Configuring SSO for V‑Spark

Before companies or user accounts can use SSO, it must be enabled at the system level. Enabling SSO requires configuration in two places: V‑Spark's system configuration settings, and configuration settings for the IDP that V‑Spark communicates with for authentication. The topics below apply to all identity providers; the Troubleshooting V‑Spark SSO topic addresses IDP-specific issues that may be encountered while configuring V‑Spark SSO with certain providers.

Required Endpoints for IDP Configuration

Create a client application in the IDP to configure it for communication with V‑Spark. As part of this process, the IDP displays the application's Client ID, Client Secret, and Discovery Endpoint. These are required to configure V‑Spark companies for SSO authentication.

The IDP application requires sign-in and sign-out redirect URIs specific to the V‑Spark system and company that will use SSO. At least one endpoint URL must be provided for each field in the IDP application.

In V‑Spark, resource locations for sign-in and sign-out redirect URIs use the host's external IP address ($HOST_IP) and the company's short name ($CO_SHORTNAME) as shown in the following format:

Redirect URI

http:// {$HOST-IP} /login/authenticate/sso/company/callback/ {$CO_SHORTNAME}

Sign-out Redirect URI

http:// {$HOST-IP} /logout/callback

Note: Some identity providers may require HTTPS for redirect URIs.

Note the following information about redirect URI components:

  • The value for {$HOST-IP} is case-sensitive and must match the value specified in V‑Spark's hostname system configuration setting, which must include the protocol ( http or https ).

  • If an external port must be provided, that port number must match the number specified in the pref_port system configuration setting.

  • The value for {$CO_SHORTNAME} must match the short name assigned to the V‑Spark company that will use SSO.