I. Intro

Note: This feature is applicable to enterprise users and team users who already have a Google account or an Okta account. It enables users to use an internal account to log in to Lark, improving enterprise users’ account interconnectivity and Lark login efficiency. Only super administrators have the permission for the following actions.

This feature is under beta testing. Super administrators can Contact customer service to enable this feature. Once this feature is enabled, super administrators needs to complete the SSO login configuration for team users to use this feature.

The email address in Lark contacts and that of the Google or Okta account must be consistent for the Lark SSO login feature to be enabled successfully. Otherwise, please make them consistent before enabling this feature.

II. Steps

Only super administrators have permission for the following actions:

1.Customize an enterprise domain name

The administrator can log in to Lark Admin and click Enterprise Settings > Enterprise Info > Modify to change the domain name of the company and facilitate employees’ login and usage.

2.Configure SSO login

🍃 Google account

Go to Enterprise Settings > SSO Login and select Google account login. Then click Configure.

1.Confirm employee info

You need to have the Google accounts of company employees to perform this configuration. You can click Go to Contacts to edit or add to enter the employee information.

Scenario 1: If the employee has joined the company, make sure the email address of the employee shown in Organization > Members and Departments > View details is the same as the Google account used for login.

Otherwise, modify the email address following the steps below: click Edit and enter the email address in Email or phone number.

Scenario 2: If the employee hasn’t joined the company, click Members and Departments - Add member to enter the email address of the member as their Google account.

2.Enter the email address

Click Log in to Google account. On the login page that appears, enter the email address. You will be redirected to this page after the login is successful.

Once you confirm the information is correct, click Save configuration.

Read the content in the pop-up window and click Enable. The configuration will take effect immediately. If you need to enable the configuration after communicating with the employee, click Save.

Once you save the configuration, you can click Enable login with Google account, or click Modify to change the current configuration.

🍃 Okta account

The email address in Lark contacts and that of the Okta account must be consistent for the Lark SSO login feature to be enabled successfully. Otherwise, please make them consistent before enabling this feature.

The administrator must complete the Okta configuration before configuring SSO login in Admin.

1.Configure Okta

1.1 Create an application

Log in to the Okta account, and click Admin in the upper-right corner.

Log in to Okta and choose Applications > Applications.

Click Add Application in the upper-left corner.

Click Create New App in the upper-right corner.

Select Web and SAML 2.0 in the pop-up window.

Name the application in the pop-up window . You can name it to Lark. Then click Next.

Enter the following link on the second page:

Lark:

A link: https://www.larksuite.com/suite/passport/authentication/idp/saml/call_back

B link: https://www.larksuite.com

Scroll down and click Add Another to add and edit attributes. Make sure you add the user.email column.

Scroll down and click Next.

On the third page, make the selections as shown in the figure, and then click Finish.

1.2 Configure members

On the Applications page, go to the Assignments tab, and click Assign. Add the members you want to add to use this application.

1.3 Get configuration information

On the Sign On tab, click View Setup Instructions to view the configuration information.

The information of the following three parameters will be used in Lark Admin.

2.Configure Lark Admin

Select Okta account login, and then click Configure.

Enter the information of the three parameters you obtained in the Okta account. Click Save configuration.

Then, click Enable login with Okta account.

III. Login (applicable to all team members)

Download the latest version of Lark and click SSO login.

Enter the enterprise domain name you’ve configured above.

Enter the login account. When you use an Okta account for SSO login, the account and password are the email address and password in Okta. When you use a Google account for SSO login, the account and password are those of the Google email account that has been confirmed in the Admin.

IV. FAQs

Q: How can I disable SSO login?

A: Click Enterprise Settings > SSO Login > Google account login. Then click Disable Google account login. After you disable the feature, employees can only use their Lark account for login. Please make sure all employees have added their Google account as the login method in Lark Mobile app - Profile Photo - System Settings - Account and Security > Account Management. Otherwise, employees won’t be able to log in to Lark.

Q: Why can't I invite members after enabling SSO login?

A: Once SSO login is enabled, members can only be added from the admin console. For members to log in successfully, the connected email address must be the same as the Idp email address or be imported using API.

As Invite Code, Invite QR Code, and Invite Link are not necessarily related to the connected email, you cannot use them to invite others.