Configuring SSO for V‑Spark
Before companies or user accounts can use SSO, it must be enabled at the system level. Enabling SSO requires configuration in two places: V‑Spark's system configuration settings, and configuration settings for the IDP that V‑Spark communicates with for authentication. The topics below apply to all identity providers; the Troubleshooting V‑Spark SSO topic addresses IDP-specific issues that may be encountered while configuring V‑Spark SSO with certain providers.
Required Endpoints for IDP Configuration
Create a client application in the IDP to configure it for communication with V‑Spark. As part of this process, the IDP displays the application's Client ID, Client Secret, and Discovery Endpoint. These are required to configure V‑Spark companies for SSO authentication.
The IDP application requires sign-in and sign-out redirect URIs specific to the V‑Spark system and company that will use SSO. At least one endpoint URL must be provided for each field in the IDP application.
In V‑Spark, the sign-in and sign-out redirect URIs are built from the host's external address ({$HOST-IP}) and the company's short name ({$CO_SHORTNAME}), in the following format:

- Sign-in Redirect URI
  http://{$HOST-IP}/login/authenticate/sso/company/callback/{$CO_SHORTNAME}
- Sign-out Redirect URI
  http://{$HOST-IP}/logout/callback

Note the following about the redirect URI components:

- The value for {$HOST-IP} is case-sensitive and, together with the protocol prefix, must match the value specified in V‑Spark's hostname system configuration setting. That setting includes the protocol (http or https), so if hostname uses https, the redirect URIs registered in the IDP must use https as well. IDPs compare redirect URIs as exact strings, so any difference in protocol, case, or port causes the sign-in to be rejected.
- If an external port must be provided, that port number must match the number specified in the pref_port system configuration setting.
- The value for {$CO_SHORTNAME} must match the short name assigned to the V‑Spark company that will use SSO.
SSO-Related System Configuration Settings

The following settings must be specified in V‑Spark's configuration under /opt/voci/vspark/config/vspark.config.d/:

- login_methods
  Specifies all login methods available to the system. Multiple methods may be specified as a comma-separated list. As of version 4.1, the only supported method is OpenID Connect, specified with the value oidc.
  Example: login_methods=oidc
- hostname
  Specifies the URL used to reach the V‑Spark system externally. The protocol (http or https) must be included. This setting is already configured for most V‑Spark installations, but its value must match the protocol and host used in the redirect URIs registered with the IDP.
  Example: hostname=https://3.123.123.123
- pref_port
  Specifies the V‑Spark port number used with the configured hostname. This setting is already configured for most V‑Spark installations, but its value must match the port used in the redirect URIs registered with the IDP.
  Example: pref_port=3000
- login_with_sso_link_label
  Optional. Specifies the label for the SSO login button on login pages. The default value is Sign in with SSO.
- signup_with_sso_link_label
  Optional. Specifies the label for the SSO signup button on the signup page. The default value is Sign up with SSO.
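Because the IDP rejects a redirect URI that differs from its registered entry in any character, it helps to derive the URIs from the V‑Spark settings rather than typing them by hand. The following script is an added example, not V‑Spark code: it parses the settings as key=value lines (an assumption about the file format), derives the sign-in and sign-out redirect URIs for a company short name, and rejects the mismatches described above (hostname without protocol, a port in hostname that disagrees with pref_port, login_methods without oidc). The sample settings and the company name acme are constructed; whether the port is appended to the host (include_port) depends on whether clients reach V‑Spark directly on pref_port or through a proxy, and is left as a parameter.

```python
"""Derive the IDP redirect URIs from V-Spark's SSO settings and check them for the
mismatches that typically break the OIDC redirect (added example, not V-Spark code)."""
from urllib.parse import urlsplit

# Constructed sample of the settings in /opt/voci/vspark/config/vspark.config.d/
# (key=value lines are assumed; the values mirror the examples in the text).
SAMPLE_CONFIG = """
login_methods=oidc
hostname=https://3.123.123.123
pref_port=3000
login_with_sso_link_label=Sign in with SSO
"""

SIGN_IN_PATH = "/login/authenticate/sso/company/callback/"
SIGN_OUT_PATH = "/logout/callback"


def parse_settings(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed setting line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def redirect_uris(settings, co_shortname, include_port=True):
    """Return the sign-in/sign-out redirect URIs to register in the IDP.

    include_port controls whether pref_port is appended to the host (assumption:
    needed when clients reach V-Spark directly on that port rather than through a
    proxy on the default port). Raises ValueError for settings that cannot match
    what the IDP will compare against.
    """
    methods = [m.strip() for m in settings.get("login_methods", "").split(",")]
    if "oidc" not in methods:
        raise ValueError("login_methods must include oidc for SSO")

    hostname = settings.get("hostname", "")
    parts = urlsplit(hostname)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("hostname must include the protocol, e.g. https://3.123.123.123")
    if parts.path.strip("/") or parts.query or parts.fragment:
        raise ValueError("hostname must be scheme://host[:port] with no path")

    if not co_shortname or co_shortname != co_shortname.strip():
        raise ValueError("company short name must be non-empty with no surrounding whitespace")

    pref_port = settings.get("pref_port")
    if pref_port is not None and not pref_port.isdigit():
        raise ValueError(f"pref_port must be numeric, got {pref_port!r}")
    if parts.port is not None and pref_port is not None and str(parts.port) != pref_port:
        raise ValueError(f"port in hostname ({parts.port}) does not match pref_port ({pref_port})")

    # hostname is kept byte-for-byte (the IDP matches it case-sensitively);
    # the port is appended only when hostname did not already carry one.
    base = f"{parts.scheme}://{parts.netloc}"
    if include_port and parts.port is None and pref_port:
        base += f":{pref_port}"

    warnings = []
    if parts.scheme == "http":
        warnings.append("redirect URIs use plain http; the authorization code and "
                        "session cookie cross the network unencrypted")
    return {
        "sign_in": base + SIGN_IN_PATH + co_shortname,
        "sign_out": base + SIGN_OUT_PATH,
        "warnings": warnings,
    }


if __name__ == "__main__":
    uris = redirect_uris(parse_settings(SAMPLE_CONFIG), "acme")
    print("Sign-in Redirect URI: ", uris["sign_in"])
    print("Sign-out Redirect URI:", uris["sign_out"])
    for w in uris["warnings"]:
        print("WARNING:", w)
```

Paste the two printed URIs into the IDP application's sign-in and sign-out redirect fields exactly as printed. If the script raises, fix the V‑Spark setting it names before touching the IDP; an http warning means the callback carrying the authorization code is unencrypted, so use https for any deployment reachable outside a lab.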