SSO-Enabled Companies

Before companies or user accounts can use single sign-on (SSO) authentication, it must be enabled at the system level. Refer to Configuring SSO for V‑Spark for detailed steps on SSO system configuration. Once enabled for the system, SSO can be enabled for individual companies as described in Configuring SSO for a Company.

A company in an SSO-enabled system is not required to use SSO. Similarly, user accounts associated with an SSO-enabled company may still use username-password authentication, although the authentication method cannot be changed for an existing account. Additionally, some account functionality and profile fields are disabled when the account uses SSO. Refer to SSO-Enabled User Accounts for more information.

Configuring SSO for a Company

Before configuring a V‑Spark company to use SSO authentication, ensure that the appropriate system and IDP configuration settings are in place. Additionally, configuring SSO for a company requires using the Client ID, Client Secret, and Discovery Endpoint obtained while configuring the IDP application. Some IDPs use unique parameters for each of multiple applications on the same SSO implementation, and this may affect the parameters required for company configuration. Refer to Configuring SSO for V‑Spark for more information on configuring SSO at the system level.

To enable or configure SSO authentication for a company, enable the Enable SSO via OpenID option shown in the Create New or Update Company dialogs as described in Create or modify a company and shown in the following example:

When the SSO option is enabled in the Create or Update dialogs, the third page displays the fields shown in the following example:

SSO Protocol

This field is not configurable because V‑Spark supports only the OpenID Connect (OIDC) SSO protocol. The field is displayed for clarity and to accommodate any additional protocols that future versions may include.

Client ID

The V‑Spark client identifier to be used for OpenID communication with the identity provider (IDP). The value for Client ID is provided by the IDP.

Client Secret

The secret associated with the Client ID used to prove the client's identity to the IDP. The value for Client Secret is provided by the IDP.

Use Discovery Endpoint

A discovery endpoint returns a JSON object containing advanced configuration endpoints required for communication with the IDP. Use Discovery Endpoint is enabled by default. Disabling the Use Discovery Endpoint option displays several specific endpoint fields that must be entered manually for successful communication with the IDP. Using the discovery endpoint is strongly recommended to minimize configuration issues.

Every IDP uses its own requirements and syntax for base URLs and endpoints. Refer to your IDP's documentation for the location and construction of its discovery endpoint.

Discovery Endpoint

Returns a JSON object containing advanced configuration endpoints required for communication with the IDP. The value for Discovery Endpoint is provided by the IDP.

If not using a discovery endpoint, the endpoints in the following list must be specified manually:

Note: These fields are provided by the IDP, though some IDPs only provide them in the JSON object returned from the discovery endpoint.

IDP Issuer

Root URL for the IDP.

Introspection Endpoint

URL for the IDP endpoint that returns information about the security token.

JWKS URI

URL for the IDP endpoint that returns the JSON Web Key Set object used to verify security signatures in OIDC.

Authorization Endpoint

URL for the IDP endpoint that is used to interact with the resource owner and to obtain an authorization grant.

Token Endpoint

URL for the IDP endpoint that returns access and ID tokens when presented with authorization grants or refresh tokens.

UserInfo Endpoint

URL for the IDP endpoint that returns user profile information when presented with an access token.

End Session Endpoint

URL for the IDP endpoint that ends the IDP session associated with the ID token.
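The discovery endpoint described above returns, as a single JSON object, the same endpoints that otherwise have to be typed into the manual fields in this list. The following added example (not V‑Spark code, and not from any IDP vendor) shows how a reviewer can check such a discovery document before saving a company configuration: it maps the standard OIDC discovery keys onto the manual field names used on this page, reports which manual fields the document does not supply, and flags two consistency problems worth catching early, namely an issuer that does not match the discovery URL it was fetched from and endpoints that are not served over HTTPS. The discovery URL, hostnames and paths in the sample document are constructed for illustration.

```python
"""Added example: validate an OIDC discovery document and map it onto the
manual V-Spark endpoint fields. Sample data below is constructed, not real."""
import json
from urllib.parse import urlparse

# Manual field label on this page -> key for that value in OIDC discovery metadata.
FIELD_TO_METADATA_KEY = {
    "IDP Issuer": "issuer",
    "Introspection Endpoint": "introspection_endpoint",
    "JWKS URI": "jwks_uri",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "End Session Endpoint": "end_session_endpoint",
}

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample: the URL a discovery document was fetched from and the
# JSON it returned. introspection_endpoint is deliberately left out so the
# report shows how a missing manual field is surfaced.
SAMPLE_DISCOVERY_URL = "https://idp.example.test/oauth2" + WELL_KNOWN_SUFFIX
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.test/oauth2",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
})


def check_discovery(raw_json, discovery_url):
    """Parse a discovery document and return a report with three parts:
    'fields'   - manual field label -> URL found in the document
    'missing'  - manual fields the document does not supply (enter by hand)
    'problems' - consistency findings to resolve before saving the company
    """
    doc = json.loads(raw_json)
    report = {"fields": {}, "missing": [], "problems": []}

    issuer = doc.get("issuer")
    if not issuer:
        report["problems"].append("document has no 'issuer' value")
    else:
        # OIDC Discovery requires the document to be served from
        # <issuer>/.well-known/openid-configuration; a mismatch usually means
        # the wrong URL was pasted or a proxy is rewriting the host.
        expected = issuer.rstrip("/") + WELL_KNOWN_SUFFIX
        if discovery_url != expected:
            report["problems"].append(
                f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")
    issuer_host = urlparse(issuer).hostname if issuer else None

    for field, key in FIELD_TO_METADATA_KEY.items():
        value = doc.get(key)
        if not value:
            report["missing"].append(field)
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            report["problems"].append(f"{field} is not https: {value}")
        # A different host is permitted by OIDC but unusual enough to flag.
        if issuer_host and parsed.hostname != issuer_host:
            report["problems"].append(f"{field} host differs from issuer host: {value}")
        report["fields"][field] = value
    return report


if __name__ == "__main__":
    result = check_discovery(SAMPLE_DISCOVERY_JSON, SAMPLE_DISCOVERY_URL)
    for field, url in result["fields"].items():
        print(f"{field:24} {url}")
    print("missing (enter manually):", result["missing"])
    print("problems:", result["problems"])
```

Run against the constructed sample, the report lists six resolvable fields, names Introspection Endpoint as the one field that would still have to be entered by hand, and reports no problems; pointing the same document at a different discovery URL, or downgrading any endpoint to http, produces a problem entry instead of a silent save.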