
Which Intercom plan do we need for SSO/identity management, and how do we enable it for our agents?
Most teams ask about SSO and identity management at exactly the right time—right when support is scaling and governance starts to matter as much as speed. In Intercom, you don’t have to choose between tight login controls and a fast-moving support org, but different capabilities do sit on different plans.
Quick Answer: All Intercom plans support core identity protections like workspace-level 2FA and Google Sign-In. Full SAML SSO with an identity provider (Okta, Azure AD, OneLogin, etc.) is available on Enterprise plans only and is the recommended way to standardize logins for all agents.
The Quick Overview
- What It Is: Intercom offers multiple identity and access options—standard email/password, Two-Factor Authentication (2FA), Google Sign-In, and SAML Single Sign-On (SSO)—plus login monitoring and alerts.
- Who It Is For: Support and security leaders who need to protect customer data, enforce consistent login policies for agents, and integrate Intercom with an existing identity provider.
- Core Problem Solved: Preventing account compromise and inconsistent access as your team grows—so agents can move fast while security teams keep centralized control over who can access the Intercom workspace.
How It Works
Identity management in Intercom is layered. Every workspace gets built-in protections (2FA, Google Sign-In, login protection). On Enterprise, you can integrate Intercom with your Identity Provider (IdP) using SAML SSO, plus SCIM for automated provisioning.
At a high level:
- Baseline protections for every plan: You can enable 2FA and Google Sign-In, and Intercom continuously monitors login activity to automatically protect teammate accounts when something looks suspicious.
- SAML SSO on Enterprise plans: You connect Intercom to your IdP (Okta, Azure AD, OneLogin, Google Workspace, etc.), verify your domain, configure SAML, and optionally require SSO for all teammates so they must log in via your IdP.
- Centralized governance for agents: With SAML SSO (and SCIM, if you enable it), identity and access are driven from your IdP—so onboarding/offboarding, group-based role assignment, and certificate rotation all become standard identity operations instead of one-off admin tasks.
Features & Benefits Breakdown
| Core Feature | What It Does | Primary Benefit |
|---|---|---|
| Two-Factor Authentication (2FA) | Adds a second verification step on login for individual accounts and can be enforced at the workspace level. | Reduces account takeover risk—so you can safely let more agents access sensitive customer data. |
| Google Sign-In | Lets teammates authenticate to Intercom using their Google Workspace account. | Simplifies login and centralizes credential management—so agents have fewer passwords and security teams have fewer gaps. |
| SAML SSO (Enterprise) | Integrates Intercom with your IdP (Okta, Azure AD, OneLogin, etc.), with options to require SSO for all teammates. | Brings Intercom under your existing identity and access policies—so security, compliance, and support can all use one system of record for logins. |
Ideal Use Cases
- Best for growing teams on any plan: Because you can enable 2FA and Google Sign-In for all agents with minimal setup and immediately harden access without changing workflows.
- Best for security-conscious or enterprise organizations: Because Enterprise SAML SSO and SCIM let you enforce IdP-only login, JIT provisioning, and group-based access controls—so Intercom fits cleanly into your existing identity stack.
Limitations & Considerations
- SAML SSO is Enterprise-only: If your security policy mandates SAML SSO for all tools, you’ll need an Intercom Enterprise plan. On other plans, you can still enforce strong security with 2FA and Google Sign-In, but not full IdP-controlled SSO.
- Admin permissions required for setup: To configure SAML SSO and other security settings in Intercom, a teammate must have the “Can manage general and security settings” permission. You’ll also need admin or security permissions in your Identity Provider to upload certificates and configure the SAML app.
Pricing & Plans
Intercom doesn’t sell identity management as a separate add-on—these capabilities are included based on your plan level:
- All Plans:
  - Two-Factor Authentication (2FA) for individual accounts.
  - Workspace-level 2FA enforcement for all teammates.
  - Google Sign-In.
  - Continuous login monitoring and automatic protection for suspicious activity.
- Enterprise Plans Only:
  - SAML Single Sign-On (SSO) integration with IdPs like Okta, Azure AD, OneLogin, Google Workspace, and others.
  - Just-in-Time (JIT) provisioning and SCIM support for centralized user lifecycle management.
  - The ability to require SAML SSO for all teammates, making IdP login the single path into Intercom.
In practice:
- Standard / non-Enterprise: Best for support teams that want strong security controls with minimal overhead—enforce 2FA, prefer Google Sign-In, and use Intercom’s login protection and notifications.
- Enterprise: Best for organizations that must bring Intercom into their identity governance program—centralized SAML SSO, SCIM provisioning, and compliance-grade access management.
How to Enable Identity Management for Your Agents
Below is the step-by-step approach I’d use when rolling this out as an operator.
1. Enable and Enforce 2FA (All Plans)
Step 1 – Ask agents to enable 2FA individually
Each teammate can turn on 2FA for their own account:
- Log in to Intercom.
- Go to Profile (top-right avatar) > Settings.
- Find the Security section.
- Enable Two-Factor Authentication (2FA) and follow the on-screen instructions (e.g., set up an authenticator app).
Step 2 – Enforce 2FA at the workspace level
To require 2FA for all teammates:
- Log in as an admin with the “Can manage general and security settings” permission.
- Go to Settings > Security.
- In the Two-Factor Authentication section, enable workspace-level enforcement.
- Save changes.
Important: When you enforce 2FA, teammates without 2FA will be prompted to set it up on next login. Communicate this change to avoid lockouts.
2. Enable Google Sign-In (All Plans)
If your org uses Google Workspace, standardize on Google Sign-In first:
- From Intercom, go to Settings > Security.
- Locate Google Sign-In.
- Enable the option to allow (or require) sign-in with Google.
- Instruct teammates to choose “Continue with Google” when logging in.
This immediately reduces password sprawl while you plan a possible SAML rollout.
3. Configure SAML SSO with Your Identity Provider (Enterprise Only)
SAML SSO is the most secure and scalable way to control agent access to Intercom.
Prerequisites
- You’re on an Enterprise Intercom plan.
- In your IdP (Okta, Azure AD, OneLogin, Google Workspace, etc.), you have admin or security permissions.
- In Intercom, your account has “Can manage general and security settings”.
Step 1 – Start SAML setup in Intercom
- In Intercom, go to Settings > Security.
- Find the SAML SSO section.
- Click Set up SAML SSO (or similar).
Intercom will display the values you’ll need in your IdP (e.g., ACS URL, Entity ID, and the SP certificate).
Step 2 – Create / configure an app in your IdP
In your Identity Provider:
- Create a new SAML application for Intercom (e.g., “Intercom SAML SSO”).
- Paste in the ACS URL and Entity ID from Intercom.
- Upload Intercom’s Service Provider (SP) certificate.
- Configure attribute mappings as recommended (typically including email as the NameID).
Important: Intercom is updating its SP certificate for SAML SSO. You must upload the new certificate to your IdP before December 12, 2026, or SSO access may be interrupted. Follow your IdP’s documentation for certificate rotation.
Step 3 – Verify DNS domain ownership
To ensure only your org can use SAML for your domain:
- In Intercom’s SAML settings, follow the instructions to verify your email domain (e.g., by adding a DNS record).
- Wait for verification to complete (propagation time depends on your DNS provider).
Step 4 – Test SAML SSO with a pilot group
Before enforcing SSO:
- Assign the Intercom SAML app to a small set of test users in your IdP.
- Ask them to log out of Intercom and then sign in using the SAML option.
- Confirm:
  - Login is successful.
  - Appropriate roles and access are applied.
  - Any SCIM/JIT provisioning behaves as expected.
Note: Keep at least one break-glass admin account that can still access Intercom in case your IdP configuration breaks and you need to troubleshoot.
Step 5 – Require SAML SSO for all teammates (optional but recommended)
Once you’re confident SAML SSO works:
- In Intercom, return to Settings > Security > SAML SSO.
- Enable the option to require SAML SSO for all teammates.
- Save changes.
From this point, your agents will log in via your IdP, and you’ll manage access by adding or removing them from the Intercom app in your IdP.
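A pre-enforcement check for Steps 4 and 5, as an added example that is not Intercom's or any IdP's own tooling: it compares a teammate list against the users assigned to the SAML app and flags who would lose access once SSO is required. The CSV layouts, column names, addresses and the `sso_readiness` / `ready_to_enforce` helpers are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a real export format.
INTERCOM_TEAMMATES_CSV = """email,role
alice@example.com,admin
Bob@Example.com,agent
carol@example.com,agent
dave@contractor.example.net,agent
breakglass@example.com,admin
"""
IDP_ASSIGNMENTS_CSV = """email
alice@example.com
bob@example.com
erin@example.com
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def sso_readiness(teammates_csv, idp_csv, verified_domain, break_glass):
    """Report who is affected if SAML SSO were required today."""
    teammates = {r["email"].strip().lower(): r["role"].strip().lower()
                 for r in _rows(teammates_csv)}
    assigned = {r["email"].strip().lower() for r in _rows(idp_csv)}
    break_glass = break_glass.strip().lower()
    suffix = "@" + verified_domain.lower()
    return {
        # Teammates not assigned to the SAML app have no IdP path into the workspace.
        "not_assigned_in_idp": sorted(e for e in teammates
                                      if e not in assigned and e != break_glass),
        # Addresses outside the verified domain: review before enforcing (assumption).
        "outside_verified_domain": sorted(e for e in teammates if not e.endswith(suffix)),
        # Assigned in the IdP but not yet a teammate: confirm JIT/SCIM should create them.
        "assigned_without_teammate": sorted(assigned - set(teammates)),
        # The designated break-glass account must exist and hold an admin role.
        "break_glass_is_admin": teammates.get(break_glass) == "admin",
    }

def ready_to_enforce(report):
    return (not report["not_assigned_in_idp"]
            and not report["outside_verified_domain"]
            and report["break_glass_is_admin"])

if __name__ == "__main__":
    report = sso_readiness(INTERCOM_TEAMMATES_CSV, IDP_ASSIGNMENTS_CSV,
                           "example.com", "breakglass@example.com")
    print(report, "ready:", ready_to_enforce(report))
```

Email comparison is case-insensitive here because IdP and application exports often differ in casing; the break-glass account is excluded from the assignment check since it is meant to work when the IdP does not.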
4. Monitor Login Activity and Notifications
Intercom continuously monitors login activity and automatically protects teammate accounts when suspicious behavior is detected (for example, unusual locations or failed attempts).
As an admin:
- Encourage teammates to follow instructions in any security or login alerts they receive.
- Periodically review security-related settings and any notifications about login protection.
If agents are locked out due to 2FA or SSO issues, you can:
- Help them troubleshoot 2FA delivery issues.
- Confirm their status and group membership in your IdP.
- Temporarily relax SSO enforcement (if needed and acceptable to your security policy) while diagnosing IdP configuration issues.
Frequently Asked Questions
Which Intercom plan do we need for SSO/identity management?
Short Answer: Every Intercom plan supports 2FA and Google Sign-In; full SAML SSO with an identity provider is available on Enterprise plans only.
Details: If your policy simply requires strong authentication, you can enable 2FA and prefer Google Sign-In on any plan. If your policy requires centralized SSO through an IdP like Okta or Azure AD—where access is managed entirely from that system and SSO is mandatory—you’ll need an Enterprise plan to use Intercom’s SAML SSO and SCIM capabilities.
How do we enforce that all agents use SSO instead of passwords?
Short Answer: Enable and test SAML SSO on an Enterprise plan, then turn on the option to require SAML SSO for all teammates in Settings > Security.
Details: After you set up SAML SSO with your IdP (including domain verification and certificate configuration), Intercom lets you flip from “available SSO” to “required SSO.” Once enabled, teammates must log in via your IdP. You’ll manage access by assigning or removing users from the Intercom app in your IdP, and you can pair this with SCIM to automate provisioning and deprovisioning as people join, move teams, or leave the company.
Summary
If you’re asking which Intercom plan you need for SSO and identity management, the decision splits cleanly:
- Any plan gives you strong built-in controls—2FA, Google Sign-In, and continuous login protection.
- Enterprise adds SAML SSO and SCIM so Intercom becomes just another well-governed app in your identity stack, controlled entirely from your IdP.
Configured well, you get a secure, compliant front door to the same AI-powered Helpdesk and Fin-driven support your agents use every day—so security teams can tighten controls while support teams stay fast.