
SSO Configuration

This section explains how to configure Single Sign-On (SSO) for your Account.


You can configure the integration with your organization's identity provider (IDP). It is required for any user logging in via your organization's SSO from the StackSpot Platform. You can configure multiple SSO methods; however, you can only keep one active.

Requirement

Follow these steps:

Set up an SSO (Single Sign-On)

Go to the StackSpot Account's Portal to complete the following steps.


Step 1. Log in to the StackSpot Platform;

Step 2. Click on your profile avatar and select the 'Organization' option from the displayed menu;

Step 3. In the Account's Portal main menu, click on 'Identity & Security' and select 'Single Sign-On (SSO)', as shown in the image below;

Screenshot of the StackSpot Account Portal within the Organization section. A red rectangle highlights the 'Identity & Security' section and its 'Single Sign-On (SSO)' subsection in the main menu.

Step 4. Click 'Set Up SSO';


Step 5. Choose how to configure. There are two authentication methods in StackSpot:

Select the one you want, click 'Next', and follow the steps for each method:

Set up SSO via SAML V2.0

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties. To learn more about this integration method, refer to Oracle's documentation.

Step 1. You can configure multiple SSO methods. Name the one you are currently setting up in the 'SSO name' field;

Step 2. Upload an XML file with your IDP (SAML entity descriptor) metadata to configure the integration. Click on the 'Select File' button to upload it, and then click 'Send File';

info

The XML file in Step 2 helps the platform to fill some configuration fields automatically.

Step 3. After the upload, review the information in the fields below the 'Select File' button:

  • Redirect URL (optional);
  • Single Sign-On Service URL: SAML endpoint that initiates the authentication process.
  • Entity ID;
  • String configuration certificate;
  • Single Logout Service URL (optional): SAML logout endpoint.

Check the information and click 'Save'.

GIF of the above steps to configure SSO


caution

You cannot edit the information in an SSO (Single Sign-On) file after you've configured it. You need to disable or remove the SSO and then set it up again from the beginning with the changes you want.

Now, to complete the configuration of Single Sign-On via SAML 2.0 and activate it, you need to:

Set up SAML Assertion Attributes

After configuring the SSO method via SAML (Security Assertion Markup Language), you must set up its Attributes. They indicate where StackSpot can get users' information when they log in.

Follow the steps to configure:

Step 1. Click on your profile avatar and select the 'Organization' option from the displayed menu;

Step 2. In the Account's Portal main menu, click on 'Identity & Security', select 'Single Sign-On (SSO)', and then select the SSO method whose Attributes you want to configure;

Step 3. Click the 'Attributes' tab under 'Identity Provider Information';

Step 4. Click the 'Edit' button and fill in the fields with the following data:

  • E-mail;
  • First Name;
  • Last name.

Click 'Save'.

Now you can configure Group Mappings.

Set up SSO via OpenID Connect V1.0

OpenID Connect (OIDC) is a protocol for identity authentication. Learn more about this method on the Microsoft Documentation. Follow the steps to set up:

Step 1. To perform the integration, upload a JSON file with the metadata from your OpenID Connect identity provider. Click the 'Select File' button to upload it, then click 'Send file'. This way, the information will be uploaded automatically;

Then, click 'Next'.

Step 2. Now, you must review the information in the form and fill in three fields: SSO name, Client ID, and Client Secret.

Check all the fields below:

  • SSO Name: You can configure multiple SSO methods, so name the one you are currently setting up.
  • Redirect URL;
  • Authorization URL: The authorization endpoint required by the OIDC protocol.
  • Token URL: The token endpoint required by the OIDC protocol.
  • User info URL;
  • JWKS URL;
  • Revoke Token URL;
  • End Session URL (optional);
  • Client ID: Your Client ID registered with the Identity Provider.
  • Client Secret: Your Client Secret registered with the Identity Provider.

Step 3. Check the information and click 'Next'.

Step 4. This step is optional and can be done at a later time.

Click 'Create Group Mapping' to simplify access management by associating permission groups from external Identity Providers with your system's internal groups within StackSpot.

You can also click Next and configure it later. The configuration instructions are in the Group Mapping section.

GIF of the above steps to configure SSO via OpenID


caution

You cannot edit the information in an SSO (Single Sign-On) file after you've configured it. You need to disable or remove the SSO and then set it up again from the beginning with the changes you want.
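The same pre-upload check applies to the OpenID Connect metadata file. The script below is an added example, not StackSpot code: it assumes the JSON file follows the standard OIDC discovery document format, maps the form fields from Step 2 to the standard discovery keys (the mapping is an assumption), and reports endpoints that are missing, not served over https, or hosted somewhere other than the issuer. The `login.example.com` document is constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed mapping from the form's field names to standard OIDC discovery keys.
FIELD_TO_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
    "Revoke Token URL": "revocation_endpoint",
    "End Session URL": "end_session_endpoint",
}
OPTIONAL = {"End Session URL"}  # the only field the page marks as optional

# Constructed sample discovery document for a hypothetical identity provider.
SAMPLE_OIDC_METADATA = json.dumps({
    "issuer": "https://login.example.com/tenant-a",
    "authorization_endpoint": "https://login.example.com/tenant-a/authorize",
    "token_endpoint": "https://login.example.com/tenant-a/token",
    "userinfo_endpoint": "https://login.example.com/tenant-a/userinfo",
    "jwks_uri": "https://login.example.com/tenant-a/keys",
    "revocation_endpoint": "http://login.example.com/tenant-a/revoke",
})


def review_oidc_metadata(text):
    """Return (form field -> URL, list of findings) for a discovery document."""
    meta = json.loads(text)
    issuer_host = urlsplit(meta.get("issuer", "")).hostname
    fields, problems = {}, []
    if not issuer_host:
        problems.append("issuer missing or not a URL")
    for field, key in FIELD_TO_KEY.items():
        url = meta.get(key)
        fields[field] = url
        if url is None:
            if field not in OPTIONAL:
                problems.append(f"{field}: '{key}' missing from metadata")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{field}: not https")
        # Some providers split endpoints across domains, so treat this as "review", not "wrong".
        if issuer_host and parts.hostname != issuer_host:
            problems.append(f"{field}: host {parts.hostname} differs from issuer {issuer_host}")
    return fields, problems


if __name__ == "__main__":
    print(review_oidc_metadata(SAMPLE_OIDC_METADATA))
```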

How to activate or deactivate an SSO (Single Sign-on) method

You can configure multiple SSO methods; however, only one can be active at a time. To activate one SSO, you must deactivate another.

Requirements:

Follow the steps below:

Step 1. Click on your profile avatar and select the 'Organization' option from the displayed menu;

Step 2. In the Account's Portal main menu, click on 'Identity & Security' and select 'Single Sign-On (SSO)', as shown in the image below;

Step 3. Select the SSO you want to activate or deactivate;

Step 4. In the left side menu, click the 'Settings' tab;

Step 5. Now, you have two options:

  • Turn on the switch button next to the 'SSO Status' to activate the SSO;
  • Turn off the switch button next to the 'SSO Status' to deactivate the SSO.

Next Steps: