search

Vendor Platform SSO

The LicenseSpring Vendor Platform supports Single Sign-On (SSO) to allow internal users—such as administrators, developers, and support teams—to securely access the management dashboard using their organization's identity provider (IdP). By integrating SSO, vendors can enforce centralized authentication policies and streamline access control across their team.

This section provides a step-by-step guide to configure SSO within the Vendor Platform. The process includes registering your SSO provider, configuring SAML or OIDC settings, and verifying the connection. Once enabled, users will be able to authenticate via your IdP using their organizational credentials.

hashtag
Setup Single Sign On

To configure Single Sign-On (SSO) for your organization, you must first navigate to the appropriate section within the LicenseSpring Vendor Platform. This is where you can add and manage your identity provider (IdP) settings.

Follow the steps below to access the SSO configuration view:

1

hashtag
Log in to the Vendor Platform

2

hashtag
Navigate to Organization Settings

  • From the sidebar menu, click on Settings.

  • This section contains configuration options that apply across your entire LicenseSpring account, including access control.

3

hashtag
Select the SSO Settings Tab

  • Within the Settings view, select the SSO Settings tab.

  • This view allows you to add a new SSO provider and view current authentication settings.

4

hashtag
Add a Provider

  • Click the Add SSO Provider button to begin the integration process.

  • You will be prompted to enter details based on your IdP’s protocol (SAML or OIDC).

circle-exclamation

If you do not see the “SSO Settings” tab, ensure that you have the necessary admin privileges or contact your LicenseSpring account manager.

Depending on your selected Identity Provider, you will have to submit the following information:

  • Name and .xml provider metadata file for SAML providers.

  • Name, Client ID and Client secret for Google identity provider.

  • Service ID, Key ID, Team ID and .p8 key file for Apple identity provider.

circle-info

Check Create new platform user if it does not exist already if you want to allow all users from your identity provider to login to the LicenseSpring platform. In that case for every new logged in user, LicenseSpring will create a new vendor application user for your account.

Instructions on how to register your application to acquire required informations are described below.

hashtag
Extracting the Company Code

You will need the Company code to successfully register your application in your identity provider dashboard. To find your company code, follow the next steps:

  • Inside LicenseSpring vendor platform navigate to Settings → Preferences

  • Pay attention to the Company code field. In this example the Company code is DSE2

hashtag
Integrating Social Identity Providers

Before setting up a social IdP, it's necessary to register your application with the respective IdP to acquire a client ID and client secret.

hashtag
Google

1

hashtag
Register and configure the consent screen

  1. Create a developer account with Google if you haven't already: https://developers.google.com/identity

  2. Access the OAuth consent screen page: https://console.cloud.google.com/apis/credentials/consent

  3. Opt for the external User Type and proceed to create it.

  4. Provide app information, app domain (optional), and developer contact details.

  5. Save and move forward.

  6. Configure Scopes: include .../auth/userinfo.email, .../auth/userinfo.profile, openid.

  7. Update settings and save.

  8. Continue to Test users settings and save.

2

hashtag
Create OAuth credentials

  1. Navigate to the Credentials page: https://console.cloud.google.com/apis/credentials

  2. Choose Create credentialsOAuth client ID.

  3. Select Web application type, name your OAuth 2.0 client.

  4. Add URIs:

    • Authorized JavaScript origins: https://auth.licensespring.com

    • Authorized redirect URIs: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint (replace {COMPANY_CODE} with your company code)

  5. Create and note down your Client ID and Client Secret.

  6. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

hashtag
Apple

1

hashtag
Create Developer Account & App ID

  1. Go to the Apple Developer Console: https://developer.apple.com/account/

  2. If you don't have an Apple Developer account, create one and enroll in the Apple Developer Program.

  3. Navigate to "Certificates, Identifiers & Profiles" → Identifiers → "+" to create a new App ID.

  4. Choose "App IDs", enter a description and a bundle ID (e.g., keycloak).

  5. Under "Capabilities", enable "Sign in with Apple". Register the App ID.

2

hashtag
Create a Service ID

  1. Under Identifiers click "+" → select "Service IDs".

  2. Enter a description and an identifier (e.g., keycloak-service). Register it.

  3. Edit the Service ID, enable "Sign in with Apple" and configure the redirect URI: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

  4. Add the primary App ID created earlier as the Primary App ID and save.

3

hashtag
Create a Key for Apple Sign-In

  1. Navigate to "Keys" and click "+".

  2. Enable "Sign in with Apple" and click "Configure".

  3. Select the Primary App ID and save. Register the key and download the .p8 key file. (This can only be downloaded once—save it securely.)

4

hashtag
Gather IDs and finish

  1. Note your Team ID from your Apple Developer account.

  2. Note the Key ID from the key details.

  3. Note the Service ID (from step above): keycloak-service.

  4. Have your .p8 key file ready to upload on the platform.

  5. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

hashtag
Incorporating SAML Identity Providers

To enable SAML IdP sign-in for your app users:

  • Follow your SAML identity provider's instructions to add a relying party or application for your SAML 2.0 IdP.

  • Configure the assertion consumer endpoint in your SAML identity provider to: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

  • Existing legacy configs (DO NOT USE FOR NEW CONFIGS): https://{domain_name}.auth.{region}.amazoncognito.com/saml2/idpresponse

  • Some SAML IdPs might require the SP urn / Audience URI / SP Entity ID:

    • Use https://auth.licensespring.com/realms/platform

    • Existing legacy configs (DO NOT USE FOR NEW CONFIGS): urn:amazon:cognito:sp:{_user_pool_id}

  • Configure your SAML IdP to provide an email value (claim) in the SAML assertion.

  • Support SAML 2.0 federation with post-binding endpoints to ensure direct receipt of SAML responses via a user agent.

  • Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

hashtag
Microsoft Entra (formerly Azure Active Directory)

1

hashtag
Basic setup in Azure

  1. Access https://portal.azure.com/ and choose Azure Active Directory.

  2. Add an enterprise application.

  3. Create your own application, input name, and select non-gallery option.

  4. Choose single sign-onSAML.

  5. Edit Basic SAML Configuration:

    • Set Identifier as https://auth.licensespring.com/realms/platform

    • Reply URL: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

    • Legacy (DO NOT USE FOR NEW CONFIGS) alternatives are noted in the previous SAML section.

  6. Save and close the settings.

  7. Download Federation Metadata XML.

  8. Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

2

hashtag
Allow SP Initiated Login (instructions)

  1. In the LicenseSpring SSO integration (enterprise application) → Properties → Set "Visible to users?" to No.

  2. Create a new enterprise application, input name, and select non-gallery option.

  3. Under Single sign-on select Linked.

  4. Set the Sign on URL to: https://auth.licensespring.com/realms/platform/protocol/openid-connect/auth?client_id=platform&redirect_uri=https%3A%2F%2Fsaas.licensespring.com&response_type=code&scope=openid&kc_idp_hint={COMPANY_CODE}

triangle-exclamation

Error: A common Azure DB provider SSO error is shown in the screenshot below:

Azure DB Common Error.

To resolve this error, follow these steps:

  1. In the Azure Active Directory Admin Center (https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/AllApps), select your app.

  2. In the left pane select Users and Groups → Add User/Group.

  3. On the Add Assignment pane, select None Selected under Users and Groups.

  4. Search for and select the user that you want to assign to the application, then select Select.

  5. On the Add Assignment pane, select Assign at the bottom.

  6. Once completed, the user can normally sign in using SSO.

Assign Users/Groups
Select Add User/Group
Final step to assign user to application

hashtag
Auth0 (SAML)

1

hashtag
Create an Auth0 Application

  1. Access the Auth0 dashboard.

  2. Click Applications → Create Application.

  3. Provide a name (e.g., My App).

  4. Choose Single Page Web Applications as the application type.

  5. Click Create.

2

hashtag
Create a Test User

  1. Navigate to User Management → Users.

  2. Click + Create Your First User (or + Create User).

  3. Enter the user's email and password.

  4. Click Save.

3

hashtag
Configure SAML Settings

  1. Open the application → Addons → enable SAML2 Web App.

  2. In Addon → SAML2 Web App → Settings:

    • Application Callback URL: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

    • Replace {COMPANY_CODE} with your company code.

  3. Under Settings, input the mappings JSON: { "mappings": { "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" }, "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ] }

  4. Optionally use Debug and log in as the test user to verify.

  5. Choose Enable, then Save.

4

hashtag
Get the IdP Metadata

  1. In the Addon → SAML2 Web App → Usage tab find Identity Provider Metadata.

  2. Download the .xml metadata file.

  3. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

hashtag
Okta (SAML)

1

hashtag
Create a SAML App

  1. Open the Okta Developer Console.

  2. Applications → Create App Integration.

  3. Choose SAML 2.0 as the Sign-in method and proceed.

2

hashtag
Configure SAML Integration

  1. Under General Settings, enter a name for your app.

  2. For Single sign on URL enter: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

  3. For Audience URI (SP Entity ID) enter: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

  4. Optionally add ATTRIBUTE STATEMENTS:

    • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    • Value: user.email

  5. Finish the setup and choose Finish.

3

hashtag
Assign a User

  1. On the Assignments tab → Assign → Assign to People.

  2. Choose the user to assign (initially likely yourself as admin).

  3. (Optional) Adjust User Name.

  4. Save and Done.

4

hashtag
Get the IdP Metadata

  1. On the Sign On tab, find the Identity Provider metadata hyperlink.

  2. Right-click and copy the URL or save the provided IDP metadata as an XML file.

  3. Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

5

hashtag
SP Initiated login (Okta-specific)

  1. For Single sign on URL use: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml

  2. Uncheck "Use this for Recipient URL and Destination URL".

  3. For Recipient URL use: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint

  4. For Destination URL use: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml

  5. For Audience URI (SP Entity ID) use: https://auth.licensespring.com/realms/platform/broker/{COMPANY_CODE}/endpoint/clients/platform-saml

hashtag
OpenID Connect (OIDC) Integration

LicenseSpring Platform supports Single Sign-On (SSO) via OpenID Connect (OIDC). Customers may integrate any identity provider that supports the standard Authorization Code Flow, including:

  • Azure Active Directory (Entra ID)

  • Okta

  • Auth0

  • Google Identity

This feature allows organizations to authenticate their users using their own identity system, while LicenseSpring handles user provisioning and access control.

hashtag
OIDC Redirect URI

Every OIDC provider must be configured to redirect authentication responses to the following URL:

https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint

Replace {company_code} with the company code assigned to your organization in LicenseSpring. This redirect URI must match exactly in your identity provider configuration.

hashtag
Google Identity (OIDC)

hashtag
Steps for Google

1

  1. Go to https://console.cloud.google.com

  2. APIs & Services → Credentials

  3. Create Credentials → OAuth client ID

  4. Application type: Web Application

2

Authorized JavaScript origins:

  • https://auth.licensespring.com

Authorized redirect URI:

  • https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint

3

  1. Create, then copy:

  • Client ID

  • Client Secret

  1. Ensure OAuth Consent Screen is configured and published.

hashtag
Metadata URL

https://accounts.google.com/.well-known/openid-configuration

Origins and redirect URIs

hashtag
Microsoft Azure AD (Entra ID) — OIDC

hashtag
Steps in Azure

1

  1. Sign in to Azure Portal: https://portal.azure.com

  2. Go to Microsoft Entra ID → App registrations → New registration

  3. Important: create App registrations, not Enterprise Applications.

  4. Enter a name (e.g., LicenseSpring OIDC)

  5. Supported account types: Accounts in this organizational directory only

2

  1. Add Redirect URI (Web): https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint

  2. Click Register.

3

  1. Copy Application (client) ID and Directory (tenant) ID.

  2. Go to Certificates & secrets → New client secret. Copy the generated Client Secret Value.

  3. Go to Authentication, confirm redirect URI is present.

  4. (Optional) Assign users/groups to the application.

hashtag
Metadata URL

https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration

Azure will autofill:

  • Authorization URL

  • Token URL

  • JWKS

  • Issuer

hashtag
Okta (OIDC)

hashtag
Steps in Okta

  1. Log in to Okta Admin.

  2. Applications → Create App Integration.

  3. Sign-in method: OIDC.

  4. Application type: Web Application.

  5. Add Sign-in redirect URI: https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint

  6. (Optional) Sign-out redirect URI.

  7. Assign application to users/groups.

  8. Copy: Okta domain, Client ID, Client Secret.

hashtag
Metadata URL

https://{okta_domain}/oauth2/default/.well-known/openid-configuration

Domain example: https://dev-12345678.okta.com

hashtag
Auth0 (OIDC)

hashtag
Steps in Auth0

  1. Log in: https://manage.auth0.com

  2. Applications → Create Application → Regular Web Application

  3. Settings → Add Allowed Callback URL: https://auth.licensespring.com/realms/platform/broker/{company_code}/endpoint

  4. (Optional) Add same value to Allowed Logout URLs.

  5. Copy: Domain, Client ID, Client Secret.

  6. Save changes.

hashtag
Metadata URL

https://{tenant}.auth0.com/.well-known/openid-configuration

Example: https://dev-123abc45.auth0.com

hashtag
Required OIDC Information

All required metadata is in the well-known OpenID configuration which you can import, or you can fill it manually.

hashtag
Configuration Steps on platform

Navigate to Platform → Settings → Single Sign-On

1

  • Click Add SSO Provider

2

  • Select OpenID Connect (OIDC)

3

  • Enter the required fields (Client ID, Client Secret, import well-known configuration or fill manually)

4

  • Enable (recommended): ✓ Create new platform user if it does not exist

5

  • Save the configuration

6

  • Use the SSO login on your next signin

hashtag
Login Using Single Sign On

Once you have successfully added your identity provider to the LicenseSpring vendor platform SSO settings, you can log in using SSO.

1

  • Return to the LicenseSpring login page and click Change login method, then select SSO.

2

  • A prompt will ask for the company code. Enter your Company code extracted earlier.

3

  • If the provider was added correctly and there were no errors during configuration, you should be logged in to your company account.

SSO login

If you require assistance or have custom SSO requirements, please contact LicenseSpring Supportarrow-up-right.

PreviousSingle Sign On (SSO)NextUser portal SSO

Last updated

Was this helpful?