Vendor Platform SSO

the licensespring vendor platform supports single sign on (sso) to allow internal users— such as administrators, developers, and support teams — to securely access the management dashboard using their organization's identity provider (idp) by integrating sso, vendors can enforce centralized authentication policies and streamline access control across their team this section provides a step by step guide to configure sso within the vendor platform the process includes registering your sso provider, configuring saml or oidc settings, and verifying the connection once enabled, users will be able to authenticate via your idp using their organizational credentials setup single sign on to configure single sign on (sso) for your organization, you must first navigate to the appropriate section within the licensespring vendor platform this is where you can add and manage your identity provider (idp) settings follow the steps below to access the sso configuration view log in to the vendor platform go to https //saas licensespring com and sign in with your admin credentials navigate to organization settings from the sidebar menu, click on “settings” this section contains configuration options that apply across your entire licensespring account, including access control select the “sso settings” tab within the settings view, select the “sso settings” tab this view allows you to add a new sso provider , and view current authentication settings click “add provider” to begin the integration process, click on the “add sso provider” button you will be prompted to enter details based on your idp’s protocol (saml or oidc) if you do not see the “sso settings” tab, ensure that you have the necessary admin privileges or contact your licensespring account manager depending on your selected identity provider, you will have to submit following informations name and xml provider metadata file for saml providers name , client id and client secret for google identity provider service id , key id , team id and p8 key file for apple identity provider check create new platform user if it does not exist already if you want to allow all users from your identity provider to login to the licensespring platform in that case for every new logged in user, licensespring will create a new vendor application user for your account instructions on how to register your application to acquire required informations are described below extracting the company code you will need company code to succesfully register your application in your identity provider dashboard to find your company code, follow the next steps inside licensespring vendor platform navigate to settings > preferences pay attention to the company code field in this case company code is dse2 integrating social identity providers before setting up a social idp, it's necessary to register your application with the respective idp to acquire a client id and client secret google https //developers google com/identity if you haven't already access the https //console cloud google com/apis/credentials/consent opt for the external user type and proceed to create it provide app information , app domain (optional), and developer contact details save and move forward configure scopes include scopes like /auth/userinfo email , /auth/userinfo profile , openid update settings and save continue to test users settings and save navigate to the https //console cloud google com/apis/credentials create credentials > oauth client id select web application type, name your oauth 2 0 client add uris to authorized javascript origins and authorized redirect uris authorized javascript origins http //auth licensespring com authorized redirect uris https //auth licensespring com/realms/platform/broker/{company code}}/endpoint create and note down your client id and your client secret go back to add sso provider form in the licensespring vendor platform and finish the setup apple go to the apple developer console visit https //developer apple com/account/ create an apple developer account if you don't have an apple developer account, you will need to create one and enroll in the apple developer program create a new app id navigate to "certificates, identifiers & profiles" under identifiers, click the "+" button to create a new app id choose "app ids" and click "continue" enter a description and a bundle id (e g , keycloak) under "capabilities", enable "sign in with apple" click "continue" and then "register" create a service id still under "identifiers", click the "+" button to create a new service id select "service ids" and click "continue" enter a description and an identifier (e g , keycloak service ) click "continue" and then "register" after creating the service id, click on it to edit it enable "sign in with apple" and configure the redirect uri https //auth licensespring com/realms/platform/broker/{company code}/endpoint add the primary app id created earlier as the primary app id click "save" create a key for apple sign in navigate to "keys" and click the "+" button to create a new key enable "sign in with apple" and click "configure" select the primary app id and click "save" click "continue" and then "register" download the key file it will have a p8 extension) and save it securely you will not be able to download it again get your team id and key id note down your team id from your apple developer account note down the key id from the key details note down service identifier as mentioned before ins step 4 keycloak service have your key file ready to upload it on platform go back to add sso provider form in the licensespring vendor platform and finish the setup incorporating saml identity providers to enable saml idp sign in for your app users follow your saml identity provider's instructions to add a relying party or application for your saml 2 0 idp configure the assertion consumer endpoint in your saml identity provider to https //auth licensespring com/realms/platform/broker/{company code}/endpoint existing configs with legacy prefixed (do not use for new configs) https //{ domain name } auth { region } amazoncognito com/saml2/idpresponse some saml idps might require the sp urn / audience uri / sp entity id use https //auth licensespring com/realms/platform existing configs with legacy prefixed (do not use for new configs) urn\ amazon\ cognito\ sp { user pool id} configure your saml idp to provide an email value (claim) in the saml assertion support saml 2 0 federation with post binding endpoints this ensures direct receipt of saml responses via a user agent, eliminating the need for retrieval and parsing go back to add sso provider form in the licensespring vendor platform and finish the setup microsoft entra (formerly azure active directory) setup steps access https //portal azure com/ and choose azure active directory add an enterprise application create your own application, input name , and select non gallery option opt for single sign on > saml edit basic saml configuration set identifier as https //auth licensespring com/realms/platform existing configs with legacy prefixed (do not use for new configs) urn\ amazon\ cognito\ sp { user pool id } configure reply url as https //auth licensespring com/realms/platform/broker/{company code}/endpoint existing configs with legacy prefixed (do not use for new configs) https //{ domain name } auth { region } amazoncognito com/saml2/idpresponse save and close the settings download federation metadata xml go back to add sso provider form in the licensespring vendor platform and finish the setup instrucitons to allow sp initiated login on the licensespring sso integration (enterprise application) > properties > set "visible to users?" to no create a new enterprise application, input name , and select non gallery option under single sign on select linked set the sign on url to https //auth licensespring com/realms/platform/protocol/openid connect/auth?client id=platform\&redirect uri=https%3a%2f%2fsaas licensespring com\&response type=code\&scope=openid\&kc idp hint={comapny code} error a common azure db provider sso error is shown in the screenshot below azure db common error to resolve this error, follow these steps in the https //aad portal azure com/#blade/microsoft aad iam/startboardapplicationsmenublade/allapps/menuid/allapps , select your app and then search for and select the application to which you want to assign the user account in the left pane select users and groups and then select add user/group assign users/groups select add user/group 3\ on the add assignment pane, select none selected under users and groups 4\ search for and select the user that you want to assign to the application, select select 5\ on the add assignment, select assign at the bottom of the pane 6\ when all steps are completed, user can normally sign in to account using sso final step to assign user to application auth0 create an auth0 application access the auth0 website dashboard click on applications, then select create application in the create application dialog box, provide a name for your application (e g , my app) choose single page web applications as the application type click the create button create a test user navigate to the left navigation bar and select user management click on users choose + create your first user alternatively, if this is not your initial user, select + create user within the create user dialog box, input the user's email and password click the save button configure saml settings access the left navigation bar and click on applications select the name of the application you previously created go to the addons tab activate the saml2 web app option within the addon saml2 web app dialog box, navigate to the settings tab for the application callback url, input https //auth licensespring com/realms/platform/broker/{company code}/endpoint https //auth licensespring com/realms/platform/broker/{company code}/endpoint please substitute company code with the appropriate value from platform for your company code, under platform settings existing configs with legacy prefixed (do not use for new configs) https // domain name auth region amazoncognito com/saml2/idpresponse under settings, input the following { "mappings" { "user id" "http //schemas xmlsoap org/ws/2005/05/identity/claims/nameidentifier", "email" "http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress", "given name" "http //schemas xmlsoap org/ws/2005/05/identity/claims/givenname", "family name" "http //schemas xmlsoap org/ws/2005/05/identity/claims/surname" }, "nameidentifierformat" "urn\ oasis\ names\ tc\ saml 1 1\ nameid format\ emailaddress", "nameidentifierprobes" \[ "http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress" ] } replace user pool id with the value from your sso settings existing configs with legacy prefixed (do not use for new configs) { "audience" "urn\ amazon\ cognito\ sp user pool id ", "mappings" { "email" "http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress" }, "nameidentifierformat" "urn\ oasis\ names\ tc\ saml 2 0\ nameid format\ persistent" } (optional) choose debug, then log in as the test user you created to confirm that the configuration works choose enable, and then choose save get the idp metadata in the addon saml2 web app dialog box, on the usage tab, find identity provider metadata then do either of the following choose download to download the xml metadata file go back to add sso provider form in the licensespring vendor platform and finish the setup okta create a saml app open the okta developer console in the navigation menu, expand applications, and then choose applications choose create app integration in the create a new app integration menu, choose saml 2 0 as the sign in method choose next configure saml integration on the create saml integration page, under general settings, enter a name for your app choose next under general, for single sign on url, enter https //auth licensespring com/realms/platform/broker/{company code}/endpoint https //auth licensespring com/realms/platform/broker/{company code}/endpoint existing configs with legacy prefixed (do not use for new configs) https //{domain name} auth {region} amazoncognito com/saml2/idpresponse for audience uri (sp entity id), enter https //auth licensespring com/realms/platform/broker/{company code}/endpoint existing configs with legacy prefixed (do not use for new configs) urn\ amazon\ cognito\ sp {user pool id} under attribute statements (optional), add a statement with the following information for name, enter the saml attribute name http //schemas xmlsoap org/ws/2005/05/identity/claims/emailaddress for value, enter user email for all other settings on the page, leave them as their default values or set them according to your preferences choose next choose a feedback response for okta support choose finish assign a user on the assignments tab for your okta app, for assign, choose assign to people choose assign next to the user that you want to assign note if this is a new account, the only option available is to choose yourself (the admin) as the user (optional) for user name, enter a user name, or leave it as the user's email address, if you want choose save and go back your user is assigned choose done get the idp metadata on the sign on tab for your okta app, find the identity provider metadata hyperlink right click the hyperlink, and then copy the url if not found then click view saml setup instructions and save the value from provide the following idp metadata to your sp provider into an xml file go back to add sso provider form in the licensespring vendor platform and finish the setup sp initiated login in order to use the okta dashboard to access licensespring apps directly some changes are needed to the standard setup mentioned below under general, for single sign on url, use https //auth licensespring com/realms/platform/broker/{company code}/endpoint/clients/platform saml uncheck "use this for recipient url and destination url for recipient url, use https //auth licensespring com/realms/platform/broker/{company code}/endpoint for destination url use https //auth licensespring com/realms/platform/broker/{company code}/endpoint/clients/platform saml for audience uri (sp entity id), use https //auth licensespring com/realms/platform/broker/{company code}/endpoint/clients/platform saml openid connect (oidc) integration licensespring platform supports single sign on (sso) via openid connect (oidc) customers may integrate any identity provider that supports the standard authorization code flow, including azure active directory (entra id) okta auth0 google identity this feature allows organizations to authenticate their users using their own identity system, while licensespring handles user provisioning and access control oidc redirect uri every oidc provider must be configured to redirect authentication responses to the following url https //auth licensespring com/realms/platform/broker/{company code}/endpoint replace {company code} with the company code assigned to your organization in licensespring this redirect uri must match exactly in your identity provider configuration google identity (oidc) steps for google go to https //console cloud google com apis & services → credentials create credentials → oauth client id application type web application authorized javascript origins https //auth licensespring com/ add authorized redirect uri https //auth licensespring com/realms/platform/broker/{company code}/endpoint create copy client id client secret ensure oauth consent screen is configured and published metadata url https //accounts google com/ well known/openid configuration origins and redirect uris microsoft azure ad (entra id) steps in azure sign in to azure portal https //portal azure com go to microsoft entra id → app registrations → new registration important note we create app registrations , not enterprise application enter a name (e g , licensespring oidc) supported account types accounts in this organizational directory only add redirect uri (web) https //auth licensespring com/realms/platform/broker/{company code}/endpoint click register copy application (client) id copy directory (tenant) id go to certificates & secrets → new client secret copy generated client secret value go to authentication , confirm redirect uri is present (optional) assign users/groups to the application metadata url https //login microsoftonline com/{tenant id}/v2 0/ well known/openid configuration azure will autofill authorization url token url jwks issuer okta (oidc) steps in okta log in to okta admin go to applications → create app integration sign in method oidc application type web application add sign in redirect uri https //auth licensespring com/realms/platform/broker/{company code}/endpoint sign out redirect uri optional assign application to users/groups copy okta domain client id client secret metadata url https //{okta domain}/oauth2/default/ well known/openid configuration domain example https //dev 12345678 okta com auth0 (oidc) steps in auth0 log in https //manage auth0 com go to applications → applications → create application choose regular web application go to settings add to allowed callback urls https //auth licensespring com/realms/platform/broker/{company code}/endpoint add same value to allowed logout urls (optional) copy domain client id client secret save changes metadata url https //{tenant} auth0 com/ well known/openid configuration example of tenant https //dev 123abc45 auth0 com add callback url https //auth licensespring com/realms/platform/broker/{company code}/endpoint required oidc information all required metadata is in well known openid configuration which you can import, or you can fill it manually configuration steps on platform navigate to platform → settings → single sign on click add sso provider select openid connect (oidc) enter the required fields (client id, client secret, import well known configuration or rarely do it manual) enable (recommended) ✓ create new platform user if it does not exist save the configuration use the sso login on your next signin login using single sign on once you have succesfully added your on identity provider to the licensespring vendor platform sso settings, you can continue logging in to the platform return to the licensespring login page and locate and click on change login method , then sso a prompt will ask for the company code here, enter your company code extracted in the previous steps sso login if you have added the provider correctly and there were not errors during configuration step, you should be logged in to your company account if you require assistance or have custom sso requirements, please contact https //licensespring zendesk com/agent/