You can use Single Sign-on (SSO) to log in to your Freshworks account via OpenID Connect. It is an industry standard supported by identity providers such as Azure Active Directory, Google G-Suite, Okta, and OneLogin.


To learn more about SSO, refer to these articles below.


How does OpenID Connect work? 

OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows service providers (SP) like Freshworks to verify the identity of a user based on the authentication performed by an identity provider (IdP). We obtain basic profile information about the user in a secure manner, thus allowing us to grant access to the Freshworks application. 

Any change the users make to their account (first name, last name, email) is synced back to their Freshworks profile. The only user data that is necessary for Freshworks is a unique identifier for each user, i.e. the user's first name, last name, and email. Freshworks doesn't store passwords.


Step-by-step process on how to configure SSO with OpenID Connect

  1. Log in using your organization URL. Click on the 'Security' icon in the sidebar.
  2. Under Security > Agents & Employees > Default Login Methods, you can enable SSO to simplify your users' login experience.
  3. Choose OpenID Connect as your login protocol and the IdP of your choice.
    Note: Organization Admins are the only ones who can configure SSO. Default login methods are applicable for all users in the organization, including admins/agents. If you want to create specific policies for a particular account or portal, configure them under Custom Policies. For contacts, configure any security policies under Security > Contacts.
    Note: You can access the Neo Admin Center by opening the Freshworks Switcher and clicking on your organization domain link.
  4. Use the Redirect URL provided by Freshworks in your Identity provider configuration.
  5. You will be presented with the following fields that you need to fill with the information you get from the IdP side:
    • Client ID
    • Client secret
    • Authorization URL (to redirect to the login page of IdP, if not already logged in)
    • Access token URL (to get the user access token)
    • Logout URL (optional - user will be redirected to this page on logout)


Params to be shared 


| Name | Description | Sample Value | Minimum requirement |
| --- | --- | --- | --- |
| Client Id | Client Id as generated by IdP | xxxx | Required. |
| Client Secret | Client secret as generated by IdP | xxxx | Required. |
| Logout Redirect URL | URL where the user should be redirected post logout. | https://www.freshworks.com | Optional |
| Login display title | Text that will be displayed on the login button | Login with Awesome Company | Required |
| Logo URL | Logo to be displayed on the login page. Size should be 36x36 px. Only PNG & SVG is accepted | | Optional |
| Authorization Server Metadata URI | | | Required [Not required if Authorization & Token Endpoint is provided] |
| Authorization Endpoint | URI where the user should be sent to for authorization | | Required [Not required if Authorization Server Metadata URI is provided] |
| Token Endpoint | Endpoint URI that is used to exchange token | | Required [Not required if Authorization Server Metadata URI is provided] |
| User Info Endpoint | Endpoint URI that will be used to fetch user info | | Optional. If id_token contains entire information, this URL is not needed. |
| Scopes | Scopes that should be used during authorization call. [Not required if metadata URI is provided] | openid email profile phone address | openid email |
| Claim Id | The claim that holds Id of the user | sub | Required |
| Claim Email | The claim that holds the email address of the user | email | Required |
| Claim First Name | The claim that holds the first name of the user | preferred_username | Optional |
| Claim Middle Name | The claim that holds the middle name of the user | middle_name | Optional |
| Claim Last Name | The claim that holds the last name of the user | last_name | Optional |
| Claim Phone | The claim that holds the phone number of the user | phone_number | Optional |
| Claim Mobile | The claim that holds the mobile number of the user | mobile | Optional |
| Claim Locale | The claim that holds the Locale of the user | locale | Optional |
| Claim Job Title | The claim that holds the job title of the user | job_title | Optional |
| Claim Company | The claim that holds the company name of the user | company | Optional |


Note: The call from Freshworks to the token endpoint has a timeout of 10 seconds.
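
The requirement rules in the parameter table above can be checked before the values are entered. The following Python is an added example, not Freshworks code: it validates a set of parameters against the "Minimum requirement" column and reports whether the User Info Endpoint is needed for a given set of ID token claims. The dictionary key names, the sample values (idp.example is a placeholder) and the https check are assumptions introduced here.

```python
from urllib.parse import urlparse

# Hypothetical key names for the table's parameters (not Freshworks field names).
REQUIRED = ("client_id", "client_secret", "login_display_title", "claim_id", "claim_email")
URL_FIELDS = ("metadata_uri", "authorization_endpoint", "token_endpoint",
              "userinfo_endpoint", "logout_redirect_url", "logo_url")
MIN_SCOPES = {"openid", "email"}  # "Minimum requirement" column for Scopes

def validate_config(cfg):
    """Return a list of problems; an empty list means the table's rules are met."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not cfg.get(k)]
    has_meta = bool(cfg.get("metadata_uri"))
    has_endpoints = bool(cfg.get("authorization_endpoint")) and bool(cfg.get("token_endpoint"))
    if not (has_meta or has_endpoints):
        problems.append("need metadata_uri or both authorization_endpoint and token_endpoint")
    # Scopes are not required when the metadata URI is provided.
    if not has_meta and not MIN_SCOPES <= set((cfg.get("scopes") or "").split()):
        problems.append("scopes must include at least: openid email")
    # Added hardening check (assumption, not stated in the table): https URLs only.
    for k in URL_FIELDS:
        if cfg.get(k) and urlparse(cfg[k]).scheme != "https":
            problems.append(f"{k} is not an https URL")
    return problems

def needs_userinfo(cfg, id_token_claims):
    """True when the ID token lacks a mapped claim, so the User Info Endpoint is needed."""
    mapped = [v for k, v in cfg.items() if k.startswith("claim_") and v]
    return any(claim not in id_token_claims for claim in mapped)

# Constructed sample values; idp.example is a placeholder IdP.
GOOD = {
    "client_id": "xxxx", "client_secret": "xxxx",
    "login_display_title": "Login with Awesome Company",
    "metadata_uri": "https://idp.example/.well-known/openid-configuration",
    "claim_id": "sub", "claim_email": "email", "claim_first_name": "preferred_username",
}
BAD = {
    "client_id": "xxxx", "client_secret": "xxxx",
    "login_display_title": "Login with Awesome Company",
    "authorization_endpoint": "http://idp.example/authorize",  # no token endpoint, not https
    "scopes": "openid profile",                                # lacks "email"
    "claim_id": "sub",                                         # Claim Email mapping missing
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_config(cfg) or "ok")
```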

If you need further assistance, please feel free to write to [email protected] with your queries. We're more than happy to help.