How to Set Up Single Sign-On (SSO) in Freshservice
Quick Summary
Single Sign-On (SSO) in Freshservice lets your team access the IT service management platform using one set of login credentials — no more juggling multiple passwords. In this guide, you will learn exactly how to configure SSO in Freshservice, which identity providers are supported, and how to troubleshoot the most common issues. Whether you are a system administrator or an IT manager, this step-by-step walkthrough makes the process straightforward.
What Is Freshservice and Why Does SSO Matter?
Freshservice is a cloud-based IT Service Management (ITSM) platform developed by Freshworks. It helps organizations streamline IT support, automate workflows, and manage assets — all from a single, intuitive interface. You can learn more about Freshservice ITSM Software and its full feature set to understand how it fits into your IT ecosystem.
As organizations grow, managing individual logins for every tool becomes a serious burden. Furthermore, weak or reused passwords create security gaps that attackers actively exploit. This is exactly where Single Sign-On solves a critical pain point: employees authenticate once through a central identity provider, then access Freshservice — and other connected tools — without logging in again.
SSO in Freshservice is not just about convenience. It also enforces consistent security policies, simplifies user provisioning, and reduces helpdesk tickets related to forgotten passwords. In short, setting up SSO in Freshservice is one of the most impactful configuration decisions an IT administrator can make.
What Is Single Sign-On (SSO) and How Does It Work in Freshservice?
Single Sign-On is an authentication method that allows users to log in once with a single set of credentials and gain access to multiple applications. Instead of storing a separate username and password for each system, authentication is handled by a trusted Identity Provider (IdP) such as Okta, Azure Active Directory, or Google Workspace.
Which Identity Providers Does Freshservice Support?
Freshservice supports SSO through the SAML 2.0 (Security Assertion Markup Language) protocol, which is the industry standard for exchanging authentication data between an IdP and a Service Provider (SP). The following identity providers work natively with Freshservice:
| Identity Provider | Protocol | Key Benefit |
|---|---|---|
| Microsoft Azure AD | SAML 2.0 / OAuth | Deep Microsoft 365 integration |
| Okta | SAML 2.0 | Enterprise-grade access management |
| Google Workspace | SAML 2.0 / OAuth | Seamless Google ecosystem login |
| OneLogin | SAML 2.0 | Centralized identity management |
| PingFederate | SAML 2.0 | High-availability enterprise deployments |
| Custom SAML IdP | SAML 2.0 | Flexibility for in-house identity systems |
Additionally, Freshservice supports OAuth 2.0 for social login options such as Google and Microsoft. However, SAML 2.0 remains the recommended approach for enterprise deployments because it offers richer attribute mapping and better security control.
What Do You Need Before Setting Up SSO in Freshservice?
Before you dive into the configuration steps, make sure you have the following in place. Skipping any of these requirements will cause the setup to fail or behave unexpectedly.
- A Freshservice account with Admin or Account Admin privileges
- Access to your organization’s Identity Provider admin console (e.g., Azure AD, Okta)
- Your IdP’s SAML metadata file or the specific SSO URL, Entity ID, and X.509 certificate
- A test user account to validate the SSO flow before rolling it out to the entire organization
- DNS access if you plan to configure domain-based routing
It is also worth noting that Freshservice’s SSO configuration lives under the Admin panel, so you must have the right permissions before you start. If you are unsure about your access level, check with your Freshservice account owner first.
How Do You Configure SSO in Freshservice Step by Step?
Now that prerequisites are clear, let us walk through the complete setup process. Freshservice makes SSO configuration accessible through its Admin panel, and the steps below apply to SAML 2.0 — the most widely used protocol for enterprise SSO.
Step 1: How Do You Access the SSO Settings in Freshservice?
- Log in to your Freshservice account as an Admin.
- Click the Admin icon (gear icon) in the left sidebar.
- Scroll down to the Security section.
- Select Single Sign-On (SSO) from the menu.
Once you open the SSO page in Freshservice, you will see two main authentication options: the default Freshservice login and SSO login. You can enable SSO while keeping the default login active during the transition period — a smart move when rolling out SSO to avoid locking users out.
Step 2: How Do You Configure Your Identity Provider for Freshservice?
Before entering details in Freshservice, you need to register Freshservice as a Service Provider in your IdP. The exact steps vary by provider, but the key values you will need from Freshservice are:
| Freshservice Value | Where to Find It | Used In IdP As |
|---|---|---|
| Entity ID / Issuer | SSO settings page in Freshservice Admin | SP Entity ID or Audience URI |
| ACS URL | SSO settings page in Freshservice Admin | Reply URL / Assertion Consumer Service URL |
| Name ID Format | Usually Email Address | NameID Format setting in IdP |
After registering Freshservice in your IdP, your identity provider will generate a SAML metadata XML file or give you individual values: the SSO Login URL, the Logout URL, and the X.509 certificate. Download or copy these — you will need them in the next step.
Step 3: How Do You Enter SAML Details in Freshservice?
Back in the Freshservice SSO settings page, follow these steps to complete the configuration:
- Toggle the SAML SSO switch to Enabled.
- In the SAML Login URL field, enter the SSO Login URL from your IdP.
- In the SAML Logout URL field, enter the Logout URL (optional but recommended).
- Paste your IdP’s X.509 certificate into the Certificate field.
- Set the Name Identifier Format — typically Email Address for most organizations.
- Click Save to apply the settings.
At this point, Freshservice is technically configured for SSO. However, do not roll it out to all users yet — you still need to test it thoroughly with a pilot account.
Step 4: How Do You Test SSO Before Going Live in Freshservice?
Testing is the most critical phase of the setup, and unfortunately it is the one most administrators skip. Freshservice provides a test link directly on the SSO settings page. Use it with a dedicated test account to verify the following:
- The user is redirected to the IdP login page when accessing Freshservice.
- After authenticating with the IdP, the user lands on the correct Freshservice page.
- The user’s name, email, and role map correctly from the IdP attributes.
- Logout works as expected — the session ends cleanly on both sides.
If the test fails, Freshservice typically shows an error message with a code. The most common issue is a certificate mismatch or an incorrect ACS URL — double-check both before retrying.
How Do You Map User Attributes Between Your IdP and Freshservice?
Attribute mapping tells Freshservice how to interpret the data your IdP sends during authentication. Without correct mapping, users may log in successfully but end up with the wrong role or missing profile data.
Freshservice reads the following SAML attributes from your IdP:
| Freshservice Field | Required? | Typical IdP Attribute Name |
|---|---|---|
| Email Address | Yes | email / mail / user.email |
| First Name | Recommended | givenName / user.firstName |
| Last Name | Recommended | surname / user.lastName |
| Department | Optional | department / user.department |
| Phone | Optional | telephoneNumber / user.phone |
Most enterprise IdPs like Azure AD or Okta let you define custom attribute mappings in their application settings. Align these attribute names with what Freshservice expects, and the user profile will populate automatically on first login. This saves significant time compared to manually updating profiles after migration.
How Can You Enable Domain-Based SSO Routing in Freshservice?
Freshservice also supports domain-based routing, which means users who enter an email address on the Freshservice login page are automatically redirected to their organization’s IdP. This is particularly useful when Freshservice is shared across multiple teams or when you want a seamless, branded login experience.
To enable domain-based routing in Freshservice, navigate to the SSO settings and add your company email domain (for example, @yourcompany.com). Once saved, any user who enters an email matching that domain will be redirected directly to your IdP without seeing the Freshservice password field.
This approach also improves security because it prevents users from accidentally using weaker password-based logins, since the SSO redirect happens transparently before the password field even appears.
What Are the Most Common SSO Issues in Freshservice and How Do You Fix Them?
Even with careful setup, SSO can sometimes behave unexpectedly. Fortunately, most issues fall into a small number of categories, and each one has a clear resolution path.
| Issue | Likely Cause | How to Fix |
|---|---|---|
| SAML response invalid | Expired or mismatched certificate | Re-upload the X.509 certificate from your IdP |
| Redirect loop on login | Incorrect ACS URL | Verify the ACS URL matches exactly in both Freshservice and IdP |
| User logged in but wrong role | Attribute mapping error | Check role attribute mapping in IdP application settings |
| Users cannot log out | Logout URL not configured | Add the SAML Logout URL in Freshservice SSO settings |
| SSO works for some users, not others | Users not assigned in IdP | Assign the Freshservice app to all required users/groups in IdP |
If you encounter an issue not covered in the table above, Freshservice’s support documentation and community forums are excellent resources. Moreover, Freshservice provides detailed SAML debug logs that administrators can access to trace exactly where the authentication flow breaks down.
Conclusion: Why Is SSO Setup Worth the Investment in Freshservice?
Setting up Single Sign-On in Freshservice is a one-time configuration effort that pays dividends every single day. Your team logs in faster, your IT helpdesk handles fewer password reset requests, and your security posture improves because authentication follows a single, audited path through your identity provider.
Freshservice makes the SSO configuration accessible even for administrators who are new to SAML-based authentication. The step-by-step process — accessing SSO settings, registering Freshservice in your IdP, entering SAML details, mapping attributes, and testing — is logical and well-documented within the platform itself.
As your organization scales, having SSO in place also makes user provisioning and deprovisioning dramatically simpler. When an employee leaves, you deactivate their account in your IdP and they instantly lose access to Freshservice — no manual cleanup required. That level of control is exactly what modern IT teams need. If you are evaluating whether Freshservice is the right fit for your organization, explore the full capabilities of Freshservice ITSM Software to see how SSO fits into its broader security and workflow ecosystem.
Frequently Asked Questions
Yes, Freshservice’s mobile app supports SSO authentication. When users open the mobile app and enter their email, the app detects the configured SSO domain and redirects them to the IdP login page — exactly like the web experience. This means your mobile workforce benefits from the same streamlined, secure login without any additional configuration on the mobile side.
Not automatically. Freshservice lets you run both authentication methods simultaneously, which is useful during a phased rollout. Once you are confident that all users can log in via SSO without issues, you can disable the default password-based login in the SSO settings. Administrators typically retain an emergency bypass option, so make sure at least one admin account is tested thoroughly before locking down the default login entirely.
Yes, Freshservice supports SCIM (System for Cross-domain Identity Management) provisioning, which works alongside SSO to automate user lifecycle management. With SCIM enabled, your IdP can automatically create, update, and deactivate user accounts in Freshservice based on changes in your directory — such as new hires, role changes, or departures. This combination of SSO and SCIM gives IT teams full control over the identity lifecycle without any manual intervention in Freshservice.
