Integrating with SAML2 Single Sign-On
Customers using SAML 2.0-enabled versions of Microsoft Entra ID and Google Workspace can provide their ChurchSuite users with a Single Sign-On (SSO) experience, allowing them to access ChurchSuite using their existing Entra ID or Google credentials. Email support@churchsuite.com to request the SAML2 integration be enabled on your ChurchSuite account, and then follow the instructions in this article to complete the integration process.
In this article
Introduction and intended functionality
Completing the Microsoft SAML2 integration
Enabling SSO for ChurchSuite users
Introduction and intended functionality
Organisations using SAML2-enabled versions of Microsoft Entra ID and Google Workspace can provide their ChurchSuite users with a secure Single Sign-On (SSO) experience, allowing them to log in to ChurchSuite using their existing Entra ID or Google credentials.
Changes made to SAML2 service user permissions do not apply to ChurchSuite. Your ChurchSuite account has its own administrator-managed user permissions for modules and sites, which are managed on a user-by-user basis within ChurchSuite. Similarly, the distinction between Administrators and Users in ChurchSuite is unrelated to the level of service user permissions set within Microsoft Entra ID or Google Workspace. However, when a service user's access is revoked in a SAML 2 service, that SSO-enabled user will no longer be able to access ChurchSuite; nevertheless, you may want to archive (or, with caution, delete) their ChurchSuite user profile as a separate task. See our related support article on Adding and managing users for further information.
When SAML2 SSO is enabled for a ChurchSuite user, their username and password are disabled to prevent use. Additionally, the ChurchSuite password change/reset workflows and multi-factor authentication are disabled and bypassed for that user. An SSO-enabled user is also prevented from changing their ChurchSuite user email address.
SAML2 SSO can only be disabled in ChurchSuite by an Administrator. Resetting the SAML2 integration will disable SSO for all users. When SAML2 SSO is disabled, a user's previous ChurchSuite username and password are reactivated. A password reset request can be sent to encourage users to secure their user account with a new password and enable multi-factor authentication.
Completing the SAML2 integration
Completion of the SAML2 integration assumes familiarity with the advanced configuration settings of your SAML2 service.
From the Integrations section of your Account Settings, click SAML2:
Click Edit.
On the Edit pop-up, select the SAML Service. The other settings will change to reflect the selected Service. Rather than manually populating responses into the integration fields, you can optionally upload a metadata XML file that will automatically populate the form. This method is recommended and minimises the risk of mistakes, which will lead to the integration failing.
If you choose Microsoft Entra ID...
Enter the Entra Identifier, Login URL and Certificate application details:
Next, copy the Reply URL and Entity Identifier details back into your Microsoft Entra ID SAML configuration section. Click Save.
If you choose Google...
Enter the Entity ID, SSO URL and Certificate application details:
Next, copy the ACS URL and Entity ID details back into your Google Workspace SAML configuration section and click Save.
Next...
Once the integration settings are correctly configured, you can begin enabling SAML2 SSO for your ChurchSuite users, as explained in the next section.
Enabling SSO for ChurchSuite users
From a user profile:
Working within the Users section of your Account Settings, select Enable SAML2 SSO from a user's profile.
You must verify that the user's email address matches an active SAML2 service user; otherwise, they will be unable to log in to ChurchSuite. Once you are happy, tick the confirmation checkbox and click Save.
The user profile updates to show that Single sign-on is active. Note the option to Disable SAML2 SSO.
From the Users list:
Using the bulk Actions, you can enable and disable SAML2 SSO for multiple selected users within the Users section of your Account Settings.
First, ensure that each selected user's email address matches an active SAML2 service user's email address; otherwise, users will be unable to access ChurchSuite. Once you are happy, tick the confirmation checkbox and click Save to apply the changes to the selected users.
An icon in the Users section distinguishes SSO-enabled users:
The Advanced Search can be used to filter and see just those users with SSO enabled or disabled:
Once SSO is enabled for a ChurchSuite user, any previously set ChurchSuite username and user password are disabled to prevent use. An 'SSO Enabled' notification is sent to the user, shown in the user's communication log, and a user change log is added. An SSO-enabled user is prevented from changing their user email address. Additionally, the ChurchSuite password change/reset actions and multi-factor authentication functionality are disabled and bypassed for that user.
When an SSO-enabled user next logs in, they can access ChurchSuite by clicking Continue with Microsoft Entra ID or Continue with Google:
Disabling SSO
SSO can only be disabled for a user by a ChurchSuite Administrator. Resetting the SAML2 integration will disable SSO for all users. When SSO is disabled, a "SSO Disabled" notification is sent to the user, displayed in the user's communication log, and a user change log entry is added. The previous ChurchSuite username, user password and password change/reset actions are reactivated for that user. When disabling SSO, a password reset request can be optionally sent to encourage users to secure their ChurchSuite login with a new password and enable multi-factor authentication.