Common Scenarios
Single Sign On (SSO)

User portal SSO

LicenseSpring supports two main end-user authentication scenarios:

1. User portal SSO
   The user portal is a hosted interface provided by LicenseSpring where end users can view and manage their licenses and access self-service tools (e.g., license transfers, device resets). With SSO enabled, users sign in to this portal with their organization's identity provider (IdP), without needing separate LicenseSpring credentials.

2. License activation via SSO
   When SSO is enabled for license activation, end users authenticate with your IdP before activating a license. This ties licenses to verified user identities and ensures that only authorized users can activate or use your software. This method is supported via the LicenseSpring SDKs and API and is particularly useful for subscription-based licensing models, user-based licensing, and restricting license access to members of an organization.

The next section explains how to access and configure SSO settings for these scenarios within the LicenseSpring vendor platform.

Please note that license user SSO (Single Sign On) is only available on the Enterprise plan. It allows using the single sign-on method for license activation.

Setup Single Sign On

LicenseSpring supports end-user single sign-on (SSO) through customer accounts, allowing software vendors to authenticate users within the context of a specific customer organization. Each customer account can be linked to its own identity provider (IdP), enabling tailored SSO configurations for different enterprise clients. By associating SSO with customer accounts, LicenseSpring ensures that license access and portal authentication are scoped to the correct organization.

Follow the steps below to access the SSO configuration view.

Log in to the vendor platform
Go to https://saas.licensespring.com and sign in with your admin credentials.

Navigate to customer accounts
On the sidebar menu, select Customers and then Customer Accounts. Here you can either select an existing customer account from the list or create a new one using the Add New Account button.

Select the "Single Sign On" tab
After you have created or selected a customer account, open its Single Sign On settings tab. In this section you can activate SSO and gather the data needed for its setup and operation.

Click "Add Provider"
To begin the integration, click the Add Provider button. You will be prompted to enter details based on your IdP's protocol (SAML or OIDC). Depending on the selected identity provider, you will have to submit the following information:

- Name and XML provider metadata file for SAML providers
- Name, Client ID and Client Secret for the Google identity provider
- Service ID, Key ID, Team ID and .p8 key file for the Apple identity provider

Only one provider can be configured at a time. To switch to another provider, delete the old one first, then follow the setup guide below for the new provider.

Account linking and verification

LicenseSpring automatically links accounts if the email in our system matches the email from the IdP. If no match is found, the user is presented with a login prompt to link their existing LicenseSpring account. The toggle Require email verification on first SSO login can be enabled to require email verification before an account is linked.

If the account linking and verification toggle is on, a user you create must verify their email before they can log in. If the toggle is off, email verification is not required for the user to log in. For platform users, email verification is always required due to account sensitivity.

Because linking is keyed on the email address, the IdP must release the user's primary email (see the NameID notes in the SAML sections below); enabling the verification toggle also prevents an address asserted by the IdP from being linked to an existing account before the user has proven control of it.

Instructions on how to register your application and acquire the required information are given below.

Redirect URI

When configuring SSO for license activation, the redirect URI should be a local endpoint within your application that can receive and process the authentication response from your identity provider. This URI must be registered with the IdP and must securely handle
the token or authorization code required to complete the sign-in and license activation flow. The redirect URI is only relevant for applications that use the SDK and let licensed users authenticate with SSO instead of email/password; everything else redirects back to the user portal.

Extracting the company code

You will need the company code to successfully register your application in your identity provider's dashboard. To find your company code, inside the LicenseSpring vendor platform navigate to Settings > Preferences and look at the Company Code field. In this case the company code is dse2.

Extracting the customer account code

You will also need the customer account code to successfully register your application in your identity provider's dashboard. To find the correct customer account code, inside the LicenseSpring vendor platform navigate to the customer account page for which you want to set up SSO and look at the Code field. In this case the customer account code is test678.

Integrating social identity providers

Before setting up a social IdP, you must register your application with the respective IdP to acquire a Client ID and Client Secret.

Google

1. Create a developer account with Google, if you haven't already.
2. Access the OAuth consent screen page.
3. Create a new project: click on the project dropdown at the top left, select "New Project", name your project (e.g., Google) and click "Create".
4. Set up the OAuth consent screen: navigate to the "OAuth consent screen" tab, select "External" and click "Create", then fill in the required fields such as "Application name" and "User support email".
5. Configure scopes: include the scopes /auth/userinfo.email, /auth/userinfo.profile and openid, continue to the test users settings and save.
6. Add test users inside the application.
7. Create OAuth 2.0 credentials: go to the "Credentials" tab, click "Create Credentials" and select "OAuth 2.0 Client ID". Select "Web application" and provide a name for the OAuth client (e.g., MyClient).
8. Add our platform's domain to Authorized JavaScript origins, e.g. https://auth.licensespring.com. You can also add a second one, https://users.licensespring.com, but it is not required.
9. In the "Authorized redirect URIs" section, add the redirect URL https://<domain>/realms/<realm>/broker/{company code}.{customer account code}/endpoint, e.g. https://auth.licensespring.com/realms/user-portal/broker/tbc.ssoacc/endpoint.
10. Click "Create" and save your credentials. Once created, you will be provided with a Client ID and Client Secret. Copy and save them; you will need them to configure Google SSO inside the platform.
11. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

Apple

1. Go to the Apple Developer console.
2. Create an Apple developer account, if you don't have one, and enroll in the Apple Developer Program.
3. Create a new App ID: navigate to "Certificates, Identifiers & Profiles", under Identifiers click the "+" button, choose "App IDs" and click "Continue". Enter a description and a Bundle ID (e.g., keycloak), enable "Sign In with Apple" under "Capabilities", click "Continue" and then "Register". Enable it as a primary App ID in the Sign In with Apple configuration.
4. Create a Service ID: still under "Identifiers", click the "+" button, select "Service IDs" and click "Continue". Enter a description and an identifier (e.g., keycloak.service), click "Continue" and then "Register". After creating the Service ID, click on it to edit it, enable "Sign In with Apple" and configure the Return URLs to https://auth.licensespring.com/realms/user-portal/broker/{company code}.{customer account code}/endpoint, e.g. https://auth.licensespring.com/realms/user-portal/broker/tbc.tas/endpoint, and add our platform's domain (without http:// or https://), auth.licensespring.com, under Domains and Subdomains. Add the primary App
ID created earlier as the primary App ID and click "Save".
5. Create a key for Apple Sign In: navigate to "Keys" and click the "+" button to create a new key. Enable "Sign In with Apple" and click "Configure", select the primary App ID and click "Save", then click "Continue" and "Register". Download the key file (it has a .p8 extension) and store it securely; you will not be able to download it again.
6. Get your Team ID and Key ID: note down your Team ID from your Apple developer account, the Key ID from the key details, and the Service identifier from step 4 (keycloak.service). Have your key file ready to upload to the platform.
7. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

When you create a new App ID, it may take up to a few hours for the changes to apply.

Incorporating SAML identity providers

Azure Active Directory

1. Access the Azure portal and choose Enterprise applications.
2. Add an enterprise application: create your own application, input a name, and select the non-gallery option.
3. Opt for Single sign-on > SAML.
4. Set up single sign-on: edit Basic SAML Configuration.
   Identifier (Entity ID): https://auth.licensespring.com/realms/user-portal
   Reply URL (Assertion Consumer Service URL): https://auth.licensespring.com/realms/user-portal/broker/{company code}.{customer account code}/endpoint, e.g. https://auth.licensespring.com/realms/user-portal/broker/tbc.tas/endpoint
   Save and close the settings.
5. Under Attributes & Claims, set (if not already selected) Unique User Identifier (Name ID) to user.mail. We use the email as the NameID. If the userPrincipalName (UPN) is not the user's primary email in the platform, it should be updated accordingly. This is important because some users have multiple email aliases, which could result in the wrong email being sent and the user being linked to the wrong account.
6. Download the Federation Metadata XML.
7. Provide your provider's name and the downloaded metadata in XML format: go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

Error

A common Azure AD SSO error (shown in the screenshot on the original page) occurs when the user has not been assigned to the enterprise application. To resolve it, follow these steps:

1. In the Azure Active Directory admin center, select your app and then search for and select the application to which you want to assign the user account.
2. In the left pane, select Users and groups and then select Add user/group.
3. On the Add Assignment pane, select None Selected under Users and groups.
4. Search for and select the user that you want to assign to the application, then select Select.
5. On Add Assignment, select Assign at the bottom of the pane.
6. When all steps are completed, the user can sign in normally using SSO.

For SAML we use the NameID format emailAddress. Upload the downloaded XML file by choosing SAML as the provider type and confirm to add it. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

Auth0

1. Access the Auth0 dashboard.
2. Click on Applications, then select Create Application. In the Create Application dialog box, provide a name for your application (e.g., My App), choose Single Page Web Applications as the application type and click the Create button.
3. Create a test user: in the left navigation bar select User Management, click on Users and choose + Create Your First User (or, if this is not your initial user, + Create User). In the Create User dialog box, input the user's email and password and click Save.
4. Configure SAML settings: in the left navigation bar click on Applications and select the name of the application you previously created. Go to the Addons tab and activate the SAML2 Web App option. In the Addon: SAML2 Web App dialog box, navigate to the Settings tab. For Application Callback URL, input https://<domain>/realms/<realm>/broker/{company code}.{customer account code}/endpoint. Substitute company code and customer account code with the values shown on the platform for your company code and customer account code (see the Single Sign On
(SSO) settings of the customer account).
   Under Settings, input the following. For minimal settings leave it empty:

       {}

   To configure email as the NameID, you can use the following configuration:

       {
         "mappings": {
           "email": "email"
         },
         "nameIdentifierProbes": [
           "email"
         ]
       }

5. [Optional] Choose Debug, then log in as the test user you created to confirm that the configuration works.
6. Choose Enable, and then choose Save.
7. In the Addon: SAML2 Web App dialog box, on the Usage tab, find Identity Provider Metadata and choose Download to download the XML metadata file.
8. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

Okta

1. Open the Okta developer console. In the navigation menu, expand Applications, and then choose Applications.
2. Choose Create App Integration. In the Create a new app integration menu, choose SAML 2.0 as the sign-in method and choose Next.
3. On the Create SAML Integration page, under General Settings, enter a name for your app and choose Next.
4. Configure SAML integration: under General, for Single sign on URL enter https://auth.licensespring.com/realms/user-portal/broker/{company code}.{customer account code}/endpoint, e.g. https://auth.licensespring.com/realms/user-portal/broker/tbc.tas/endpoint. For Audience URI (SP Entity ID), enter the same URL. For SAML Settings, choose (if not selected) Name ID format EmailAddress; it is located on the General tab of the application. For all other settings on the page, leave the defaults or set them according to your preferences. Choose Next.
5. Choose a feedback response for Okta support and choose Finish.
6. Assign a user: on the Assignments tab for your Okta app, for Assign, choose Assign to People. Choose Assign next to the user that you want to assign. Note: if this is a new account, the only option available is to choose yourself (the admin) as the user. (Optional) For User Name, enter a user name, or leave it as the user's email address. Choose Save and Go Back; your user is assigned. Choose Done.
7. Get the IdP metadata: on the Sign On tab for your Okta app, find the Identity Provider metadata hyperlink. Right-click the hyperlink and copy the URL. If it is not found, click View SAML setup instructions and save the value from "Provide the following IDP metadata to your SP provider" into an XML file.
8. For SAML we use the NameID format emailAddress. Upload the downloaded XML file by choosing SAML as the provider type and confirm to add it. Go back to the Add SSO Provider form in the LicenseSpring vendor platform and finish the setup.

Logging in to the user portal using SSO

Once you have successfully added your identity provider to the customer account SSO settings, every license user and license manager assigned to this customer account can log in to the user portal.

User portal URL: https://users.licensespring.com

The SSO login process is the same as for the vendor platform SSO. On the login screen, click the Change login method button and select Single Sign On (SSO). A prompt will ask for the customer account code and company code; enter the codes you extracted in the previous steps.

Screenshot: SSO login without subdomain.

User portal subdomains for enterprise accounts

For enterprise accounts we host the user portal on a company-code subdomain. This subdomain removes the requirement for users to manually input their company code during login. If you are an enterprise user, you can access it via https://{company code}.users.licensespring.com. By navigating to the custom subdomain (e.g., https://company-code.users.licensespring.com), users are automatically linked to their respective customer accounts and do not need to input the code manually, which simplifies the SSO login flow.
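The SAML sections above (Azure AD, Auth0, Okta) all end with downloading the IdP's metadata XML and uploading it in the Add SSO Provider form. The following is an added example, not LicenseSpring code, that sanity-checks such a file before upload: it confirms the file is IdP (not SP) metadata, that the SingleSignOnService endpoint uses HTTPS, that a signing certificate is present (without one the assertions cannot be verified), and that the emailAddress NameID format the platform expects is advertised. The sample metadata it runs against is constructed inline; its entity ID, URLs and certificate bytes are placeholders.

```python
"""Added example (not LicenseSpring's own code): sanity-check an IdP's SAML
metadata XML before uploading it in the Add SSO Provider form.
Standard library only; the sample metadata is constructed inline."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)
# Constructed placeholder: starts with a DER SEQUENCE byte, but is not a real cert.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 16).decode()


def sample_metadata(location="https://idp.example.com/sso", cert=SAMPLE_CERT,
                    nameid=EMAIL_NAMEID):
    """Constructed IdP metadata in the shape Azure AD, Okta and Auth0 export."""
    key = (f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
           f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
           f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>') if cert else ""
    nid = f"<md:NameIDFormat>{nameid}</md:NameIDFormat>" if nameid else ""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.com/entity">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{key}{nid}'
            f'<md:SingleSignOnService Binding="{SSO_BINDINGS[0]}" Location="{location}"/>'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')


def check_idp_metadata(xml_text: str) -> dict:
    """Summarise the metadata and list problems to fix before uploading."""
    problems, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append("root is not md:EntityDescriptor (wrong file?)")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
        return {"entity_id": entity_id, "problems": problems, "warnings": warnings}

    # Where the platform will send AuthnRequests: must exist and must be HTTPS.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not any(b in sso for b in SSO_BINDINGS):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            problems.append(f"SingleSignOnService {binding} is not https: {location}")

    # Without a signing certificate the SP cannot verify the IdP's assertions.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((c.text or "").split()), validate=True)
            except ValueError:
                der = b""
            if not der or der[0] != 0x30:
                problems.append("signing certificate is not base64-encoded DER")
            else:
                certs.append(der)
    if not certs:
        problems.append("no signing certificate in metadata")

    # LicenseSpring links accounts by email and expects the emailAddress NameID.
    nameids = [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)]
    if nameids and EMAIL_NAMEID not in nameids:
        problems.append("IdP does not advertise the emailAddress NameID format")
    elif not nameids:
        warnings.append("no NameIDFormat listed; confirm emailAddress is set in the IdP")
    return {"entity_id": entity_id, "sso_urls": sso, "signing_certs": len(certs),
            "nameid_formats": nameids, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    import json
    print(json.dumps(check_idp_metadata(sample_metadata()), indent=2))
    print(check_idp_metadata(sample_metadata(location="http://idp.example.com/sso",
                                             cert="", nameid=None))["problems"])
```

Run it against the real file with `check_idp_metadata(open("metadata.xml").read())`. A missing NameIDFormat is only a warning because some IdPs do not list it in their export even when emailAddress is configured; an http:// SingleSignOnService or a missing signing certificate is a hard stop.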
License API authentication

If you plan to use the License API directly to authenticate users with single sign-on instead of username/password, follow these steps.

Get the single sign-on hosted UI URL
The /api/v4/sso_url endpoint returns the URL where your hosted login UI is served. To create the correct URL you need the customer account code of the customer account for which the user pool and providers have been created, and the product short code of the product defined in LicenseSpring. Details for this endpoint are on the Single Sign On URL page. Use the URL from the response to open the hosted UI through which your users can log in.

Extract the ID token or code from the redirect URL and activate the license
After a successful login on the hosted UI, users are redirected to the URL from the Redirect URI field attached to this page. The URL carries query parameters, the most important of which is the id_token (or the code, if you are using the authorization code grant described in more detail on the Single Sign On URL page). This value, along with the customer account code, must be sent to the Activate License (online method) endpoint. The license user must be assigned to the license being activated before that.

Our SDKs support SSO license activation natively; see the SDK documentation for details. If you require assistance or have custom SSO requirements, please contact LicenseSpring support.
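The Redirect URI section earlier on this page and the two License API steps just described are the application side of one flow. The following is an added example, not LicenseSpring's own code or SDK: it builds the /api/v4/sso_url request, runs a loopback listener on 127.0.0.1 as the registered redirect endpoint, validates a state value so a redirect can only complete the attempt that started it, extracts id_token or code, and assembles the activation payload. The API host, the sso_url query parameter names (including that the hosted UI echoes state), and the activate_license field names (product, hardware_id, customer_account_code, id_token, code) are assumptions; the demo function stands in for the browser so the whole thing runs offline.

```python
"""Added example (not LicenseSpring's own code or SDK): the application side of
SSO license activation through the License API.  Assumptions are marked."""
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.licensespring.com"  # assumed License API host


def new_state() -> str:
    """Unguessable per-attempt value that the redirect must echo back."""
    return secrets.token_urlsafe(32)


def sso_url_request(customer_account_code: str, product: str, state: str) -> str:
    """URL for the GET /api/v4/sso_url call.  The query parameter names, and
    that the hosted UI echoes `state` on the redirect, are assumptions."""
    query = urlencode({"customer_account_code": customer_account_code,
                       "product": product, "state": state})
    return f"{API_BASE}/api/v4/sso_url?{query}"


def parse_sso_redirect(redirect_url: str, expected_state: str) -> dict:
    """Pull id_token (or code) out of the URL the hosted UI redirected to.
    Looks at query and fragment, rejects IdP errors and a wrong state."""
    parsed = urlparse(redirect_url)
    params = {}
    for part in (parsed.query, parsed.fragment):
        params.update({k: v[0] for k, v in parse_qs(part).items()})
    if "error" in params:
        raise ValueError(f"IdP returned an error: {params['error']}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this attempt")
    for key in ("id_token", "code"):
        if key in params:
            return {key: params[key]}
    raise ValueError("redirect carried neither id_token nor code")


def activation_payload(product: str, hardware_id: str,
                       customer_account_code: str, sso: dict) -> dict:
    """Body for the Activate License (online) call.  Field names are assumptions."""
    if len(sso) != 1 or next(iter(sso)) not in ("id_token", "code"):
        raise ValueError("expected exactly one of id_token / code")
    return {"product": product, "hardware_id": hardware_id,
            "customer_account_code": customer_account_code, **sso}


def start_loopback_listener(path: str = "/callback", port: int = 0):
    """Bind the redirect endpoint on 127.0.0.1 only.  A real application
    registers a fixed port with the IdP (e.g. http://127.0.0.1:8765/callback);
    port=0 lets the OS pick one for the offline demo below."""
    captured = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if urlparse(self.path).path != path:  # ignore favicon etc.
                self.send_error(404)
                return
            captured["url"] = f"http://127.0.0.1:{server.server_address[1]}{self.path}"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Sign-in complete. You can close this window.")

        def log_message(self, *args):  # never log the code/token to stdout
            pass

    server = HTTPServer(("127.0.0.1", port), Handler)
    return server, captured


def wait_for_redirect(server, captured, expected_state: str) -> dict:
    """Serve until the callback arrives, close the listener, parse the result."""
    try:
        while "url" not in captured:
            server.handle_request()
    finally:
        server.server_close()
    return parse_sso_redirect(captured["url"], expected_state)


def demo_redirect_roundtrip(state: str, code: str = "constructed-code") -> dict:
    """Offline demonstration: a thread plays the browser following the redirect."""
    server, captured = start_loopback_listener()
    port = server.server_address[1]
    url = f"http://127.0.0.1:{port}/callback?{urlencode({'code': code, 'state': state})}"
    browser = threading.Thread(target=lambda: urllib.request.urlopen(url).read())
    browser.start()
    result = wait_for_redirect(server, captured, state)
    browser.join()
    return result


if __name__ == "__main__":
    state = new_state()
    print("open in browser:", sso_url_request("test678", "myproduct", state))
    sso = demo_redirect_roundtrip(state)  # real app: wait_for_redirect() after opening the URL
    print(activation_payload("myproduct", "HWID-1234", "test678", sso))
```

Two caveats for the real flow: a browser never sends the URL fragment to the server, so an id_token delivered in a fragment (implicit flow) would not reach a loopback listener; prefer the authorization-code response for SDK-style redirects. And the listener closes after the first matching callback, so a second, replayed redirect cannot complete a sign-in that already finished.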