Let your team sign in
with the account they already have.

§ 00What SAML SSO is

SAML SSO connects EasyLiveChat to the identity provider your company already runs — Okta, Microsoft Entra, Google Workspace, or any other SAML 2.0 IdP. When an agent clicks the EasyLiveChat tile in their IdP dashboard (or visits a bookmark), they bounce to the IdP, sign in there with the password they already use for everything else, and land back on the EasyLiveChat inbox. No EasyLiveChat password is ever typed.

If you've ever clicked “Sign in with Google” on a website, you've used the consumer version of this pattern. SAML is the corporate equivalent — the website (us) trusts whatever the identity provider (your Okta / Microsoft / Google) says about who the user is.

EasyLiveChat never runs the identity provider. You bring your own. We provide the receiving end.

§ 01Plan availability

SAML SSO is an Enterprise feature. It also unlocks during the 14-day Free trial so you can evaluate the setup before deciding.

§ 02Values to give your IdP admin

These are the EasyLiveChat-side identifiers your IdP needs to know about. Replace <slug> with your workspace slug. The /settings/sso page surfaces all of them with copy buttons.

Most IdPs can also import an XML metadata document directly — the metadata URL is the same as the entity ID and returns the XML our backend builds.

§ 03Setting up Okta

These steps assume you have admin access to your Okta workspace. The Okta dev tier is free and works for evaluation.

1. Sign into the Okta admin panel → Applications → Create App Integration → SAML 2.0.
2. Name the app (e.g. “EasyLiveChat”) and click Next.
3. On the Configure SAML step, fill these fields from your EasyLiveChat /settings/sso page:
   • Single sign-on URL → the ACS URL we gave you.
   • Check “Use this for Recipient URL and Destination URL”.
   • Audience URI (SP Entity ID) → the entity ID we gave you.
   • Name ID format → EmailAddress.
   • Application username → Email.
   • Attribute Statements → add one row: email → user.email — Name format Basic.
4. Click Next → “I'm an Okta customer adding an internal app” → Finish.
5. On the new app's Sign On tab → “View SAML setup instructions”. Copy the IdP Single Sign-On URL, the IdP Issuer, and the X.509 Certificate (in PEM form, with BEGIN/END markers).
6. Assign the app to users whose emails match existing agents in your EasyLiveChat workspace (People → Assignments).

§ 04Setting up Microsoft Entra (Azure AD)

These steps assume you have a Global Administrator or Application Administrator role in Microsoft Entra.

1. Entra admin → Enterprise applications → New application → Create your own application → name it (e.g. “EasyLiveChat”) → Non-gallery app.
2. Open the new app → Single sign-on → SAML.
3. Basic SAML Configuration → set Identifier (Entity ID) and Reply URL (ACS) to the values from your EasyLiveChat /settings/sso page.
4. Attributes & Claims → make sure there's a claim that carries the user's email. Either rely on the default emailaddress claim and paste its URI into EasyLiveChat's “Email claim” field, or add a new claim called email with value user.mail.
5. SAML Signing Certificate → download the “Certificate (Base64)” .cer file. Open it in a text editor and copy the full PEM content (including BEGIN/END markers) into EasyLiveChat's signing-certificate field.
6. Under “Set up <app name>”, copy the Login URL (→ IdP entry URL in EasyLiveChat) and the Microsoft Entra Identifier (→ IdP issuer). Assign users via Users and groups.

§ 05Setting up Google Workspace

These steps assume you're a Workspace Super Admin.

1. Google admin → Apps → Web and mobile apps → Add app → Add custom SAML app. Give it a name like “EasyLiveChat”.
2. On the IdP details step, download the X.509 certificate and copy the SSO URL and Entity ID.
3. On the Service provider details step, paste in the ACS URL and Entity ID from your EasyLiveChat /settings/sso page. Set Name ID format to EMAIL and Name ID to Basic Information > Primary email.
4. Attribute mapping → map Primary email → app attribute email.
5. Finish, then turn the app ON for the org unit whose users should be able to sign in. Save the cert + URLs in EasyLiveChat.

§ 06Configure in EasyLiveChat

Open https://app.livechattools.com/settings/sso. and paste the four values you just collected from your IdP:

• IdP entry URL — The single sign-on URL the IdP gave you (e.g. https://yourcompany.okta.com/app/exk.../sso/saml).
• IdP issuer — The IdP's entity identifier (sometimes called Issuer URL or Entity ID on the IdP side).
• IdP signing certificate (PEM) — Paste the X.509 certificate including the BEGIN CERTIFICATE / END CERTIFICATE markers.
• Email claim (optional) — Leave blank to use the NameID. Paste a claim URI if your IdP sends the email under a specific attribute name.

Click Save. The status badge flips to CONFIGURED and the SP-initiated login URL appears at the bottom of the page.

§ 07How agents sign in

Two paths — both end at the same place (your inbox), authenticated with a fresh session token.

• SP-initiated — Send agents to https://api.livechattools.com/api/saml/<slug>/login. This bookmark-friendly URL bounces them to your IdP and back.
• IdP-initiated — Agents click the EasyLiveChat tile from their IdP's app dashboard (Okta dashboard, Microsoft 365 app launcher, Google Workspace app launcher). They land directly on the EasyLiveChat inbox.

§ 08Agent matching

EasyLiveChat matches the SAML user to an existing Agent row by email — the user the IdP authenticates must already exist as an agent in your workspace. We don't auto-create agents on first SSO login (no “just-in-time” provisioning yet) so that SSO doesn't sidestep your team's invite governance.

If the SAML user has no matching agent, the callback redirects back to the EasyLiveChat login page with reason=agent_not_found. Invite the user through Settings → Team with the exact email the IdP sends, then retry.

§ 09Troubleshooting

If a login fails, EasyLiveChat redirects to /login?saml_error=1&reason=<code>. The code tells you what went wrong: