceed to Step 2: Configure Okta API Integration. Scroll down until you see the Endpoint and Bearer Token.
- You will copy these into your Okta app. Go to the Provisioning tab, then click on Integration in the side bar and click Edit.
- Fill out the fields as shown in the screenshot above: Paste the base URL from the WorkOS setup guide into the SCIM connector base URL field. For Unique identifier field for users, set to "email". Check the Push New Users, Push Profile Updates, and Push Groups (if desired). For Authentication Mode, select HTTP Header and paste the Bearer Token from the WorkOS set up to the field. Click Save.
⚠️ You must use set Unique identifier field for users to "email" for provisioning to work if you want to use the same app for both SSO & SCIM.
- In Step 1: Create Okta Application, do not create a new app. Instead, go to the app you created for SSO and go to General, then Edit and select Enable SCIM provisioning as your provisioning option. Click Save.
In Step 3. Set up Attribute Mapping, you will see that we support a custom attribute called 'loomMemberRole'. This optional custom attribute allows an IT admin to set the user’s Loom role from within the IdP. Please note that not all IdPs support group-level attributes.
That attribute can only have the following attributes (strings):The default value is useful for migrating to managing roles in the Idp. The Default value will keep the user’s role as it is in Loom, or if the user is new, it will assume the “Default user role” as configured in the SSO setup steps above. Once changed to creator, viewer, or admin, this role should no longer be necessary.
See below for an example of setting this attribute in Okta:
Note: If the attribute needs to be created from scratch, use the name below as the external namespace.
- Follow the remaining steps in the WorkOS setup guide to complete setup.
💡 Recommendation for Okta customersWhen onboarding users to SCIM for the first time, we recommend onboarding everyone as Default, then creating specific groups for the roles (creator, viewer, or admin). Then assign these groups in a higher priority than the default one, and move the users to the appropriate group.
What to keep in mind when managing roles through Okta groups?
- You can manage custom attributes per group, so we often recommend IT admins to create 3 groups: Loom Creators, Loom Viewers, and Loom Admins.
- In Okta, priorities matter, so if a user is a member of Loom Creators and Loom Admins, make sure to have Loom Admins above in priority than Loom Creators so Admin takes precedence.
- When a user is added to, say, the Loom Creators group, they not only get assigned the Loom app but they automatically get the Creator role, regardless of what is the Default User Role.
You can choose what happens to a user in Loom upon SCIM de-provisioning to ensure their content is retained upon leaving your company.
Open your Workspace settings and visit the Security tab. Scroll down to Member Deprovisioning.
- By default, the setting will be set to Deactivate. When the member is deactivated via SCIM, they can no longer log into Loom and their content remains associated with the deactivated account. Posted content remains accessible, and all other content remain accessible via links.
- Alternatively, you can choose to Delete the user from the workspace. Upon deletion, you can choose to either transfer their content or delete their content.
- If you choose Transfer content to another member, you will need to select a Admin or Creator as the target user to transfer the content to. Upon transferring, all of the deleted user's content (posted & unposted) will appear in a folder in the target user's library as: [Email address] - [User name]'s content.
Note: If at any point SCIM attempts to deactivate or demote a target user to a Viewer, the attempt to deactivate will fail and we will send you an email notification letting you know that you need to choose a new target user. Please ensure that you re-attempt deactivation from your IdP side after you have switched the target user.
- If you choose Delete content, you will be deleting all of the member's content. Please proceed with caution as any deletion is not reversible.
No, approved domain settings only work with non-public domains. If your domain is Gmail, Yahoo, Outlook, or a similar public domain, you won't have this option.
Yes. Your approved domains list will depend on the domains of the people in your Workspace.
At this time, you will not be able to remove a domain. If you have multiple domains or recently changed your domain and need one deleted, please contact our support team and we'll do our best to assist.
Questions, comments, concerns? Contact us here.
Happy recording! 🎥 😄