Configuring SSO for V‑Spark

Before companies or user accounts can use SSO, it must be enabled at the system level. Enabling SSO requires configuration in two places: V‑Spark's system configuration settings, and configuration settings for the IDP that V‑Spark communicates with for authentication. The topics below apply to all identity providers; the Troubleshooting V‑Spark SSO topic addresses IDP-specific issues that may be encountered while configuring V‑Spark SSO with certain providers.

Required Endpoints for IDP Configuration

Create a client application in the IDP to configure it for communication with V‑Spark. As part of this process, the IDP displays the application's Client ID, Client Secret, and Discovery Endpoint. These are required to configure V‑Spark companies for SSO authentication.

The IDP application requires sign-in and sign-out redirect URIs specific to the V‑Spark system and company that will use SSO. At least one endpoint URL must be provided for each field in the IDP application.

In V‑Spark, resource locations for sign-in and sign-out redirect URIs use the host's external IP address ($HOST_IP) and the company's short name ($CO_SHORTNAME) as shown in the following format:

Sign-in Redirect URI

http://{$HOST-IP}/login/authenticate/sso/company/callback/{$CO_SHORTNAME}

Sign-out Redirect URI

http://{$HOST-IP}/logout/callback

Note: Some identity providers may require HTTPS for redirect URIs.

Note the following information about redirect URI components:

  • The value for {$HOST-IP} is case-sensitive and must match the value specified in V‑Spark's hostname system configuration setting, which must include the protocol (http or https).

  • If an external port must be provided, that port number must match the number specified in the pref_port system configuration setting.

  • The value for {$CO_SHORTNAME} must match the short name assigned to the V‑Spark company that will use SSO.
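
A pre-flight check for the rules above, as an added example that is not part of the V‑Spark documentation or product: it builds the two redirect URIs from the hostname, pref_port and company short name, then compares them exactly against the URIs registered in the IDP. The function names, the sample host vspark.example.com, the short name acme, port 8443, and the assumption that the hostname value (protocol included) is used as the URI prefix are all illustrative.

```python
from urllib.parse import urlsplit

SIGN_IN_PATH = "/login/authenticate/sso/company/callback/"
SIGN_OUT_PATH = "/logout/callback"

def expected_redirect_uris(hostname, co_shortname, pref_port=None):
    """Build both redirect URIs from the V-Spark settings named on this page.
    Assumption: hostname already carries the protocol, e.g. https://host."""
    parts = urlsplit(hostname)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("hostname must include the protocol (http or https)")
    base = hostname.rstrip("/")
    if pref_port is not None:
        base = f"{base}:{pref_port}"
    return {"sign_in": base + SIGN_IN_PATH + co_shortname,
            "sign_out": base + SIGN_OUT_PATH}

def diagnose(want, got):
    """Say which component of a registered URI differs from the expected one."""
    w, g = urlsplit(want), urlsplit(got)
    if got.lower() == want.lower():
        return "differs only in letter case"
    if w.scheme != g.scheme:
        return f"protocol is {g.scheme}, expected {w.scheme}"
    if w.port != g.port:
        return f"port is {g.port}, expected {w.port} (pref_port)"
    if w.hostname != g.hostname:
        return "host does not match the hostname setting"
    return "path differs; check the company short name"

def check_registered(registered, expected):
    """Return a list of problems; an empty list means every field matches."""
    problems = []
    for field, want in expected.items():
        uris = registered.get(field, [])
        if not uris:
            problems.append(f"{field}: no redirect URI registered")
        elif want not in uris:  # exact, case-sensitive comparison
            problems.extend(f"{field}: {u} {diagnose(want, u)}" for u in uris)
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    expected = expected_redirect_uris("https://vspark.example.com", "acme", 8443)
    registered = {"sign_in": ["http://vspark.example.com:8443" + SIGN_IN_PATH + "Acme"],
                  "sign_out": []}
    for line in check_registered(registered, expected):
        print(line)
```

Running the check before saving the IDP application surfaces a protocol, port, case or short-name mismatch as a named problem rather than as a failed redirect at login time.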