
# Vendor Platform SSO

The LicenseSpring Vendor Platform supports Single Sign-On (SSO) to allow internal users—such as administrators, developers, and support teams—to securely access the management dashboard using their organization's identity provider (IdP). By integrating SSO, vendors can enforce centralized authentication policies and streamline access control across their team.

This section provides a step-by-step guide to configure SSO within the Vendor Platform. The process includes registering your SSO provider, configuring SAML or OIDC settings, and verifying the connection. Once enabled, users will be able to authenticate via your IdP using their organizational credentials.

### Setup Single Sign On

To configure Single Sign-On (SSO) for your organization, you must first navigate to the appropriate section within the LicenseSpring Vendor Platform. This is where you can add and manage your identity provider (IdP) settings.

Follow the steps below to access the SSO configuration view:

{% stepper %}
{% step %}

### Log in to the Vendor Platform

* Go to [https://saas.licensespring.com](https://saas.licensespring.com/) and sign in with your admin credentials.
  {% endstep %}

{% step %}

### Navigate to Organization Settings

* From the sidebar menu, click on **Settings**.
* This section contains configuration options that apply across your entire LicenseSpring account, including access control.
  {% endstep %}

{% step %}

### Select the SSO Settings Tab

* Within the Settings view, select the **SSO Settings** tab.
* This view allows you to add a new SSO provider and view current authentication settings.
  {% endstep %}

{% step %}

### Add a Provider

* Click the **Add SSO Provider** button to begin the integration process.
* You will be prompted to enter details based on your IdP’s protocol (SAML or OIDC).
  {% endstep %}
  {% endstepper %}

{% hint style="warning" %}
If you do not see the “SSO Settings” tab, ensure that you have the necessary admin privileges or contact your LicenseSpring account manager.
{% endhint %}

![](/files/35cd596240a88bb465583a5e67b9eca937e23cd5)

Depending on your selected Identity Provider, you will have to submit the following information:

* `Name` and `.xml provider metadata file` for SAML providers.
* `Name`, `Client ID` and `Client secret` for Google identity provider.
* `Service ID`, `Key ID`, `Team ID` and `.p8 key file` for Apple identity provider.

{% hint style="info" %}
Check `Create new platform user if it does not exist already` if you want to allow all users from your identity provider to log in to the LicenseSpring platform. In that case, LicenseSpring creates a new vendor application user in your account for every user who logs in for the first time.
{% endhint %}

Instructions on how to register your application and obtain the required information are described below.

#### Extracting the Company Code

You will need the Company code to successfully register your application in your identity provider dashboard. To find your company code, follow these steps:

* Inside LicenseSpring vendor platform navigate to **Settings → Preferences**
* Pay attention to the **Company code** field. In this example the Company code is **DSE2**

![](/files/6fbd9b1bfdbac3cefa49c13074754a585efb727a)

### Integrating Social Identity Providers

Before setting up a social IdP, it's necessary to register your application with the respective IdP to acquire a client ID and client secret.

#### Google

{% stepper %}
{% step %}

### Register and configure the consent screen

1. Create a developer account with Google if you haven't already: <https://developers.google.com/identity>
2. Access the OAuth consent screen page: <https://console.cloud.google.com/apis/credentials/consent>
3. Opt for the `external` User Type and proceed to create it.
4. Provide `app information`, `app domain` (optional), and `developer contact details`.
5. Save and move forward.
6. Configure Scopes: include `.../auth/userinfo.email`, `.../auth/userinfo.profile`, `openid`.
7. Update settings and save.
8. Continue to Test users settings and save.
   {% endstep %}

{% step %}

### Create OAuth credentials

1. Navigate to the Credentials page: <https://console.cloud.google.com/apis/credentials>
2. Choose `Create credentials` → `OAuth client ID`.
3. Select the `Web application` type and name your OAuth 2.0 client.
4. Add URIs:
   * Authorized JavaScript origins: <https://auth.licensespring.com>
   * Authorized redirect URIs: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint> (replace `{COMPANY_CODE}` with your company code)
5. Create and note down your `Client ID` and `Client Secret`.
6. Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
   {% endstep %}
   {% endstepper %}

#### Apple

{% stepper %}
{% step %}

### Create Developer Account & App ID

1. Go to the Apple Developer Console: <https://developer.apple.com/account/>
2. If you don't have an Apple Developer account, create one and enroll in the Apple Developer Program.
3. Navigate to "Certificates, Identifiers & Profiles" → Identifiers → "+" to create a new App ID.
4. Choose "App IDs", enter a description and a bundle ID (e.g., keycloak).
5. Under "Capabilities", enable "Sign in with Apple". Register the App ID.
   {% endstep %}

{% step %}

### Create a Service ID

1. Under Identifiers click "+" → select "Service IDs".
2. Enter a description and an identifier (e.g., **keycloak-service**). Register it.
3. Edit the Service ID, enable "Sign in with Apple" and configure the redirect URI: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
4. Add the primary App ID created earlier as the Primary App ID and save.
   {% endstep %}

{% step %}

### Create a Key for Apple Sign-In

1. Navigate to "Keys" and click "+".
2. Enable "Sign in with Apple" and click "Configure".
3. Select the Primary App ID and save. Register the key and download the .p8 key file. (This can only be downloaded once—save it securely.)
   {% endstep %}

{% step %}

### Gather IDs and finish

1. Note your **Team ID** from your Apple Developer account.
2. Note the **Key ID** from the key details.
3. Note the Service ID (from step above): **keycloak-service**.
4. Have your **.p8 key file** ready to upload on the platform.
5. Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
   {% endstep %}
   {% endstepper %}

### Incorporating SAML Identity Providers

To enable SAML IdP sign-in for your app users:

* Follow your SAML identity provider's instructions to add a relying party or application for your SAML 2.0 IdP.
* Configure the assertion consumer endpoint in your SAML identity provider to: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
* Existing legacy configs (DO NOT USE FOR NEW CONFIGS):\
  https\://{*domain\_name*}.auth.{*region*}.amazoncognito.com/saml2/idpresponse
* Some SAML IdPs might require the SP urn / Audience URI / SP Entity ID:
  * Use <https://auth.licensespring.com/realms/platform>
  * Existing legacy configs (DO NOT USE FOR NEW CONFIGS): urn:amazon:cognito:sp:{\_user\_pool\_id}
* Configure your SAML IdP to provide an email value (claim) in the SAML assertion.
* Support SAML 2.0 federation with post-binding endpoints to ensure direct receipt of SAML responses via a user agent.
* Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
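
A check for the SAML settings listed above, as an added example that is not LicenseSpring's own code: it takes a decoded SAML response captured during a test login and reports whether the Destination, Recipient, audience and email claim line up with the values on this page. The email claim name is the one used in this page's Auth0 and Okta examples, the function name and sample response are constructed, and the XML signature is not verified.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: claim name taken from this page's Auth0 and Okta examples.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
REALM = "https://auth.licensespring.com/realms/platform"


def check_saml_response(xml_text, company_code, audience=REALM):
    """List problems in a decoded SAML Response; layout only, no signature check."""
    acs = f"{REALM}/broker/{company_code}/endpoint"
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    # Destination is optional, but when the IdP sets it, it must be the ACS URL.
    dest = root.get("Destination")
    if dest is not None and dest != acs:
        problems.append(f"Destination is {dest!r}, expected {acs!r}")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"no SubjectConfirmationData with Recipient {acs!r}")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append(f"Audience {audience!r} not found (got {audiences})")
    emails = [(v.text or "").strip()
              for attr in root.iterfind(".//a:Attribute", NS)
              if attr.get("Name") == EMAIL_CLAIM
              for v in attr.iterfind("a:AttributeValue", NS)]
    if not any(emails):
        problems.append("no non-empty email attribute in the assertion")
    return problems


# Constructed sample: a trimmed, unsigned Response for company code DSE2.
SAMPLE = """
<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://auth.licensespring.com/realms/platform/broker/DSE2/endpoint">
  <a:Assertion>
    <a:Subject><a:SubjectConfirmation>
      <a:SubjectConfirmationData
        Recipient="https://auth.licensespring.com/realms/platform/broker/DSE2/endpoint"/>
    </a:SubjectConfirmation></a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://auth.licensespring.com/realms/platform</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <a:AttributeValue>admin@example.com</a:AttributeValue>
      </a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>
"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "DSE2"))  # conforming sample
    print(check_saml_response(SAMPLE, "ABCD"))  # response meant for another company code
```

Pass a different `audience` when your IdP is configured with another SP Entity ID, as in the Okta instructions further down.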

#### Microsoft Entra (formerly Azure Active Directory)

{% stepper %}
{% step %}

### Basic setup in Azure

1. Access <https://portal.azure.com/> and choose Azure Active Directory.
2. `Add` an `enterprise application`.
3. Create your own application, input `name`, and select `non-gallery` option.
4. Choose `single sign-on` → `SAML`.
5. Edit Basic SAML Configuration:
   * Set Identifier as <https://auth.licensespring.com/realms/platform>
   * Reply URL: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
   * Legacy (DO NOT USE FOR NEW CONFIGS) alternatives are noted in the previous SAML section.
6. Save and close the settings.
7. Download Federation Metadata XML.
8. Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
   {% endstep %}

{% step %}

### Allow SP Initiated Login (instructions)

1. In the LicenseSpring SSO integration (enterprise application) → Properties → Set "Visible to users?" to No.
2. Create a new enterprise application, input `name`, and select `non-gallery` option.
3. Under Single sign-on select `Linked`.
4. Set the `Sign on URL` to: <https://auth.licensespring.com/realms/platform/protocol/openid-connect/auth?client_id=platform&redirect_uri=https%3A%2F%2Fsaas.licensespring.com&response_type=code&scope=openid&kc_idp_hint={COMPANY_CODE}>
   {% endstep %}
   {% endstepper %}

{% hint style="danger" %}
Error: A common Azure AD provider SSO error is shown in the screenshot below:
{% endhint %}

![Azure AD common error.](/files/e88b78685effe3e44b2c07210b3341ee81d2d712)

To resolve this error, follow these steps:

1. In the Azure Active Directory Admin Center (<https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/AllApps>), select your app.
2. In the left pane select Users and Groups → Add User/Group.
3. On the Add Assignment pane, select None Selected under Users and Groups.
4. Search for and select the user that you want to assign to the application, then select Select.
5. On the Add Assignment pane, select Assign at the bottom.
6. Once completed, the user can normally sign in using SSO.

![Assign Users/Groups](/files/1e3aaeb919a777b7f448e44e3dd275a454b3115c) ![Select Add User/Group](/files/4d2f688ed5d5a5c9edb07aaed98af5285ff2db22) ![Final step to assign user to application](/files/587d11de7dc294fdf87d35c8dc6f277db99f187d)

#### Auth0 (SAML)

{% stepper %}
{% step %}

### Create an Auth0 Application

1. Access the Auth0 dashboard.
2. Click Applications → Create Application.
3. Provide a name (e.g., My App).
4. Choose Single Page Web Applications as the application type.
5. Click Create.
   {% endstep %}

{% step %}

### Create a Test User

1. Navigate to User Management → Users.
2. Click + Create Your First User (or + Create User).
3. Enter the user's email and password.
4. Click Save.
   {% endstep %}

{% step %}

### Configure SAML Settings

1. Open the application → Addons → enable SAML2 Web App.
2. In Addon → SAML2 Web App → Settings:
   * Application Callback URL: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
   * Replace `{COMPANY_CODE}` with your company code.
3. Under Settings, input the mappings JSON:

   ```json
   {
     "mappings": {
       "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
       "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
       "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
     },
     "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     ]
   }
   ```
4. Optionally use Debug and log in as the test user to verify.
5. Choose Enable, then Save.
   {% endstep %}

{% step %}

### Get the IdP Metadata

1. In the Addon → SAML2 Web App → Usage tab find Identity Provider Metadata.
2. Download the .xml metadata file.
3. Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
   {% endstep %}
   {% endstepper %}

#### Okta (SAML)

{% stepper %}
{% step %}

### Create a SAML App

1. Open the Okta Developer Console.
2. Applications → Create App Integration.
3. Choose SAML 2.0 as the Sign-in method and proceed.
   {% endstep %}

{% step %}

### Configure SAML Integration

1. Under General Settings, enter a name for your app.
2. For Single sign on URL enter: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
3. For Audience URI (SP Entity ID) enter: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
4. Optionally add ATTRIBUTE STATEMENTS:
   * Name: <http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress>
   * Value: user.email
5. Finish the setup and choose Finish.
   {% endstep %}

{% step %}

### Assign a User

1. On the Assignments tab → Assign → Assign to People.
2. Choose the user to assign (initially likely yourself as admin).
3. (Optional) Adjust User Name.
4. Save and Done.
   {% endstep %}

{% step %}

### Get the IdP Metadata

1. On the Sign On tab, find the Identity Provider metadata hyperlink.
2. Right-click and copy the URL or save the provided IDP metadata as an XML file.
3. Go back to the `Add SSO Provider` form in the LicenseSpring vendor platform and finish the setup.
   {% endstep %}

{% step %}

### SP Initiated login (Okta-specific)

1. For Single sign on URL use: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml>
2. Uncheck "Use this for Recipient URL and Destination URL".
3. For Recipient URL use: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint>
4. For Destination URL use: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml>
5. For Audience URI (SP Entity ID) use: <https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml>
   {% endstep %}
   {% endstepper %}

### OpenID Connect (OIDC) Integration

LicenseSpring Platform supports Single Sign-On (SSO) via OpenID Connect (OIDC). Customers may integrate any identity provider that supports the standard Authorization Code Flow, including:

* Azure Active Directory (Entra ID)
* Okta
* Auth0
* Google Identity

This feature allows organizations to authenticate their users using their own identity system, while LicenseSpring handles user provisioning and access control.

#### OIDC Redirect URI

Every OIDC provider must be configured to redirect authentication responses to the following URL:

<https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint>

Replace {company\_code} with the company code assigned to your organization in LicenseSpring. This redirect URI must match exactly in your identity provider configuration.
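
Because the match is exact, small differences are enough to break the login. The following added example (not LicenseSpring code) explains why a redirect URI registered at the IdP differs from the expected one, and also checks the parameters of the SP-initiated Sign on URL given in the Microsoft Entra section. The function names are hypothetical and the sample values are constructed from the DSE2 example company code.

```python
from urllib.parse import parse_qs, urlsplit

HOST = "auth.licensespring.com"
BROKER = "https://" + HOST + "/realms/platform/broker/{code}/endpoint"
AUTH_PATH = "/realms/platform/protocol/openid-connect/auth"


def check_redirect_uri(registered, company_code):
    """Explain why a redirect URI registered at the IdP is not an exact match."""
    expected = BROKER.format(code=company_code)
    if registered == expected:
        return []
    problems = []
    if "{" in registered or "%7b" in registered.lower():
        problems.append("placeholder was not replaced with the company code")
    parts = urlsplit(registered)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.hostname != HOST:
        problems.append(f"host is {parts.hostname!r}, expected {HOST!r}")
    if registered.rstrip("/") == expected:
        problems.append("trailing slash")
    if registered.lower() == expected.lower():
        problems.append("differs only in letter case")
    return problems or [f"does not equal {expected!r}"]


def check_sign_on_url(url, company_code):
    """Check the SP-initiated Sign on URL parameters against the documented ones."""
    want = {"client_id": "platform",
            "redirect_uri": "https://saas.licensespring.com",
            "response_type": "code", "scope": "openid",
            "kc_idp_hint": company_code}
    parts = urlsplit(url)
    problems = []
    if (parts.scheme, parts.hostname, parts.path) != ("https", HOST, AUTH_PATH):
        problems.append("not the platform authorization endpoint")
    got = parse_qs(parts.query)  # percent-decodes redirect_uri for comparison
    for name, value in want.items():
        if got.get(name) != [value]:
            problems.append(f"{name} is {got.get(name)}, expected {value!r}")
    return problems


# Constructed sample: the documented Sign on URL with company code DSE2 filled in.
SIGN_ON = ("https://auth.licensespring.com" + AUTH_PATH +
           "?client_id=platform&redirect_uri=https%3A%2F%2Fsaas.licensespring.com"
           "&response_type=code&scope=openid&kc_idp_hint=DSE2")

if __name__ == "__main__":
    print(check_redirect_uri(BROKER.format(code="DSE2") + "/", "DSE2"))
    print(check_redirect_uri(BROKER.format(code="{COMPANY_CODE}"), "DSE2"))
    print(check_sign_on_url(SIGN_ON, "DSE2"))
```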

### Google Identity (OIDC)

#### Steps for Google

{% stepper %}
{% step %}

1. Go to <https://console.cloud.google.com>
2. APIs & Services → Credentials
3. Create Credentials → OAuth client ID
4. Application type: Web Application
   {% endstep %}

{% step %}
Authorized JavaScript origins:

* <https://auth.licensespring.com>

Authorized redirect URI:

* <https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint>
  {% endstep %}

{% step %}
6\. Create, then copy:

* Client ID
* Client Secret

8. Ensure OAuth Consent Screen is configured and published.
   {% endstep %}
   {% endstepper %}

#### Metadata URL

<https://accounts.google.com/.well-known/openid-configuration>

![Origins and redirect URIs](/files/05153d2a9d28b7b5612eff65923f5e84cb806691)

### Microsoft Azure AD (Entra ID) — OIDC

#### Steps in Azure

{% stepper %}
{% step %}

1. Sign in to Azure Portal: <https://portal.azure.com>
2. Go to Microsoft Entra ID → App registrations → New registration
3. Important: create **App registrations**, not Enterprise Applications.
4. Enter a name (e.g., LicenseSpring OIDC)
5. Supported account types: Accounts in this organizational directory only
   {% endstep %}

{% step %}
6\. Add Redirect URI (Web): <https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint>
7\. Click Register.
{% endstep %}

{% step %}
8\. Copy **Application (client) ID** and **Directory (tenant) ID**.
9\. Go to Certificates & secrets → New client secret. Copy the generated Client Secret Value.
10\. Go to Authentication, confirm redirect URI is present.
11\. (Optional) Assign users/groups to the application.
{% endstep %}
{% endstepper %}

#### Metadata URL

<https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration>

Azure will autofill:

* Authorization URL
* Token URL
* JWKS
* Issuer

### Okta (OIDC)

#### Steps in Okta

1. Log in to Okta Admin.
2. Applications → Create App Integration.
3. Sign-in method: OIDC.
4. Application type: Web Application.
5. Add Sign-in redirect URI: <https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint>
6. (Optional) Sign-out redirect URI.
7. Assign application to users/groups.
8. Copy: Okta domain, Client ID, Client Secret.

#### Metadata URL

https\://{okta\_domain}/oauth2/default/.well-known/openid-configuration

Domain example: <https://dev-12345678.okta.com>

### Auth0 (OIDC)

#### Steps in Auth0

1. Log in: <https://manage.auth0.com>
2. Applications → Create Application → Regular Web Application
3. Settings → Add Allowed Callback URL: <https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint>
4. (Optional) Add same value to Allowed Logout URLs.
5. Copy: Domain, Client ID, Client Secret.
6. Save changes.

#### Metadata URL

https\://{tenant}.auth0.com/.well-known/openid-configuration

Example: <https://dev-123abc45.auth0.com>

### Required OIDC Information

All required metadata is in the well-known OpenID configuration which you can import, or you can fill it manually.
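
One way to sanity-check a provider's well-known configuration before importing it (added example, not LicenseSpring code): it confirms that the issuer belongs to the metadata URL you fetched, that the authorization, token and JWKS endpoints are HTTPS, and that the `code` response type needed for the Authorization Code Flow is advertised. The function name is hypothetical and the sample document is constructed around the Okta domain example above.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(metadata_url, doc):
    """Return a list of problems in an OIDC discovery document (empty = OK)."""
    if urlsplit(metadata_url).scheme != "https" or not metadata_url.endswith(WELL_KNOWN):
        return [f"metadata URL must be https and end with {WELL_KNOWN}"]
    problems = []
    # OIDC Discovery: the issuer is the metadata URL minus the well-known suffix.
    # Some providers publish the issuer with a trailing slash, so compare without it.
    expected_issuer = metadata_url[:-len(WELL_KNOWN)]
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key} is missing")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https: {value!r}")
    # The platform uses the Authorization Code Flow, i.e. response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not advertised")
    return problems


# Constructed sample, shaped like a discovery document for the example domain.
BASE = "https://dev-12345678.okta.com/oauth2/default"
METADATA_URL = BASE + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/v1/authorize",
    "token_endpoint": BASE + "/v1/token",
    "jwks_uri": BASE + "/v1/keys",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    print(check_discovery(METADATA_URL, SAMPLE_DOC))
    # A document whose issuer points at a different host than the one fetched.
    print(check_discovery(METADATA_URL, dict(SAMPLE_DOC, issuer="https://login.example.net")))
```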

### Configuration Steps on platform

Navigate to **Platform → Settings → Single Sign-On**

{% stepper %}
{% step %}

* Click **Add SSO Provider**
  {% endstep %}

{% step %}

* Select **OpenID Connect (OIDC)**
  {% endstep %}

{% step %}

* Enter the required fields (Client ID, Client Secret, import well-known configuration or fill manually)
  {% endstep %}

{% step %}

* Enable (recommended): ✓ Create new platform user if it does not exist
  {% endstep %}

{% step %}

* Save the configuration
  {% endstep %}

{% step %}

* Use the SSO login on your next sign-in
  {% endstep %}
  {% endstepper %}

![](/files/56203c879d52be03d5348311208cbf05fc243164)

### Login Using Single Sign On

Once you have successfully added your identity provider to the LicenseSpring vendor platform SSO settings, you can log in using SSO.

{% stepper %}
{% step %}

* Return to the LicenseSpring login page and click **Change login method**, then select **SSO**.
  {% endstep %}

{% step %}

* A prompt will ask for the company code. Enter your Company code extracted earlier.
  {% endstep %}

{% step %}

* If the provider was added correctly and there were no errors during configuration, you should be logged in to your company account.
  {% endstep %}
  {% endstepper %}

![](/files/09aeb9fa3444c464f529c6e3eb52e87c99b650ab) ![SSO login](/files/c100c315c6e28421bd578b69eaf6510f34bfcaac)

If you require assistance or have custom SSO requirements, please contact [LicenseSpring Support](https://licensespring.zendesk.com/agent/).

