SSO and DS login methods are available on the Nutshell Sales Enterprise plan. At least 5 licenses are required to set up SSO and at least 10 licenses are required to set up DS.
If you’re an Enterprise customer, Nutshell’s single sign-on (SSO) and directory sync (DS) options can help your team log in faster—and give your IT team more control over account access. Instead of creating separate Nutshell passwords for each teammate, your company can manage login access from a single identity provider or directory service.
SSO uses the SAML 2.0 protocol and requires some technical setup, so your IT team may need to get involved. Once it’s configured, your team will be able to log in to Nutshell using their existing company credentials. With DS configured, your company can use its directory service to manage users and enforce data access.
Setting up SSO in Nutshell
Only admin users in Nutshell can set up single sign-on, and they should also have admin access to their organization’s identity provider. Your company must also have a custom domain name configured to set up SSO.
Head to Settings > Security
Scroll to the Single sign-on section
Click Configure
Choose your identity provider
Once you click Configure, you’ll be prompted to select your identity provider from a list of supported options. Nutshell supports several major platforms, including:
Okta
Entra ID (Azure AD)
Google Workspace
And more
After you choose your provider, follow the step-by-step instructions provided to complete your setup. The exact steps differ between identity providers, but some common setup steps include:
Creating a new application within your identity provider to represent Nutshell
Linking your identity provider
Configuring the users you want to utilize SSO
Domain verification with your domain provider
The last step is to do a test login, which is necessary to ensure everything is configured correctly inside Nutshell. Once SSO is configured, you’ll see a full SSO section on the security page.
Logging in with SSO
Once you’ve configured SSO for your team, any users who attempt to log in will be prompted to do so using SSO and blocked from using other methods. If the user is exempt or SSO is not required, they can proceed with entering their password.
Disabling SSO
If your organization would like to disable SSO, an admin user who is exempt from SSO can do so from the security page’s Single sign-on section. If directory sync is also enabled for your company, you must disable it before disabling SSO. Note that if you disable SSO and wish to set it up again, you must repeat the entire setup process.
Setting up DS in Nutshell
To set up DS, you must already have SSO configured.
Head to Settings > Security
Scroll to the Directory sync settings section
Click Configure
You can then link your external directory to Nutshell. You’ll also see an admin portal like the one used for SSO that will guide you through the linking process and eventually prompt a test login, which is critical for ensuring DS configuration in Nutshell.
Syncing your data in Nutshell
With DS set up, there are a few ways to sync data in Nutshell. Data will automatically sync once setup is complete and every 15 minutes afterward. You can also sync manually from the Directory sync settings section of the security page. Changes to external directories will be processed as soon as Nutshell has access to them, typically after a few minutes.
Understanding user management
Nutshell users can either be Nutshell-managed or Directory sync-managed. Directory sync managed users have a few restrictions that regular Nutshell managed users do not. These restrictions include:
Admins cannot remove Directory sync managed users directly from Nutshell—they must do so from the synced directory.
With DS configured, the users table in Settings will filter users by who is managing them. A new Unmanaged users section will show users who are not managed by an external directory.
When new users are created via DS, they will initially have an unlicensed status. Unlicensed users must be assigned a license within Nutshell before they can log in.
Updates to a user’s first name, last name, or email within the external directory will show up in Nutshell. Emails will never be removed, only added.
Directory sync managed users will receive updates when their external directory user is changed.
If a user is deleted from an external directory, the user will be marked as Nutshell-managed and lose their Nutshell licenses.
Disabling DS
Directory sync can be disabled by an admin at any time via the Directory sync section on the security page. Upon disabling DS, any Directory sync managed users will revert to Nutshell managed users, and full control of their management will return to the account. If the external directory is deleted, DS will automatically be disabled.
FAQs
Do all my team members have to use SSO once configured?
When setting up SSO, your organization can choose to make some users exempt. These users will be able to log into Nutshell using any valid method they choose. Nutshell requires that at least one admin be exempt from SSO at all times, to prevent situations where no one is able to sign in. The last exempt admin cannot be deleted, have its licenses removed, or have its role changed.
Are SSO and DS supported in the Nutshell mobile apps?
To support your company’s security goals, we’ve updated the Nutshell iOS and Android mobile apps to support SSO logins. Now when SSO-configured users open their Nutshell mobile app, they’ll be prompted to log in using SSO.