SSO-Enabled User Accounts

Before user accounts can use single sign-on (SSO) authentication, SSO must be enabled at the system level and for at least one company. Refer to Configuring SSO for V‑Spark and Configuring SSO for a Company for more information.

Once SSO is enabled, SSO-enabled user accounts can be created and requested in the same ways as non-SSO accounts. Standard procedures for these methods are described in Create a user account. Note the following before specifying profile fields when creating SSO accounts:

Important:

V‑Spark uses the email address associated with a user's SSO IDP account to authenticate that user. As a result, any V‑Spark SSO user must have an IDP account with an email address specified.

When administrators create or end-users request a user account, the address specified in the Email field must be identical to the email address associated with the user's SSO IDP account.

  • If the Full Name and Username fields are neither specified when the account is created nor populated by the IDP, they will be assigned the same value as the Email field. Whichever value is supplied first will be assigned to the user profile. When an account is created by an administrator, all fields must be supplied by the administrator. When an account is requested using the Sign Up with SSO button or created by an SSO login attempt, V‑Spark will populate any field not provided by the IDP with the value of the Email field.

  • The company specified in the Company dropdown during user account creation must have SSO enabled for that account to use SSO. User accounts associated with a company that does not have SSO enabled cannot use SSO regardless of overall system configuration.

  • User accounts created with an SSO-enabled company may still use the standard username-password authentication method, but it is recommended that administrators use SSO whenever possible to improve security and reduce account maintenance.

When a user account is created with an SSO-enabled company specified, the company and authentication method for that user account may not be changed. A user may be associated with additional companies, but only the initial company's configuration affects whether SSO may be used.

Important: Username-password authenticated accounts cannot be converted to SSO accounts. To use SSO, the user account must be deleted and recreated.

The functionality of SSO-enabled user accounts varies from standard accounts. The name and email user profile fields are disabled because these fields are populated with information from the SSO identity provider (IDP). SSO users may not change their passwords on the profile page or reset their passwords with the Forgot Password? link on the sign-in page.

Use the Login with SSO button on the homepage to log in using SSO. This button will not appear unless the system has been configured to use SSO; note also that the label for the button may be customized. Users are prompted for the short name of their company, then redirected to the IDP. If not already logged in, users enter their IDP credentials. After being authenticated by the IDP, users are redirected back to V‑Spark.