User portal SSO
LicenseSpring supports two main end-user authentication scenarios:
1. User Portal SSO
The User Portal is a hosted interface provided by LicenseSpring where end users can:
- View and manage their licenses
- Access self-service tools (e.g., license transfers, device resets)
With SSO enabled, users can sign in to this portal using their organization’s identity provider, without needing separate LicenseSpring credentials.
2. License Activation via SSO
When SSO is enabled for license activation, end users authenticate with your IdP before activating a license. This ensures licenses are securely tied to verified user identities, and that only authorized users can activate or use your software.
This method is supported via the LicenseSpring SDKs and API, and is particularly useful for:
- Subscription-based licensing models
- User-based licensing
- Restricting license access to organizational members
The next section explains how to access and configure SSO settings for these scenarios within the LicenseSpring Vendor Platform.
Please note that license user SSO (Single Sign-On) is only available on the Enterprise plan. It allows the Single Sign-On method to be used for license activation.
LicenseSpring supports end-user Single Sign-On (SSO) through Customer Accounts, allowing software vendors to authenticate users within the context of a specific customer organization.
Each Customer Account can be linked to its own identity provider (IdP), enabling tailored SSO configurations for different enterprise clients. By associating SSO with Customer Accounts, LicenseSpring ensures that license access and portal authentication are securely scoped to the correct organization.
Follow the steps below to access the SSO configuration view:
- Log in to the Vendor Platform
- Navigate to Customer Accounts
- On your sidebar menu select Customers and then Customer accounts
- Here, you can either select an existing customer account from the list or create a new one using the Add new account button.
- Select the “Single Sign On” Tab
- After you have created or selected an existing customer account, visit its Single Sign On settings tab.
- In this section, you have the option to activate SSO and gather any necessary data to ensure its seamless setup and operation.
- Click “Add Provider”
- To begin the integration process, click on the “Add Provider” button.
- You will be prompted to enter details based on your IdP’s protocol (SAML or OIDC).

Depending on your selected identity provider, you will have to submit the following information:
- Name and .xml provider metadata file for SAML providers.
- Name, Client ID and Client secret for Google identity provider.
- Service ID, Key ID, Team ID and .p8 key file for Apple identity provider.
You can use only one provider at a time. If you wish to switch to another, first delete the old one, then follow our setup guide to add the new provider.

LicenseSpring automatically links accounts if the email in our system matches the email from the IdP. If no match is found, the user is presented with a login prompt to link their existing LicenseSpring account.
The settings toggle Require email verification on first SSO login can be enabled to require email verification before linking an account.
If the Account Linking and Verification toggle is ON, then when you create a user, they must verify their email before they can log in. If the toggle is OFF, email verification is not required for the user to log in. For platform users, email verification is always required due to account sensitivity.
Instructions on how to register your application to acquire the required information are described below.
When configuring SSO for license activation, the redirect_uri should be a local endpoint within your application that is capable of receiving and processing the authentication response from your identity provider. This URI must be registered with the IdP and securely handle the token or authorization code required to complete the sign-in and license activation flow.
redirect_uri is only relevant for applications that use the SDK and allow licensed users to use SSO instead of email/password for authentication. Otherwise, everything else redirects back to the user portal.
You will need your company code to successfully register your application in your identity provider dashboard. To find your company code, follow these steps:
- Inside the LicenseSpring vendor platform, navigate to Settings > Preferences.
- Note the Company code field. In this example, the company code is DSE2.

You will also need the customer account code to successfully register your application in your identity provider dashboard. To find the correct customer account code, follow these steps:
- Inside the LicenseSpring vendor platform, navigate to the Customer Account page for which you want to set up SSO.
- Note the code field. In this example, the customer account code is test678.

Before setting up a social IdP, it's necessary to register your application with the respective IdP to acquire a client ID and client secret.
- Create a New Project:
- Click on the project dropdown at the top left.
- Select "New Project".
- Name your project (e.g., Google) and click "Create".
- Set Up OAuth Consent Screen:
- Navigate to the "OAuth consent screen" tab.
- Select "External" and click "Create".
- Fill in the required fields such as "Application name" and "User support email".
- Configure Scopes: Include Scopes like:
- .../auth/userinfo.email,
- .../auth/userinfo.profile,
- openid
- Continue to Test users settings and save.
- Add test users inside the application.
- Create OAuth 2.0 Credentials:
- Go to the "Credentials" tab.
- Click "Create Credentials" and select "OAuth 2.0 Client ID".
- Select "Web application".
- Provide a name for the OAuth client (e.g., MyClient)
- Add <domain> for our platform to Authorized JavaScript origins
- You can also add a second origin here, but it is not required for SSO to work.
- In the "Authorized redirect URIs" section, add the redirect URL:
- https://<domain>/realms/<realm>/broker/{COMPANY_CODE}-{CUSTOMER_ACCOUNT_CODE}/endpoint
- Click "Create".
- Save Your Credentials:
- Once created, you will be provided with a Client ID and Client Secret.
- Copy and save these credentials. You will need them to configure your application to use Google SSO inside the platform.
- Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
- Create an Apple Developer Account:
- If you don't have an Apple Developer account, you will need to create one and enroll in the Apple Developer Program.
- Create a New App ID:
- Under Identifiers, click the "+" button to create a new App ID.
- Choose "App IDs" and click "Continue".
- Enter a description and a bundle ID (e.g., keycloak)
- Under "Capabilities", enable "Sign in with Apple".
- Click "Continue" and then "Register".
- Enable as a primary App ID on configuration of Sign in with Apple.
- Create a Service ID:
- Still under "Identifiers", click the "+" button to create a new Service ID.
- Select "Service IDs" and click "Continue".
- Enter a description and an identifier (e.g., keycloak-service)
- Click "Continue" and then "Register".
- After creating the Service ID, click on it to edit it.
- Enable "Sign in with Apple" and configure the Return URLs to: https://auth.licensespring.com/realms/user-portal/broker/{COMPANY_CODE}-{CUSTOMER_ACCOUNT_CODE}/endpoint
- Also add the Domains and Subdomains for our platform (without http:// or https://).
- Add the primary App ID created earlier as the Primary App ID.
- Click "Save".
- Create a Key for Apple Sign-In:
- Navigate to "Keys" and click the "+" button to create a new key.
- Enable "Sign in with Apple" and click "Configure".
- Select the Primary App ID and click "Save".
- Click "Continue" and then "Register".
- Download the key file (it will have a .p8 extension) and save it securely. You will not be able to download it again.
- Get Your Team ID and Key ID
- Note down your Team ID from your Apple Developer account.
- Note down the Key ID from the key details.
- Note down the service identifier mentioned in step 4: keycloak-service
- Have your key file ready to upload to the platform.
- Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
When you create a new App ID, it may take up to a few hours for the changes to apply.
- Add an enterprise application.
- Create your own application, input name, and select non-gallery option.
- Opt for single sign-on > SAML.
- Set up single sign on
- Edit Basic SAML Configuration:
- Reply URL (Assertion Consumer Service URL): https://auth.licensespring.com/realms/user-portal/broker/{COMPANY_CODE}-{CUSTOMER_ACCOUNT_CODE}/endpoint
- Save and close the settings.
- Under Attributes & Claims, set Unique User Identifier (Name ID) to user.mail if it is not already selected.
- We are using the email as the NameID. If the UserPrincipalName (UPN) is not the user’s primary email in the platform, it should be updated accordingly. This is important as some users may have multiple email aliases, which could result in pulling the incorrect email.
- Download Federation Metadata XML.
- Provide us with your provider's name and the downloaded metadata in .xml format.
- Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
Error: A common Azure AD provider SSO error is shown in the screenshot below:

To resolve this error, follow these steps:
1. In the Azure Active Directory Admin Center, select your app and then search for and select the application to which you want to assign the user account.
2. In the left pane, select Users and Groups and then select Add User/Group.
3. On the Add Assignment pane, select None Selected under Users and Groups.
4. Search for and select the user that you want to assign to the application, then select Select.
5. On the Add Assignment pane, select Assign at the bottom of the pane.
6. When all steps are completed, the user can sign in to the account normally using SSO.

For SAML we use the Name ID format emailaddress.
Upload the downloaded .xml file by choosing SAML for Auth0 and confirm to add it.
Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
- Click on Applications, then select Create Application.
- In the Create Application dialog box, provide a name for your application (e.g., My App).
- Choose Single Page Web Applications as the application type.
- Click the Create button.
Create Test user
- Navigate to the left navigation bar and select User Management.
- Click on Users.
- Choose + Create Your First User. Alternatively, if this is not your initial user, select + Create User.
- Within the Create user dialog box, input the user's email and password.
- Click the Save button.
Configure SAML Settings
- Access the left navigation bar and click on Applications.
- Select the name of the application you previously created.
- Go to the Addons tab.
- Activate the SAML2 Web App option.
- Within the Addon: SAML2 Web App dialog box, navigate to the Settings tab.
- For the Application Callback URL, input:
- https://<domain>/realms/<realm>/broker/{COMPANY_CODE}-{CUSTOMER_ACCOUNT_CODE}/endpoint
- Substitute {COMPANY_CODE} and {CUSTOMER_ACCOUNT_CODE} with the company_code and customer_account_code values from the platform's Single Sign-On (SSO) settings.
- Under Settings, input the following and leave it empty: {}
- For minimal Settings to configure email as the NameID, you can use the following configuration:
- { "mappings": { "email": "Email" }, "nameIdentifierProbes": [ "Email" ] }
- [Optional] Choose Debug, then log in as the test user you created to confirm that the configuration works.
- Choose Enable, and then choose Save.
- In the Addon: SAML2 Web App dialog box, on the Usage tab, find Identity Provider Metadata. Then do either of the following:
- Choose download to download the .xml metadata file.
- Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
- In the navigation menu, expand Applications, and then choose Applications.
- Choose Create App Integration.
- In the Create a new app integration menu, choose SAML 2.0 as the Sign-in method.
- Choose Next.
- On the Create SAML Integration page, under General Settings, enter a name for your app.
- Choose Next.
Configure SAML Integration
- Under GENERAL, for Single sign on URL:
- For Audience URI (SP Entity ID), enter:
- For SAML Settings, choose the NameID format EmailAddress if it is not already selected. It is located on the General tab under the application.
- For all other settings on the page, leave them as their default values or set them according to your preferences.
- Choose Next.
- Choose a feedback response for Okta Support.
- Choose Finish.

Assign a User
- On the Assignments tab for your Okta app, for Assign, choose Assign to People.
- Choose Assign next to the user that you want to assign. Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.
- (Optional) For User Name, enter a user name, or leave it as the user's email address, if you want.
- Choose Save and Go Back. Your user is assigned.
- Choose Done.
Get the IdP Metadata
- On the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink.
- Right-click the hyperlink, and then copy the URL.
- If not found then click View SAML setup instructions and save the value from Provide the following IDP metadata to your SP provider into an .xml file.
For SAML we use the Name ID format emailaddress.
Upload the downloaded .xml file by choosing SAML for Auth0 and confirm to add it.
Go back to Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.
Once you have successfully added your identity provider to the customer account SSO settings, every license user and license manager assigned to this customer account can continue logging in to the user portal.
User portal URL: https://users.licensespring.com
The SSO login process is the same as for the vendor platform SSO. On the login screen, click the Change Login Method button and select Single Sign-on (SSO).
A prompt will ask for the customer account code and company code. Enter the codes you found in the previous steps.

For Enterprise accounts, we host the user portal on a company code subdomain. This subdomain provides a streamlined experience by removing the requirement for users to manually input their company code during the login process to our user portal.
If you are an Enterprise user, you can access it via: https://{company_code}.users.licensespring.com
By navigating to the custom subdomain (e.g., https://company_code.users.licensespring.com), users are automatically linked to their respective customer accounts, and they do not need to input customer code - thus simplifying the SSO login flow and enhancing user convenience.

If you plan to use the License API directly to authenticate users using Single Sign-on instead of username/password, follow the steps below.
The /api/v4/sso_url endpoint will return the URL where your hosted login UI will be served. To create the correct URL you need to use customer_account_code of the customer account for which the user pool and providers have been created and the product_short_code of the product defined in LicenseSpring.
Details for this endpoint are written in the Single Sign-On URL page. Use the URL from the response to open the hosted UI through which your users can login.
After a successful login on the hosted UI, users will be redirected to the URL from the redirect_uri field. Attached to this URL are several query parameters; the most important is id_token, or code if you are using the authorization code grant, which is described in more detail on the Single Sign-On URL page.
Along with the customer_account_code, this field needs to be sent to the Activate License (Online Method) endpoint. The license user needs to be assigned to the license being activated before that.
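The redirect_uri handling described above, as an added example (not LicenseSpring SDK or API code): a loopback-only listener that accepts one redirect, extracts id_token or code from the query string, and pairs it with customer_account_code for the activation request. The path /sso/callback and the function names are assumptions of this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/sso/callback"  # assumption: the path registered as redirect_uri


def parse_sso_callback(target, customer_account_code):
    """Extract id_token or code from the redirect; raise ValueError otherwise."""
    parts = urlsplit(target)
    if parts.path != CALLBACK_PATH:
        raise ValueError("unexpected callback path")
    query = parse_qs(parts.query)  # blank values are dropped by default
    for name in ("id_token", "code"):
        values = query.get(name, [])
        if len(values) > 1:
            raise ValueError("duplicate %s parameter" % name)
        if values:
            # Only these two fields go on to the Activate License request.
            return {"customer_account_code": customer_account_code, name: values[0]}
    raise ValueError("callback carried neither id_token nor code")


def make_listener(customer_account_code, port=0, timeout=120):
    """Loopback-only receiver for the redirect_uri; handle one request with it."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["fields"] = parse_sso_callback(self.path, customer_account_code)
                status, body = 200, b"Sign-in complete. You can close this window."
            except ValueError as exc:
                result["error"] = str(exc)
                status, body = 400, b"Sign-in failed."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the query string (token or code) out of logs

    server = HTTPServer(("127.0.0.1", port), Handler)  # never bind 0.0.0.0
    server.timeout = timeout  # give up if the user abandons the login
    return server, result
```

Call `server.handle_request()` once after opening the hosted login UI, then read `result`. In practice pass a fixed `port` so the listener matches the redirect_uri registered with the IdP; `port=0` picks a free port and suits tests only.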
Our SDKs support SSO license activation natively. Check more details here.
If you require assistance or have custom SSO requirements, please contact LicenseSpring Support.