Common Scenarios
Single Sign On (SSO)

13min
Enabling Third-Party Sign-In Integration
Incorporating third-party identity providers (IdPs) for user sign-in is an option within your application. The current support includes social sign-ins via Google and SAML IdPs like Azure Active Directory.
Integrating Social Identity Providers
Before setting up a social IdP, it's necessary to register your application with the respective IdP to acquire a client ID and client secret.
Google
﻿Create a developer account with Google if you haven't already.
Access the OAuth consent screen page.
Opt for the external User Type and proceed to create it.
Provide app information, app domain (optional), and developer contact details.
Save and move forward.
Configure Scopes:
Include Scopes like .../auth/userinfo.email, .../auth/userinfo.profile, openid.
Update settings and save.
Continue to Test users settings and save.
Navigate to the Credentials page.
Create credentials > OAuth client ID.
Select web application type, name your OAuth 2.0 client.
Add URIs to authorized JavaScript origins and authorized redirect URIs.
Create and note down your Client ID and your Client Secret.
Incorporating SAML Identity Providers
To enable SAML IdP sign-in for your app users:
Follow your SAML identity provider's instructions to add a relying party or application for your SAML 2.0 IdP.
Configure the assertion consumer endpoint in your SAML identity provider to:
https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): https://{_domain_name_}.auth.{_region_}.amazoncognito.com/saml2/idpresponse
Some SAML IdPs might require the SP urn / Audience URI / SP Entity ID:
Use https://auth.licensespring.com/auth/realms/platform
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): urn:amazon:cognito:sp:{_user_pool_id}
Configure your SAML IdP to provide an email value (claim) in the SAML assertion.
Support SAML 2.0 federation with post-binding endpoints. This ensures direct receipt of SAML responses via a user agent, eliminating the need for retrieval and parsing.
Provide a SAML Provider Name and the metadata document from your SAML IdP.
Azure Active Directory
Access Azure Portal and choose Azure Active Directory.
Add an enterprise application.
Create your own application, input name, and select non-gallery option.
Opt for single sign-on > SAML.
Edit Basic SAML Configuration:
Set Identifier as https://auth.licensespring.com/auth/realms/platform
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): urn:amazon:cognito:sp:{_user_pool_id_}
Configure Reply URL as https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): https://{_domain_name_}.auth.{_region_}.amazoncognito.com/saml2/idpresponse
Save and close the settings.
Download Federation Metadata XML.
Provide us with your provider's name and the downloaded metadata.
Error: A common Azure DB provider SSO error is shown in the screenshot below:
User not assigned to a role for application.
﻿
To resolve this error, follow these steps:
In the Azure Active Directory Admin Center, select your app and then search for and select the application to which you want to assign the user account.
In the left pane select Users and Groups and then select Add User/Group.
Assign Users/Groups
﻿
Select Add User/Group
﻿
    3. On the Add Assignment pane, select None Selected under Users and Groups
    4. Search for and select the user that you want to assign to the application, select Select
    5. On the Add Assignment, select Assign at the bottom of the pane
    6. When all steps are completed, user can normally sign in to account using SSO
Final step to assign user to application
﻿
Auth0
Create an Auth0 Application
Access the Auth0 website dashboard.
Click on Applications, then select Create Application.
In the Create Application dialog box, provide a name for your application (e.g., My App).
Choose Single Page Web Applications as the application type.
Click the Create button.
Create a Test User
Navigate to the left navigation bar and select User Management.
Click on Users.
Choose + Create Your First User. Alternatively, if this is not your initial user, select + Create User.
Within the Create user dialog box, input the user's email and password.
Click the Save button.
Configure SAML Settings
Access the left navigation bar and click on Applications.
Select the name of the application you previously created.
Go to the Addons tab.
Activate the SAML2 Web App option.
Within the Addon: SAML2 Web App dialog box, navigate to the Settings tab.
For the Application Callback URL, input https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint﻿
Please substitute company code with the appropriate value from platform for your company_code, under platform settings.
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): https://_domain_name_.auth._region_.amazoncognito.com/saml2/idpresponse
Under Settings, input the following:
 No need to add anything, it can be left as is (" {} ").
Replace _user_pool_id_ with the value from your SSO settings.
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): 
{
   "audience": "urn:amazon:cognito:sp:_user_pool_id_",
   "mappings": {
     "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
   },
   "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
 }
(Optional) Choose Debug, then log in as the test user you created to confirm that the configuration works.
Choose Enable, and then choose Save.
Get the IdP Metadata
In the Addon: SAML2 Web App dialog box, on the Usage tab, find Identity Provider Metadata. Then do either of the following:
Choose download to download the .xml metadata file.
Okta
Create a SAML App
Open the Okta Developer Console.
In the navigation menu, expand Applications, and then choose Applications.
Choose Create App Integration.
In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.
Choose Next.
Configure SAML Integration
On the Create SAML Integration page, under General Settings, enter a name for your app.
Choose Next.
Under GENERAL, for Single sign on URL, enter https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint﻿
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): https://{domain_name}.auth.{region}.amazoncognito.com/saml2/idpresponse
For Audience URI (SP Entity ID), enter https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint﻿
Existing configs with legacy prefixed (DO NOT USE FOR NEW CONFIGS): urn:amazon:cognito:sp:{user_pool_id}
Under ATTRIBUTE STATEMENTS (OPTIONAL), add a statement with the following information:
For Name, enter the SAML attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
For Value, enter user.email.
For all other settings on the page, leave them as their default values or set them according to your preferences.
Choose Next.
Choose a feedback response for Okta Support.
Choose Finish.
Assign a User
On the Assignments tab for your Okta app, for Assign, choose Assign to People.
Choose Assign next to the user that you want to assign. Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.
(Optional) For User Name, enter a user name, or leave it as the user's email address, if you want.
Choose Save and Go Back. Your user is assigned.
Choose Done.
Get the IdP Metadata
On the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink. 
Right-click the hyperlink, and then copy the URL. 
If not found then click View SAML setup instructions and save the value from Provide the following IDP metadata to your SP provider into an xml file.
Apple
Go to the Apple Developer Console: Visit Apple Developer Console.
Create an Apple Developer Account:
If you don't have an Apple Developer account, you will need to create one and enroll in the Apple Developer Program.
Create a New App ID:
Navigate to "Certificates, Identifiers & Profiles".
Under Identifiers, click the "+" button to create a new App ID.
Choose "App IDs" and click "Continue".
Enter a description and a bundle ID (e.g., keycloak)
Under "Capabilities", enable "Sign in with Apple".
Click "Continue" and then "Register".
Create a Service ID:
Still under "Identifiers", click the "+" button to create a new Service ID.
Select "Service IDs" and click "Continue".
Enter a description and an identifier (e.g., keycloak-service)
Click "Continue" and then "Register".
After creating the Service ID, click on it to edit it.
Enable "Sign in with Apple" and configure the redirect URI:
https://auth.lcensespring.com/realms/platfrom/broker/{COMPANY_CODE}/endpoint﻿
Add the primary App ID created earlier as the Primary App ID.
Click "Save".
Create a Key for Apple Sign-In:
Navigate to "Keys" and click the "+" button to create a new key.
Enable "Sign in with Apple" and click "Configure".
Select the Primary App ID and click "Save".
Click "Continue" and then "Register".
Download the key file it will have a .p8 extension) and save it securely. You will not be able to download it again.
Get Your Team ID and Key ID:
Note down your Team ID from your Apple Developer account.
Note down the Key ID from the key details.
Note down service identifier as mentioned before ins step 4. : keycloak-service
Have your key file ready to upload it on platform.

Setup Apple SSO with above credentials on Licensespring platform.
Updated 08 Oct 2024
Did this page help you?
Changelog
Implementing Single Sign-On (SSO)