Set up your SSO provider, verify your domain, and add users for single sign-on.
Span™ Workspace uses Windows® Azure® Active Directory®, Okta™, PingFederate® or OneLogin™ to enable single sign-on (SSO). Once Span Workspace has been added to the SSO provider, a subscription administrator can enable SSO for subscription users. SSO is compatible with both Span Workspace wall client and Span Workspace web client. However, it's necessary to sign in to SSO using the web client before it'll be available in the Span Workspace wall client.
The steps below will guide an administrator through setting up Span Workspace with their SSO account and then configuring their SSO settings within the Span Workspace web client.
To see an example of a Span Workspace SSO user experience, see our Using SSO with Span Workspace article.
Setting up your service provider
The sections below describe how to set up each supported service provider so that it is compatible with Span Workspace.
Setting up Azure AD
- Log into the Azure portal at https://portal.azure.com as an Azure AD administrator
- Navigate to Azure Active Directory and go to Enterprise applications
- Under the Application you're developing button, click the link to add your own app
- Click Ok, take me to App Registrations to register my new application
- Click + New application registration
- Fill in the following:
- Click Create
- The application should be added in the right side of the screen. Record the Application ID to use in the Set up SSO section.
- Open your Azure settings and go to Keys
- Add a new key by filling in a description and an expiry date. Leave the value field empty.
- Click Save
- The new key value should appear. Record this key value to use in the Set up SSO section.
- Return to your Azure settings and go to Reply URLs
- Delete the default URL (for example, https://span.nureva.com)
- Add the following reply URLs:
- Navigate back to Azure Active Directory
- Click Save
- Go to Properties
- Record the directory ID to use in the Set up SSO section.
Administrator application permissions
By default, whether or not a user grants the Azure AD application access to Azure AD information is up to the user. However, if the Azure AD client is configured to require an administrator's permission, the administrator must give permission to the Span Azure AD application to access the Azure AD information. To do this,
- Navigate to the Enterprise Applications page on the Azure Active Directory
- Select the Span application
- Go to Permissions
- Click the Grant admin consent for [company name] button
- Enter the admin user credentials
- Click Accept
Setting up Okta
- Sign on to your Okta administration dashboard. This is likely to be at a URL of the form https://<your_company>.okta.com/dev/console
- Hover over the API tab and click on Authorization Servers
- Record the issuer URI for the authorization server named "default." You will need this URI in the Setting up SSO section.
- Edit the "default" authorization server
- Select the "Claims" tab
- Click "Add Claim"
- Set the name to "span_login_key", include it in the ID Token and set the Value to an attribute that uniquely identifies the user in your directory and is accessible to or known by the Span subscription admin. For example, user.username
- Click Save
- Record the Issuer URI of the "default" Authorization Server. This will be needed as the Base URL when configuring Okta in Span
Adding Span as a valid App in your Okta
- Navigate to the Applications tab and then click Add Application
- Choose the Web option and click Next
- Set the Name to "Span" and the Base URI to https://span.nureva.com
- Add the following Login redirect URIs:
- Make sure the "Grant type allowed" is set to "Authorization Code"
- Click Done
- Find the Client ID and Client secret and record them, as you will need them when configuring Span
Setting up PingFederate
- Sign on to your PingFederate administration dashboard
This is likely to be at a URL of the form https://<hostname_of_pingfederate_server>:9999/pingfederate/app
- Click on the OAuth Server tab on the left-hand menu
If the OAuth Server tab is not visible, it's likely that your PingFederate server is not configured for OpenID Connect. Refer to the PingFederate administrative guide to complete this step.
The next steps guide you through how to add an OpenID Connect Policy for Span, which maps an appropriate directory attribute onto the sub claim.
- Click OpenID Connect Policy Management
- Go to Add Policy
- Enter a policy ID, Name and select an Access Token Manager
- Click Next
- Under Attribute Contract, delete all the extended attributes. They aren't required by Span Workspace.
- Click Next until you reach the Contract Fulfillment screen
- Fulfill the sub contract with a Source and Value that uniquely identifies the user in your directory and is accessible to or known by the Span subscription admin, who will need it later to link Span users to their SSO account
For example, a user principal name, a unique username or (only if you can guarantee it is unique per user in your directory) an e-mail address.
- Click Done
Add a Client
- Under the Clients heading, click Create New
- Choose a value for the Client ID. Record this client ID for use when configuring Span.
- Set a Name and Description that will remind you or other administrators that this is the Span client
- Set Client Authentication to Client Secret
- Click Generate Secret
- Record the generated secret for later
This secret will be used as the client secret when configuring Span.
- Add the following Span re-direct URLs:
- Set the Allowed Grant Types to Authorization Code
- Select the Policy you created earlier
- Click Save
The last piece of information you will need before configuring Span is the base URL of your PingFederate server, which by default listens on port 9031. The URL will therefore appear as https://<hostname of Ping server>:9031/
Setting up OneLogin
- Sign on to your OneLogin administration dashboard.
This dashboard can likely be found at https://<your_company>.onelogin.com/admin
- Hover your cursor over the Apps tab and click Add Apps
- Search for and select "OpenID Connect (OIDC)"
- In the Display name field, type in "Span"
- Click Save
- Go to the Configuration tab
- Configure the following:
- Go to the Parameters tab
- Set Credentials to "Configured by Admin"
- Click Add parameter
- Set the field name to "span_login_key"
- Click Save
- Set the value of the new parameter to an attribute that uniquely identifies the user in your directory and is accessible to or known by the Span subscription admin. For example, userPrincipalName.
- Click Save
- Go to the SSO tab
- Take note of the Client ID and the Client secret. You'll need these later when configuring SSO in Span Workspace.
- Record the OpenID Provider Configuration Information URL, excluding the ".well-known/openid-configuration" part of the URL. You will need this URL later when configuring Span Workspace.
The URL should resemble the following:
- Make sure the Application Type is set to "Web"
- Set the Token Endpoint Authentication Method to POST
- Click Save
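Before the recorded values go into the Setting up SSO steps, it is worth checking that the base URL and the provider's discovery document agree with what those steps require (an https issuer that matches the base URL, the authorization code grant, and a token endpoint that accepts POST client authentication, as the OneLogin step sets). The helper below is an added example, not Nureva's or any provider's code; the provider tenant and discovery document it uses are constructed for the demonstration.

```python
# Added example, not Nureva's or any provider's code: sanity-check the base
# URL recorded during provider setup and the provider's OpenID Connect
# discovery document before entering the values in Span Workspace.
from urllib.parse import urlparse

WELL_KNOWN = ".well-known/openid-configuration"

def normalize_base_url(recorded: str) -> str:
    """Base URL with exactly one trailing slash; the well-known suffix is
    dropped if the full discovery URL was copied (as OneLogin displays it)."""
    url = recorded.strip()
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/") + "/"

def discovery_url(recorded: str) -> str:
    """Discovery endpoint derived from the recorded base URL."""
    return normalize_base_url(recorded) + WELL_KNOWN

def check_discovery(recorded: str, doc: dict) -> list:
    """Problems in a discovery document relative to what the Span setup steps
    need: https, issuer matching the base URL, code flow, POST client auth."""
    base = normalize_base_url(recorded)
    problems = []
    if urlparse(base).scheme != "https":
        problems.append("base URL must use https")
    if doc.get("issuer", "").rstrip("/") + "/" != base:
        problems.append("issuer does not match the recorded base URL")
    for endpoint in ("authorization_endpoint", "token_endpoint"):
        if not doc.get(endpoint, "").startswith("https://"):
            problems.append(f"{endpoint} missing or not https")
    # OIDC Discovery defaults when omitted: code+implicit grants, basic auth.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not offered")
    auth = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in auth:
        problems.append("token endpoint does not accept client_secret_post")
    return problems

# Constructed sample document for a fictional tenant, not a real provider.
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
```

In practice you would fetch `discovery_url(recorded)` over HTTPS and pass the parsed JSON to `check_discovery`; an empty list means the recorded base URL is consistent with the provider.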
Setting up SSO
- As a subscription administrator, log into Span Workspace using your Chrome™ internet browser
- Click your name on the top-right corner of the page
- Select Subscriptions
- Click the SSO link in the Manage column
- Click Add identity provider
- Input your company’s SSO provider's Span Workspace information
| Field | What to enter |
| --- | --- |
| Name | Choose a name for your identity provider. |
| Description | Create a description for the identity provider. |
| Base URL | For Azure AD, https://login.microsoftonline.com/<directoryID>/ where <directoryID> is the directory ID that you recorded in the Setting up Azure AD steps. For example: https://login.microsoftonline.com/12345678-FC31-4D64-BBB5-A48D12345678/. For Okta, PingFederate or OneLogin, enter the issuer or base URL you recorded in the corresponding setup steps. |
| Client ID | Enter the Application ID (Azure AD) or Client ID (Okta, PingFederate, OneLogin) that was recorded in the setup steps for your provider. |
| Client secret | Enter the value of the key (Azure AD) or the client secret (Okta, PingFederate, OneLogin) that was created in the setup steps for your provider. |
- Click Add. You'll be redirected to your SSO provider's page. Log in with your administrator credentials. You will then be redirected back to your SSO page where the identity provider will now be added.
You can edit or remove the identity provider from the three-dot menu.
- Press the back button on the top left of the page to return to the Subscriptions page
Verify your domain
A verified domain allows a subscription administrator to configure SSO only for users belonging to the same domain. If the domain has not been verified, the subscription administrator will not have the ability to configure the users belonging to that domain for SSO.
For example, if nureva.com is a verified domain, then the subscription administrator can link SSO to the users under the @nureva.com domain. If a user exists with an @gmail.com domain, the subscription administrator will not be able to configure SSO for the user.
For more information regarding your domain ownership, see our Domain ownership for SSO article.
- Click Domains on the subscription page
- Follow the steps shown to verify your domain(s)
- Once you've followed the steps, confirm that a verified domain has been added under the “Add verified domain” button
Keep in mind it can take up to 48 hours for a domain to be verified.
Configure users for SSO
- Go to the subscriptions page
- Click Users
- Open the three-dot menu for the user that will be configured through SSO
- If you need to add a user to the subscription, follow the steps in the Adding user accounts article.
- Open the three-dot menu of the user you just added and select Manage SSO
- Enter the user's UPN (the unique identifier attribute you mapped in your SSO provider) for that user
- Click OK
A checkmark will appear next to the user if they have been successfully connected.
New users will need to activate their Span Workspace account from the welcome email. Once they've set their password, they will be able to log out and then log back in using your SSO provider.
When the user signs into Span Workspace in their web browser, they will be given the option to sign in with your SSO provider.
Last updated: September 3, 2019