Which Intercom plan do we need for SSO/identity management, and how do we enable it for our agents?

Most teams hit the same question once security gets involved: what Intercom plan do we need for SSO and identity management, and how do we actually turn it on for all our agents without breaking access? The good news is that Intercom gives you multiple layers—2FA, Google Sign-In, and full SAML SSO on Enterprise—so you can match your security posture without a long implementation.

Quick Answer: You can enforce strong login security on any Intercom plan using workspace-level 2FA and Google Sign-In. If you want full SAML SSO with an identity provider like Okta, Azure AD, or OneLogin (plus SCIM and JIT provisioning), you’ll need an Enterprise plan, then configure SSO under Security settings and roll it out to all agents.


The Quick Overview

  • What It Is: Intercom’s identity and login security stack—2FA, Google Sign-In, and SAML SSO—that controls how your agents sign in, how access is governed, and how quickly you can onboard and offboard teammates.
  • Who It Is For: Support, IT, and security leaders who need to keep their Intercom Helpdesk locked down, enforce company-wide authentication standards, and simplify agent access as the team scales.
  • Core Problem Solved: Legacy support tools often sit outside your identity perimeter, so logins are inconsistent and risky. Intercom’s SSO and identity management close that gap—so agents authenticate through your IdP and you retain centralized control.

How It Works

Intercom layers identity and SSO controls on top of your existing workspace, then delegates authentication to your chosen provider where needed. You decide how strict you want to be—start with 2FA, add Google Sign-In, or go all‑in with SAML SSO on Enterprise and manage everything from your IdP.

Here’s the high-level flow:

  1. Baseline Security (All Plans):
    Enable 2FA and optionally Google Sign-In so every agent has a stronger, phishing‑resilient login—no plan upgrade required.

  2. Enterprise SSO & Provisioning:
    On Enterprise, connect Intercom to your identity provider using SAML SSO. Optionally enable Just‑in‑Time (JIT) provisioning and SCIM so new agents are automatically created and assigned roles when they’re added to the right IdP group.

  3. Enforcement & Monitoring:
    Decide whether SAML SSO is required for everyone or offered alongside password/Google logins. Intercom continuously monitors login activity and applies automatic protections if it detects suspicious access, while your IdP keeps central control over who can get in at all.


Features & Benefits Breakdown

| Core Feature | What It Does | Primary Benefit |
| --- | --- | --- |
| Two-Factor Authentication (2FA) | Adds a second verification step (e.g. code) to agent logins. Available on all plans. | Reduces account‑takeover risk with minimal setup—so you can harden access in minutes, not weeks. |
| Google Sign-In | Lets teammates log in to Intercom using their Google Workspace account. | Aligns Intercom with existing Google-based SSO patterns—so agents use fewer passwords and IT has one less system to manage. |
| SAML SSO (Enterprise) | Connects Intercom to an identity provider (Okta, Azure AD, OneLogin, Google Workspace SAML, etc.) and supports JIT + SCIM. | Brings Intercom fully under your centralized identity policy—so onboarding, offboarding, and access reviews stay in your IdP instead of being managed manually. |

Ideal Use Cases

  • Best for fast‑growing teams standardizing on stronger authentication:
    Because 2FA and Google Sign-In are available on all plans, you can immediately enforce better login hygiene and reduce credential risk without changing your pricing tier.

  • Best for security‑sensitive or enterprise environments:
    Because SAML SSO on Enterprise lets you integrate Okta, Azure AD, or OneLogin with Intercom—complete with JIT and SCIM—you can treat your Helpdesk like any other critical system and run access control centrally.


Limitations & Considerations

  • SAML SSO is Enterprise‑only:
    If you need IdP-controlled login (Okta, Azure AD, etc.) and SCIM, you’ll need to be on an Enterprise plan. On other plans, rely on 2FA and Google Sign-In for stronger security.

  • Configuration requires the right admin permissions:
    You’ll need:

    • Admin/security permissions in your IdP to create the Intercom SAML app and manage certificates.
    • The Intercom permission “Can manage general and security settings” to access Settings > Security and configure SSO.
      Plan that ahead so your security lead and workspace admin can work together without blockers.

Pricing & Plans

Identity features map to Intercom plans like this:

  • All Intercom plans:

    • Workspace‑level 2FA management.
    • Google Sign-In for teammates.
    • Login protection and suspicious‑activity monitoring from Intercom.
  • Enterprise plans only:

    • SAML SSO with your identity provider (Okta, Azure AD, OneLogin, Google Workspace, etc.).
    • Just‑in‑Time (JIT) provisioning so users can be created at first login based on IdP assertions.
    • SCIM for lifecycle management—automated user provisioning and deprovisioning, and role assignment via SCIM groups.

If you’re unsure whether you’re on Enterprise, check with your Intercom account owner or your Intercom sales contact—they can confirm plan level and help you scope an upgrade if SAML SSO is a requirement.

  • Growth/Standard/Non‑Enterprise: Best for teams needing secure logins via 2FA and Google Sign-In without full IdP integration.
  • Enterprise: Best for organizations that require SAML SSO, SCIM provisioning, and policy‑driven identity control from Okta, Azure AD, OneLogin, or similar.

How to Enable Identity Management & SSO in Intercom

From experience, the cleanest rollout is staged: lock down basics first, then layer SAML SSO once you’re on Enterprise and your IdP config is ready.

1. Enable and Enforce 2FA (All Plans)

2FA is the fastest “security per minute of effort” change you can make.

  1. In Intercom, go to Settings > Security.
  2. Turn on workspace-level 2FA enforcement if you want to require 2FA for all teammates.
  3. Share instructions for teammates to enable 2FA on their own accounts:
    • Open the profile menu in Intercom.
    • Go to Security or Two-Factor Authentication.
    • Follow the steps to pair an authenticator app and verify a code.

Note: Keep a short runbook for helping teammates who lose their 2FA device—Intercom has documented steps for resolving verification‑code issues and recovering access.

2. Turn On Google Sign-In (All Plans, Optional)

If your company lives in Google Workspace, make Google Sign-In your default to reduce password reuse.

  1. Go to Settings > Security in your Intercom workspace.
  2. Locate Google Sign-In and enable it.
  3. Communicate to your agents:
    • They can now log in via the “Sign in with Google” option using their work account.
    • If you’re enforcing a standard (e.g. “Use Google, not email + password”), include it in your internal policy.

3. Configure SAML SSO on Enterprise

Once you’re on an Enterprise plan and ready to integrate with your IdP:

Step 3.1 – Prepare Your Identity Provider

In your IdP (Okta, Azure AD, OneLogin, Google Workspace SAML, etc.):

  1. Create a new SAML application for Intercom.
  2. Follow Intercom’s SAML setup documentation for the exact:
    • Entity ID / Audience URI
    • ACS (Assertion Consumer Service) / Reply URL
    • NameID format (usually email)
  3. Assign the appropriate user group(s) that should access Intercom (e.g. Customer Support, CS Leadership).

You’ll need admin or security permissions in the IdP to do this.

Step 3.2 – Configure SAML SSO in Intercom

In Intercom:

  1. Make sure your user has the permission “Can manage general and security settings.”
  2. Go to Settings > Security.
  3. Find the SAML SSO section and start setup.
  4. Paste in the IdP details:
    • IdP SSO URL
    • IdP Entity ID
    • X.509 certificate (public cert from your IdP)
  5. Save your changes.

Important: Intercom periodically updates its Service Provider (SP) certificate for SAML SSO. Before the published cutoff date (e.g. December 12, 2026, for the current update), you must upload the new cert to your IdP to avoid login failures.

Step 3.3 – Test SSO Before Enforcing

Treat SSO like a production rollout:

  1. In your IdP, assign just a few test users to the Intercom SAML app.
  2. In an incognito/private window, try signing in to Intercom using SSO.
  3. Validate:
    • Users land in the correct Intercom workspace.
    • Their email matches existing accounts (or JIT creates them as expected).
    • Role mapping behaves as you intend (if you’re using SCIM groups).

Keep at least one non‑SSO admin account available until you’re fully confident in the configuration.

Step 3.4 – Decide on Enforcement Mode

You can either:

  • Require SAML SSO for all teammates:
    The most secure and simple option; users must log in via the IdP. This is recommended if you’re standardizing access across all tools.

  • Offer SSO as one of multiple options:
    Useful during transition; agents can still use conventional login while you migrate everyone to the IdP.

To set this:

  1. In Settings > Security > SAML SSO, choose whether to require SSO or allow other sign-in options.
  2. Once you’re confident all agents are assigned in your IdP, switch to “require” for full enforcement.
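
Before switching to "require", the claim that all agents are assigned in the IdP can be checked mechanically. The following is an added example, not part of Intercom's product or documentation: it compares a teammate list with an IdP assignment list, however you obtain them. The CSV column names, role names, sample rows and function name are all constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and roles are assumptions.
TEAMMATES_CSV = """email,role
Ana.Silva@example.com,agent
ben@example.com,agent
carol@example.com,admin
erin@example.io,agent
breakglass@example.com,owner
"""
IDP_ASSIGNED_CSV = """email,group
ana.silva@example.com,Customer Support
ben@example.com ,Customer Support
erin@example.com,Customer Support
dave@example.com,CS Leadership
"""

def _rows(text):
    # Normalise case and stray whitespace so cosmetic differences do not count.
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def sso_readiness(teammates_csv, idp_csv, break_glass):
    """Compare Intercom teammates with IdP assignments before requiring SAML SSO."""
    teammates, assigned = _rows(teammates_csv), _rows(idp_csv)
    keep = {e.strip().lower() for e in break_glass}
    unassigned = set(teammates) - set(assigned) - keep
    new_in_idp = set(assigned) - set(teammates)
    # Same local part, different domain: the IdP email will not match the existing
    # teammate, so with JIT enabled a new account may be created instead.
    mismatched = sorted((t, i) for t in unassigned for i in new_in_idp
                        if t.split("@")[0] == i.split("@")[0])
    # Break-glass accounts must exist and hold an admin-level role (assumed names).
    bad_break_glass = sorted(e for e in keep
                             if teammates.get(e, {}).get("role") not in ("admin", "owner"))
    return {
        "locked_out": sorted(unassigned),
        "jit_will_create": sorted(new_in_idp),
        "email_mismatch": mismatched,
        "break_glass_problems": bad_break_glass,
        "ready": bool(keep) and not unassigned and not bad_break_glass,
    }

if __name__ == "__main__":
    report = sso_readiness(TEAMMATES_CSV, IDP_ASSIGNED_CSV, ["breakglass@example.com"])
    for key, value in report.items():
        print(f"{key}: {value}")
```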

Step 3.5 – Enable SCIM and JIT (Enterprise)

To automate user lifecycle:

  • JIT (Just‑in‑Time) provisioning:
    When a user logs in via SAML for the first time and meets your IdP criteria, Intercom can create their teammate account automatically.

  • SCIM:
    Lets your IdP:

    • Create and deactivate teammates in Intercom when they join/leave your org.
    • Assign roles via SCIM groups so permissions match your security model.

Follow Intercom’s SCIM provisioning guide to:

  1. Enable SCIM in Settings > Security (or Settings > Identity depending on your workspace UI).
  2. Generate and copy the SCIM token/endpoint for your IdP.
  3. Configure the Intercom SCIM app on your IdP side and test provisioning/deprovisioning with a small group.

Frequently Asked Questions

Do we need Enterprise to get any kind of SSO or strong authentication?

Short Answer: You only need Enterprise for full SAML SSO and SCIM; strong authentication (2FA and Google Sign-In) is available on every plan.

Details:
Every Intercom plan includes:

  • Workspace‑level 2FA enforcement for teammates.
  • Google Sign-In integration so users can authenticate with their Google Workspace account.
  • Continuous login monitoring and protection from Intercom.

If your security requirement is “we must log in via Okta/Azure AD/OneLogin only,” that’s where Enterprise with SAML SSO becomes mandatory. That’s also the tier where you get SCIM and JIT provisioning for centralized user lifecycle management.


How do we roll out SAML SSO to agents without locking anyone out?

Short Answer: Configure and test SSO with a small group first, keep a non‑SSO admin as a break-glass account, then flip enforcement to “require SAML SSO” once you’ve validated the flow.

Details:
A safe rollout usually looks like this:

  1. Prepare IdP + Intercom configs but don’t enforce SSO yet.
  2. Assign a pilot group of support agents in your IdP and have them log in via SSO. Confirm they land in the right workspace and have the right permissions.
  3. Keep at least one workspace owner/admin with password + 2FA access in case SSO misconfiguration locks out the broader team.
  4. Communicate the cutover date and instructions to all agents (which login URL to use, what to expect on first login).
  5. Once everyone is assigned in your IdP and your tests are clean, go to Settings > Security > SAML SSO and switch to requiring SSO for all teammates.

If something fails (e.g. certificate mismatch or mis‑mapped attributes), use your backup admin account to revert settings, adjust the IdP configuration, and re‑test.


Summary

From a planning standpoint, the decision is straightforward:

  • If your requirement is “stronger logins now, centralized IdP later”, you can start on any Intercom plan using 2FA, Google Sign-In, and built‑in login protections.
  • If your requirement is “all support tools must be under our IdP with SAML SSO and SCIM”, you’ll want Intercom Enterprise, then configure SAML SSO from Settings > Security, test it with a pilot group, and finally require it for all teammates.

Either way, you end up with a Helpdesk and AI Agent that sit inside the same identity perimeter as the rest of your stack—so your agents get seamless access, and your security team gets the control and auditability they expect.

