What is Single Sign-On?
SSO is a session and user authentication service that lets an end user sign in once, with a single set of credentials, and then access many applications without logging in to each one separately.
SSO is useful for enterprises, smaller organizations and individuals alike, because it replaces a plethora of per-application usernames and passwords with one managed login.
How does it work?
SSO is a form of Federated Identity Management (FIM): the application (the service provider, here Sparkcentral) trusts an external identity provider to authenticate its users. Using such an arrangement is called identity federation.
OAuth stands for Open Authorization. It is a framework that lets a third-party application use details from the end user's account at a provider (Facebook, for example) without the user handing their login credentials to that third party.
OAuth acts as an intermediary on behalf of the end user: the provider issues a token that grants the third party access to the specific details the user has agreed to share. When the end user wishes to access the platform, the service provider sends them to the identity provider to authenticate.
The identity provider returns proof of that authentication, the service provider verifies it, and only then grants the user access.
The integrations described below use SAML 2.0 rather than OAuth, but the flow has the same shape: Sparkcentral redirects the browser to the identity provider (OneLogin, Azure AD, Google or Okta), which authenticates the user and returns a signed assertion that Sparkcentral verifies before letting the user in.
How to integrate SSO with Sparkcentral?
The following sections walk through the integration step by step for four identity providers:
- SSO with OneLogin
- SSO with Microsoft Azure Active Directory
- SSO with Google
- SSO with Okta
Other identity providers that support SAML 2.0 are configured in much the same way as these four.
OneLogin
Log in to OneLogin as an administrator. Open the Applications tab and click on ‘Add App’.
Search for SAML Test and select “SAML Test Connector (Advanced)”.
Enter a name, logo and description and click on Save.
Now open the Sparkcentral Single Sign-On settings and copy the values into the configuration section in OneLogin as follows:
Select “Service Provider” as the SAML initiator and “AES-256-CBC” as the SAML encryption method.
Open the parameters section and add a custom parameter.
Copy the Email Address Claim Name from Sparkcentral into the Field name.
Select Email as the value and make sure “Include in SAML assertion” is checked.
Click on “More Actions” and select “SAML Metadata”. This downloads the identity provider metadata XML file needed in a later step.
Now assign the application to users in the Users tab.
Open the Sparkcentral Single Sign-On settings and upload the SAML metadata XML you downloaded from OneLogin.
Select ‘Enable Single Sign-On’ and ‘Enable Single Logout’ and click on Save.
In the Sparkcentral user section, create or edit a user with the same email address as in OneLogin and enable SSO for that user.
On login, that user is redirected to OneLogin to authenticate.
Microsoft Azure Active Directory
In Microsoft Azure, go to Azure Active Directory > Enterprise Applications and click on “+ New Application”.
Select Non-gallery application.
Under Users and Groups, add the users and groups that should have access to Sparkcentral.
Under Properties, set an icon.
Go to Single Sign-On and select SAML.
In Sparkcentral go to Settings > Privacy & Security > Single Sign-On and download the Service Provider Metadata XML.
Upload it on the SAML page in Azure.
Microsoft Azure shows a pop-up with the Basic SAML Configuration.
Entity ID and Reply URL are filled in from the uploaded metadata.
Copy the Sign on URL and Logout URL from Sparkcentral into Microsoft Azure. Click Save.
If Microsoft Azure asks you to test the sign-in, select No; the configuration is not finished yet.
In Microsoft Azure, download the Federation Metadata XML, and upload it to Sparkcentral.
In Microsoft Azure, click on User Attributes and Claims.
Make sure the claim name configured in Sparkcentral exactly matches the name of the claim that contains the users' email address.
The email address is used to match users in your enterprise directory with users in Sparkcentral.
Go to Sparkcentral, select “Enable Single Sign-On” and click Yes to confirm.
You can optionally enable Single Logout: when users click the logout link in Sparkcentral, they are logged out of Microsoft Azure at the same time. Click Save.
Unlike Admins, every agent is automatically switched to SSO.
Keep at least one Admin on username/password plus MFA (multi-factor authentication). If the SSO configuration is changed or breaks, this Admin can still log in and fix it; treat that account as a break-glass login and keep its MFA enforced.
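Every section of this guide has the same contract at its core: the identity provider must send the user's email address under the claim name Sparkcentral is configured to read, and a Sparkcentral user with that email and SSO enabled must exist. The following is an added example, not Sparkcentral's code, that makes the contract concrete: it parses a constructed SAML response with Python's standard library, checks the audience restriction against the service provider's entity ID, reads the email attribute by exact claim name, and resolves it case-insensitively against a small constructed user table in which the break-glass admin is deliberately not SSO-enabled. The Azure AD default email claim name used here, the example.com URLs and the function names are assumptions; signature verification and the validity window are assumed to be checked by a SAML library before this code runs.

```python
"""Extract the email claim from a SAML response and map it to a local user.

Added example, not Sparkcentral's code. The response below is a constructed
sample; the claim name is the assumed default Azure AD email claim (check it
against User Attributes and Claims in your tenant). Signature and validity
window checks are assumed to have been done by a SAML library beforehand.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed default Azure AD claim name; it must equal the "Email Address Claim Name" on the SP side.
AZURE_EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"  # hypothetical service provider entity ID

# Constructed sample response (signature omitted for brevity; never accept unsigned responses)
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice.Agent@Example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Alice.Agent@Example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
        <saml:AttributeValue>Alice Agent</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed local user table, mirroring "create a user ... and enable SSO" in the guide.
USERS = [
    {"email": "alice.agent@example.com", "role": "agent", "sso_enabled": True},
    {"email": "breakglass.admin@example.com", "role": "admin", "sso_enabled": False},
]


def _assertion(response_xml):
    """Return the Assertion element of a successful response, else None."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return None
    return root.find("saml:Assertion", NS)


def audience_ok(response_xml, sp_entity_id):
    """Reject assertions minted for another service provider (audience restriction)."""
    a = _assertion(response_xml)
    if a is None:
        return False
    audiences = [x.text.strip() for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if x.text]
    return sp_entity_id in audiences


def extract_email(response_xml, claim_name):
    """Return the single value of the attribute named claim_name, else None.

    None is also the result of a claim-name mismatch, the most common
    misconfiguration: the IdP sends the email under one Name, the SP looks
    for another, and the user cannot be matched.
    """
    a = _assertion(response_xml)
    if a is None:
        return None
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:  # exact, case-sensitive comparison
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
            return values[0] if len(values) == 1 else None
    return None


def resolve_user(email, users):
    """Match case-insensitively on email; only SSO-enabled users may log in this way."""
    if not email:
        return None
    key = email.strip().lower()
    for user in users:
        if user["email"].lower() == key:
            return user if user.get("sso_enabled") else None
    return None


def login_from_response(response_xml, claim_name=AZURE_EMAIL_CLAIM, users=USERS, sp_entity_id=SP_ENTITY_ID):
    """End to end: audience check, claim extraction, user lookup. Returns the user or None."""
    if not audience_ok(response_xml, sp_entity_id):
        return None
    return resolve_user(extract_email(response_xml, claim_name), users)


if __name__ == "__main__":
    print(login_from_response(SAMPLE_RESPONSE))
    print(login_from_response(SAMPLE_RESPONSE, claim_name="email"))  # claim-name mismatch
```

The second call in the usage block is the failure mode the Azure, OneLogin, Google and Okta steps all warn about: the email is present in the assertion, but under a different claim name than the one configured, so the login resolves to no user. The break-glass admin resolves to no user on purpose, because that account is meant to keep using username/password plus MFA.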
Google
In the Google Admin console, open the apps screen and click on SAML apps.
Click on “Add a service/app to your domain”.
Click on “SETUP MY OWN CUSTOM APP”.
Download the IDP metadata and keep it for a later step. Then click on Next.
Fill in an application name (e.g. Sparkcentral) and a description, and upload a logo.
Click on Next.
Navigate to Sparkcentral Settings > Privacy & Security > Single Sign-On and copy the values shown there into the Google service provider details.
Make sure to select “Signed Response” and to select “EMAIL” as the Name ID Format.
Then click on Next.
Now add an attribute mapping.
Fill in the claim name from the Sparkcentral settings screen and select “Basic Information” > “Primary Email” as its value. Click on Finish.
Now re-open the SAML apps page. Click on the three dots next to your app and select “ON for everyone”.
Now upload the IDP metadata you downloaded earlier to Sparkcentral and enable Single Sign-On and Single Logout.
Now create a user in Sparkcentral with the Google account's email address and enable SSO.
From now on, when that user signs in with this email address, the user is redirected to Google.
Okta
Open Okta as an administrator and open the Applications tab. Click on “Add Application”.
Click on “Create New App”.
Select “Web” as the platform and “SAML 2.0” as the sign-on method.
Fill in an app name. Check “Do not display application to users” and click on “Next”.
(A separate bookmark application that users can click on in Okta is created at the end of this section.)
Open the Sparkcentral Single Sign-On settings and copy the values into Okta (click on “Show Advanced Settings”).
Select “Email” as the Application username and “user.email” as the attribute value. Click on “Next”.
Select “I am an Okta customer adding an internal app” and “This is an internal app that we have created”.
Click on “Finish”.
Right-click “Identity Provider metadata”, select “Save Link As…” and save it as an XML file.
Now assign the application to each user.
Click on Assign.
Confirm the email address.
Now open the Sparkcentral Single Sign-On settings and upload the Identity Provider metadata XML file you saved from Okta.
Select “Enable Single Sign-On” and click on “Save”.
Now create a user in Sparkcentral with the same email address as in Okta and enable SSO.
That user is redirected to Okta on login.
To let users open Sparkcentral from a button in Okta, create a second application: click on “Add Application”, search for “Bookmark App” and add it.
Fill in the application name and paste the Sparkcentral sign-on URL.
Assign the same users (or use one group for both applications to ease management) and update the logo.
You can now log in from the Okta dashboard.