I. Function overview
💡 Note: This feature is applicable to enterprise users and team users who already have a Google account or an Okta account. It enables users to use an internal account to log in to Lark, improving enterprise users’ account interconnectivity and Lark login efficiency.
This feature is under grey testing. Super administrators can enable this feature. Once this feature is enabled, super administrators need to complete the SSO login configuration before team users can use it.
The email address in Lark contacts and that of the Google or Okta account must be consistent for the Lark SSO login feature to be enabled successfully. Otherwise, please make them consistent before enabling this feature.
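Because the SSO login ties each Lark member to a Google or Okta account by email address, it helps to reconcile the two lists before enabling the feature. The following is an added example, not part of Lark's documentation or tooling: the member and account lists are constructed sample data, and treating a difference in letter case or surrounding spaces as a mismatch is an assumption made here, since the page only says the addresses must be consistent.

```python
from collections import Counter

# Constructed sample data (not real accounts): (member name, email in Lark contacts)
LARK_MEMBERS = [
    ("Alice", "alice@example.com"), ("Bob", "Bob@Example.com"),
    ("Carol", "carol@example.com "), ("Dave", ""),
    ("Erin", "erin@example.com"), ("Eve", "erin@example.com"),
    ("Frank", "frank@example.org"),
]
# Constructed sample data: account emails exported from Google or Okta
IDP_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
             "erin@example.com", "grace@example.com"]

def normalize(email):
    """Trim and lowercase, used only to detect near-misses."""
    return email.strip().lower()

def reconcile(lark_members, idp_users):
    """Sort every Lark member into exactly one bucket of the report."""
    idp_exact = set(idp_users)
    idp_norm = {normalize(e): e for e in idp_users}
    counts = Counter(normalize(e) for _, e in lark_members if e.strip())
    report = {k: [] for k in ("ok", "near_miss", "no_idp_account",
                              "no_email_in_lark", "duplicate_in_lark")}
    for name, email in lark_members:
        key = normalize(email)
        if not key:
            report["no_email_in_lark"].append(name)
        elif counts[key] > 1:
            # Two members sharing one address make the SSO mapping ambiguous.
            report["duplicate_in_lark"].append((name, email))
        elif email in idp_exact:
            report["ok"].append((name, email))
        elif key in idp_norm:
            # Same address apart from case or spaces: fix it to match exactly.
            report["near_miss"].append((name, email, idp_norm[key]))
        else:
            report["no_idp_account"].append((name, email))
    # IdP accounts with no Lark member: informational, not a blocker.
    report["idp_only"] = sorted(e for k, e in idp_norm.items() if k not in counts)
    return report

def ready_to_enable(report):
    """True only when every Lark member maps to exactly one IdP account."""
    blockers = ("near_miss", "no_idp_account", "no_email_in_lark", "duplicate_in_lark")
    return not any(report[k] for k in blockers)

if __name__ == "__main__":
    for bucket, rows in reconcile(LARK_MEMBERS, IDP_USERS).items():
        print(f"{bucket}: {rows}")
```

Members in any bucket other than ok would be unable to log in, or would map ambiguously, once SSO login is enabled, so clear those buckets first.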
Only super administrators have permission for the following actions:
- 1. Customize an enterprise domain name
The administrator can log in to Lark Admin and click Enterprise Settings - Enterprise Info - Modify to change the domain name of the company and facilitate employees’ login and usage.
🍃 Google account
Go to Enterprise Settings - SSO Login and select Google account login. Then click Configure.
You need to have the Google accounts of company employees to perform this configuration. You can click Go to Contacts to edit or add employee information.
Scenario 1: If the employee has joined the company, make sure the email address of the employee shown in Organization - Members and Departments - View details is the same as the Google account used for login.
Otherwise, modify the email address following the steps below: click Edit and enter the email address in Email or phone number.
Scenario 2: If the employee hasn’t joined the company, click Members and Departments - Add member to enter the email address of the member as their Google account.
- 3. Enter the email address
Click Log in to Google account. On the login page that appears, enter the email address. You will be redirected to this page after the login is successful.
Once you confirm the information is correct, click Save configuration.
Read the content in the pop-up window and click Enable. The configuration will take effect immediately. If you need to enable the configuration after communicating with the employee, click Save.
Once you save the configuration, you can click Enable login with Google account, or click Modify to change the current configuration.
🍃 Okta account
The email address in Lark contacts and that of the Okta account must be consistent for the Lark SSO login feature to be enabled successfully. Otherwise, please make them consistent before enabling this feature.
The administrator must complete the Okta configuration before configuring SSO login in Admin.
1.1 Create an application
Log in to the Okta account, and click Admin in the upper-right corner.
Log in to Okta and choose Applications - Applications.
Click Add Application in the upper-left corner.
Click Create New App in the upper-right corner.
Select Web and SAML 2.0 in the pop-up window.
Name the application in the pop-up window. You can name it Lark. Then click Next.
Enter the following link on the second page:
Scroll down and click Add Another to add and edit attributes. Make sure you add the user.email column.
Scroll down and click Next.
On the third page, make the selections as shown in the figure, and then click Finish.
1.2 Configure members
On the Applications page, go to the Assignments tab, and click Assign. Add the members who will use this application.
1.3 Get configuration information
On the Sign On tab, click View Setup Instructions to view the configuration information.
The information of the following three parameters will be used in Lark Admin.
Select Okta account login, and then click Configure.
Enter the information of the three parameters you obtained in the Okta account. Click Save configuration.
Then, click Enable login with Okta account.
III. Login (applicable to all team members)
Download the latest version of Lark and click SSO login.
Enter the enterprise domain name you’ve configured above.
Enter the login account. When you use an Okta account for SSO login, the account and password are the email address and password in Okta. When you use a Google account for SSO login, the account and password are those of the Google email account that has been confirmed in the Admin.
Q: How can I disable SSO login?
A: Click Enterprise Settings - SSO Login - Google account login. Then click Disable Google account login. After you disable the feature, employees can only use their Lark account for login. Please make sure all employees have added their Google account as the login method in Lark Mobile app - Profile Photo - System Settings - Account and Security - Account Management. Otherwise, employees won’t be able to log in to Lark.