How to configure SSO and Directory Sync (SCIM)

Simplify the sign-on & provisioning process for your Enterprise team. ⚙️

Loom provides single sign-on (SSO) for Enterprise users to simplify the user sign-in and provisioning process and allow access to Loom using a wide range of authentication sources. Your Workspace must be subscribed to the Enterprise plan if you wish to set up SSO & provisioning. 

This guide walks you through three steps: domain verification, configuring SSO, and configuring Directory Sync (SCIM).

Domain verification

Before you can configure SSO or Directory sync, an Admin will need to add domains you want to authorize. Here is how you can do this:

  1. Go to your Workspace settings by clicking on Settings in the left navigation bar of your Library.
  2. Open the Security tab and you will see the Authorize Domains section to add the domains you want to authorize.
  3. You can use one of two verification methods: either via email to specific inboxes in the domain or via adding a DNS TXT record to your domain. If you choose to email, you need to choose destinations to send a verification email (e.g. admin@domain.com). After adding the domains, you'll see that they're listed as pending validation.

    ⚠️
Please check to make sure that there are no users with outside domains already invited to your Workspace. If there are any existing members of your Workspace with domains other than the ones you authorize (domain.com in this example), they'll be blocked from logging into Loom.
  4. Check the email you listed as the destination for your verification email in the prior step. You should receive a message from Loom verifying the domain. ✅
  5. After verifying the domain, you'll see that your domain is now verified in your Loom security settings and listed as an authorized domain.

[Screenshot: the verified domain listed under authorized domains in the Security settings]

Configuring SSO

Before configuring SSO, please check to make sure that there are no users with outside domains already invited to your Workspace. If there are any existing members of your Workspace with domains other than the ones you authorized (domain.com in this example), they'll be blocked from logging into Loom once SSO is enabled.
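A pre-flight check for the warning above, written here as an added example (it is not Loom's code and does not use a Loom API): given an export of Workspace member addresses and the list of authorized domains, it lists the members who would be blocked once SSO is enabled. The member list and domains are constructed sample data, and the exact-domain matching rule (a subdomain counts as a different domain) is an assumption.

```python
"""Pre-flight check: which Workspace members sit outside the authorized domains?"""
from typing import Iterable, List


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def members_blocked_by_sso(members: Iterable[str], authorized_domains: Iterable[str]) -> List[str]:
    """Members whose domain is not in the authorized list.

    Matching is case-insensitive on the full domain. Assumption: a subdomain such as
    eng.domain.com is not covered by an authorization for domain.com, so it is flagged.
    """
    allowed = {d.strip().lower().lstrip("@") for d in authorized_domains}
    return sorted(m for m in members if email_domain(m) not in allowed)


# Constructed sample data: a member export and the domains authorized in Loom.
MEMBERS = [
    "ana@domain.com",
    "Bo@DOMAIN.com",
    "contractor@partner.example",
    "dev@eng.domain.com",
]
AUTHORIZED = ["domain.com"]

if __name__ == "__main__":
    for member in members_blocked_by_sso(MEMBERS, AUTHORIZED):
        print("would be blocked after SSO is enabled:", member)
```

Run it against a real member export before clicking Configure SSO; anyone it lists needs either their domain authorized or a different sign-in address first.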

An Admin can configure SSO following the steps below:

  1. Go to the Security tab in your Workspace settings by clicking on Settings in the left navigation bar of your Library.
  2. You will see the SSO & Directory Sync section. At least one domain must be authorized before you can proceed.
  3. Click on the Configure SSO button and you will be guided through a step-by-step process to set up SSO.

[Screenshot: the SSO & Directory Sync section of the Security tab, including the Default role setting]

  4. Once SSO is set up, you will be able to set the Default role for newly provisioned users in the Security tab, as seen in the screenshot above. You can also manage user roles using your IdP groups, as detailed in the next section.

Configuring Directory Sync (SCIM)

Once you have configured SSO following the instructions above, you can configure SCIM by following the steps below. 

 ℹ️ Important note

The WorkOS setup guide will tell you to create a separate app for SCIM, as it does not assume that you use the same IdP as your SSO provider. It is not necessary to create a separate SCIM app - we have included the steps for Okta below if you want to use the app you created for SSO. 
  1. Open your Workspace settings and visit the Security tab. Then click on Configure Directory Sync and you will be guided through a step-by-step process to set up Directory sync. 
    ⚠️ We highly recommend reading through the steps below so you know what to look out for, instead of relying solely on the WorkOS setup guide.
  2. For Okta customers who want to use the same app for both SSO & SCIM:
      1. In Step 1: Create Okta Application, do not create a new app. Instead, go to the app you created for SSO and go to General, then Edit and select SCIM as your provisioning option. Click Save.
        [Screenshot: Okta app General settings with SCIM selected as the provisioning option]

      2. In the WorkOS setup console, you can now proceed to Step 2: Configure Okta API Integration. Scroll down until you see the Endpoint and Bearer Token.
        [Screenshot: WorkOS setup Step 2 showing the Endpoint and Bearer Token]
      3. You will copy these into your Okta app. Go to the Provisioning tab, then click on Integration in the sidebar and click Edit.
        [Screenshot: Okta Provisioning tab, Integration settings]
      4. Fill out the fields as shown in the screenshot above: paste the base URL from the WorkOS setup guide into the SCIM connector base URL field. Set Unique identifier field for users to "email". Check Push New Users, Push Profile Updates, and (if desired) Push Groups. For Authentication Mode, select HTTP Header and paste the Bearer Token from the WorkOS setup into the token field. Click Save.

        ⚠️ You must set Unique identifier field for users to "email" for provisioning to work if you want to use the same app for both SSO & SCIM. 
  3. In Step 3: Set up Attribute Mapping, you will see that we support a custom attribute called loomMemberRole. This optional custom attribute allows an IT admin to set the user's Loom role from within the IdP.

    That attribute accepts only the following values (strings): Default, Creator, Viewer, Admin

    The Default value is useful for migrating to managing roles in the IdP. The Default value will keep the user's role as it is in Loom, or, if the user is new, it will assume the "Default user role" as configured in the SSO setup steps above. Once a user's value has been changed to Creator, Viewer, or Admin, the Default value should no longer be necessary for that user. 

    See below for an example of setting this attribute in Okta:

    [Screenshot: the loomMemberRole attribute mapping in Okta]

    Note: If the attribute needs to be created from scratch, use the name below as the external namespace.
    👉 urn:ietf:params:scim:schemas:core:2.0:User


  4. Follow the remaining steps in the WorkOS setup guide to complete setup. 

💡 Recommendation

When onboarding users to SCIM for the first time, we recommend onboarding everyone as Default, then creating specific groups for the roles (creator, viewer, or admin). Then give these groups a higher priority than the default group, and move the users to the appropriate group.


When managing roles through IdP groups keep in mind the following:

  • You can manage custom attributes per group, so we often recommend that IT admins create three groups: Loom Creators, Loom Viewers, and Loom Admins.
  • In Okta, priorities matter, so if a user is a member of both Loom Creators and Loom Admins, make sure Loom Admins has a higher priority than Loom Creators so that Admin takes precedence.
  • When a user is added to, say, the Loom Creators group, they are not only assigned the Loom app but also automatically get the Creator role, regardless of the Default User Role.
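The role logic described in the attribute-mapping step and in the group recommendations above, modelled as an added example (not Loom's, WorkOS's or Okta's code): a user's group memberships are resolved against an ordered priority list into a loomMemberRole value, the value is validated against the four allowed strings and placed into a SCIM User payload under the core User namespace, and the documented meaning of Default (keep an existing user's role, give a new user the Workspace's default role) is applied. The attribute name, allowed values and schema URN come from the page; the payload shape, the priority-list representation and the sample users are assumptions.

```python
"""Model of loomMemberRole provisioning: group priority -> attribute value -> effective role."""
from typing import Dict, List, Optional, Sequence, Tuple

# Schema URN the page gives as the external namespace for the custom attribute.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM_ROLE_ATTRIBUTE = "loomMemberRole"
# The only values the attribute accepts (strings, spelled as the page lists them).
ALLOWED_ROLE_VALUES = ("Default", "Creator", "Viewer", "Admin")


def validate_role_value(value: str) -> str:
    """Reject anything outside the documented value set before it is pushed to the SCIM endpoint."""
    if value not in ALLOWED_ROLE_VALUES:
        raise ValueError(f"{CUSTOM_ROLE_ATTRIBUTE} must be one of {ALLOWED_ROLE_VALUES}, got {value!r}")
    return value


def role_from_groups(memberships: Sequence[str], role_groups: Sequence[Tuple[str, str]]) -> str:
    """Take the attribute value from the highest-priority role group the user belongs to.

    role_groups is ordered highest priority first (assumption: this mirrors the Okta
    priority list, with Loom Admins above Loom Creators). A user in no role group
    gets "Default".
    """
    member_set = set(memberships)
    for group_name, role_value in role_groups:
        if group_name in member_set:
            return validate_role_value(role_value)
    return "Default"


def resolve_effective_role(role_value: str, existing_role: Optional[str], default_user_role: str) -> str:
    """Apply the documented semantics: Default keeps an existing user's current role,
    or assigns the Workspace's Default user role to a new user; other values apply as-is."""
    validate_role_value(role_value)
    if role_value != "Default":
        return role_value
    return existing_role if existing_role is not None else default_user_role


def build_scim_user(email: str, role_value: str, active: bool = True) -> Dict:
    """Constructed SCIM User payload carrying the custom attribute in the core User namespace.
    userName is the email because the unique identifier field must be set to "email"."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "emails": [{"value": email, "primary": True}],
        "active": active,
        CUSTOM_ROLE_ATTRIBUTE: validate_role_value(role_value),
    }


def provision(
    email: str,
    memberships: Sequence[str],
    role_groups: Sequence[Tuple[str, str]],
    existing_role: Optional[str],
    default_user_role: str,
) -> Tuple[Dict, str]:
    """Full path for one user: memberships -> attribute value -> payload -> effective Loom role."""
    role_value = role_from_groups(memberships, role_groups)
    payload = build_scim_user(email, role_value)
    return payload, resolve_effective_role(role_value, existing_role, default_user_role)


# Constructed priority list for the three groups the page recommends, highest priority first.
ROLE_GROUPS: List[Tuple[str, str]] = [
    ("Loom Admins", "Admin"),
    ("Loom Creators", "Creator"),
    ("Loom Viewers", "Viewer"),
]

if __name__ == "__main__":
    # Constructed sample users: (email, groups, role already held in Loom or None if new).
    samples = [
        ("alice@domain.com", ["Loom Creators", "Loom Admins"], "Viewer"),  # both groups: Admin wins
        ("bob@domain.com", [], "Viewer"),                                   # no group: keeps Viewer
        ("carol@domain.com", [], None),                                     # new user: default role
    ]
    for email, groups, existing in samples:
        payload, role = provision(email, groups, ROLE_GROUPS, existing, "Creator")
        print(f"{email}: {CUSTOM_ROLE_ATTRIBUTE}={payload[CUSTOM_ROLE_ATTRIBUTE]} -> effective role {role}")
```

The order of ROLE_GROUPS is the whole point of the Okta priority bullet: swap the first two entries and a user in both groups is provisioned as Creator instead of Admin, which is the kind of silent privilege change worth catching in a test before you reorder groups in the IdP.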

FAQ

Does this setting work on all domains? 

No, approved domain settings only work with non-public domains. If your domain is Gmail, Yahoo, Outlook, or a similar public domain, you won't have this option.

Can my Workspace have multiple approved domains?

Yes. Your approved domains list will depend on the domains of the people in your Workspace.

Can I remove a domain from my workspace?

At this time, you will not be able to remove a domain. If you have multiple domains or recently changed your domain and need one deleted, please contact our support team and we'll do our best to assist.


Questions, comments, concerns? Contact us here.

Happy recording! 🎥 😄
