
Setting up SSO (single sign-on)

Set up your SSO provider, verify your domain, and add users for single sign-on.

Span™ Workspace uses Windows® Azure® Active Directory®, Okta™, PingFederate® or OneLogin™ to enable single sign-on (SSO). Once Span Workspace has been added to the SSO provider, a subscription administrator can enable SSO for subscription users. SSO is compatible with both Span Workspace wall client and Span Workspace web client. However, it's necessary to sign in to SSO using the web client before it'll be available in the Span Workspace wall client.

The steps below will guide an administrator through setting up Span Workspace with their SSO account and then configuring their SSO settings within the Span Workspace web client.

To see an example of a Span Workspace SSO user experience, see our Using SSO with Span Workspace article.

Setting up your service provider

Click on the header of your SSO service provider below to view instructions on setting up your service provider to be compatible with Span Workspace.

Setting up Azure AD

  1. Log into the Azure portal at https://portal.azure.com as an Azure AD administrator
  2. Navigate to Azure Active Directory and go to Enterprise applications
  3. Click the link to add your own app from the Application you're developing button
  4. Click Ok, take me to App Registrations to register my new application
  5. Click New application registration
  6. Fill in the following:

     Name: Nureva Span
     Application type: Web app/API
     Sign-on URL: https://span.nureva.com

  7. Click Create
  8. The application should be added in the right side of the screen. Record the Application ID to use in the Set up SSO section.
  9. Open your Azure settings and go to Keys
  10. Add a new key by filling in a description and an expiry date. Leave the value field empty.
  11. Click Save
  12. The new key value should appear. Record this key value to use in the Set up SSO section.
  13. Return to your Azure settings and go to Reply URLs
  14. Delete the default URL (for example, https://span.nureva.com)
  15. Add the following reply URLs:

      https://span.nureva.com/openIdConnect-SingleSignOn-redirect

      https://span.nureva.com/openIdConnect-UserAccountLinking-redirect

      https://span.nureva.com/openIdConnect-AdminConsent-redirect

  16. Navigate back to Azure Active Directory
  17. Click Save
  18. Go to Properties
  19. Record the directory ID to use in the Set up SSO section.


Administrator application permissions

By default, it is up to each user whether or not to grant the Azure AD application access to Azure AD information. However, if the Azure AD client is configured to require an administrator's permission, the administrator must give the Span Azure AD application permission to access the Azure AD information. To do this:

  1. Navigate to the Enterprise Applications page in Azure Active Directory
  2. Select the Span application
  3. Go to Permissions
  4. Click the Grant admin consent for [company name] button
  5. Enter the admin user credentials
  6. Click Accept

Setting up Okta

  1. Sign on to your Okta administration dashboard. This is likely to be at a URL of the form https://<your_company>.okta.com/dev/console
  2. Hover over the API tab and click on Authorization Servers
  3. Record the issuer URI for the authorization server named "default". You will need this URI in the Setting up SSO section.
  4. Edit the "default" authorization server
  5. Select the "Claims" tab
  6. Click "Add Claim"
  7. Set the name to "span_login_key", include it in ID Token and set the Value to an attribute that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin. For example, user.username
  8. Click Save
  9. Record the Issuer URI of the "default" Authorization Server. This will be needed as the Base URL when configuring Okta in Span

Adding Span as a valid App in your Okta

  1. Navigate to the Applications tab and then click Add Application
  2. Choose the Web option and click Next
  3. Set the Name to "Span" and the Base URI to https://span.nureva.com
  4. Add the following Login redirect URIs:

     https://span.nureva.com/openIdConnect-UserAccountLinking-redirect

     https://span.nureva.com/openIdConnect-SingleSignOn-redirect

  5. Make sure the "Grant type allowed" is set to "Authorization Code"
  6. Click Done
  7. Find the Client ID and Client secret and record them, as you will need them when configuring Span

Setting up PingFederate

  1. Sign on to your PingFederate administration dashboard

     This is likely to be at a URL of the form https://<hostname_of_pingfederate_server>:9999/pingfederate/app

  2. Click on the OAuth Server tab on the left-hand menu

     If the OAuth Server tab is not visible, it's likely that your PingFederate server is not configured for OpenID Connect. Refer to the PingFederate administrative guide to complete this step.

The next steps guide you through how to add an OpenID Connect Policy for Span, which maps an appropriate directory attribute onto the sub claim.

  3. Click OpenID Connect Policy Management
  4. Go to Add Policy
  5. Enter a policy ID, Name and select an Access Token Manager
  6. Click Next
  7. Under Attribute Contract, delete all the extended attributes. They aren't required by Span Workspace.
  8. Click Next until you reach the Contract Fulfillment screen
  9. Fulfill the sub contract with a Source and Value that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin. They will need it later to link Span users to their SSO account.

     For example, a user principal name, unique username or (if you can guarantee it is unique per user in your directory) an e-mail.

  10. Click Done

Add a Client

  1. Under the Clients heading, click Create New
  2. Choose a value for the Client ID. Record this client ID for use when configuring Span.
  3. Set a Name and Description that will remind you or other administrators that this is the Span client
  4. Set Client Authentication to Client Secret
  5. Click Generate Secret
  6. Record the generated secret for later

     This secret will be used as the client secret when configuring Span.

  7. Add the following Span re-direct URLs:

     https://span.nureva.com/openIdConnect-UserAccountLinking-redirect

     https://span.nureva.com/openIdConnect-SingleSignOn-redirect

  8. Set the Allowed Grant Types to Authorization Code
  9. Select the Policy you created earlier
  10. Click Save

The last piece of information you will need before configuring Span is your PingFederate server’s hostname, which by default is on port 9031. Therefore, the URL will appear as https://<hostname of Ping server>:9031/

Setting up OneLogin

  1. Sign on to your OneLogin administration dashboard.

     This dashboard can likely be found at https://<your_company>.onelogin.com/admin

  2. Hover your cursor over the Apps tab and click Add Apps
  3. Search for and select "OpenID Connect (OIDC)"
  4. In the Display name field, type in "Span"
  5. Click Save
  6. Go to the Configuration tab
  7. Configure the following:

     Login Url: https://span.nureva.com
     Redirect URI: https://span.nureva.com/openIdConnect-UserAccountLinking-redirect
     https://span.nureva.com/openIdConnect-SingleSignOn-redirect

  8. Go to the Parameters tab
  9. Set Credentials to "Configured by Admin"
  10. Click Add parameter
  11. Set the field name to "span_login_key"
  12. Click Save
  13. Set the value of the new parameter to an attribute that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin. For example, userPrincipalName.
  14. Click Save
  15. Go to the SSO tab
  16. Take note of the Client ID and the Client secret. You'll need these later when configuring SSO in Span Workspace.
  17. Record the OpenID Provider Configuration Information, excluding the ".well-known/openid-configuration" part of the ID. You will need this URL later when configuring Span Workspace.

      The URL should resemble the following:

      https://<your_company>.onelogin.com/oidc/

  18. Make sure the Application Type is set to "Web"
  19. Set the Token Endpoint Authentication Method to POST
  20. Click Save
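
Each provider section above registers an exact list of Span redirect URIs, and the Azure AD steps also delete the default URL. The following check is an added example, not part of Nureva's documentation: it compares the redirect URIs you actually registered with the ones listed in this article and reports extras, wildcards and near-misses. The function and constant names are hypothetical, and the sample registration is constructed.

```python
from urllib.parse import urlsplit

# Redirect URIs copied from this article; Azure AD also lists the admin-consent one.
BASE = "https://span.nureva.com/openIdConnect-"
COMMON = {BASE + "SingleSignOn-redirect", BASE + "UserAccountLinking-redirect"}
EXPECTED = {
    "azure": COMMON | {BASE + "AdminConsent-redirect"},
    "okta": COMMON, "pingfederate": COMMON, "onelogin": COMMON,
}

def _canon(uri):
    """Loose form used only to spot near-misses (scheme, case, trailing slash)."""
    parts = urlsplit(uri.strip())
    return (parts.netloc.lower(), parts.path.rstrip("/").lower())

def audit_redirect_uris(provider, registered):
    """Return sorted (severity, uri, reason) findings; an empty list means an exact match."""
    expected = EXPECTED[provider]
    loose = {_canon(u): u for u in expected}
    findings = []
    for uri in registered:
        if uri in expected:
            continue
        if "*" in uri:
            findings.append(("high", uri, "wildcard redirect URI"))
        elif _canon(uri) in loose:
            findings.append(("medium", uri, "near-miss of " + loose[_canon(uri)]))
        else:
            findings.append(("high", uri, "not a documented Span redirect URI"))
    for uri in expected - set(registered):
        findings.append(("medium", uri, "documented redirect URI missing"))
    return sorted(findings)

# Constructed sample: an Azure AD registration with the default URL left in place,
# one URI carrying a stray trailing slash, and the admin-consent URI forgotten.
SAMPLE_AZURE = [
    "https://span.nureva.com",
    BASE + "SingleSignOn-redirect",
    BASE + "UserAccountLinking-redirect/",
]

if __name__ == "__main__":
    for finding in audit_redirect_uris("azure", SAMPLE_AZURE):
        print(finding)
```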

Setting up SSO

  1. As a subscription administrator, log into Span Workspace using your Chrome™ internet browser
  2. Click your name on the top-right corner of the page
  3. Select Subscriptions
  4. Click the SSO link in the Manage column
  5. Click Add identity provider
  6. Input your company’s SSO provider's Span Workspace information

     Name*: Choose a name for your identity provider.
     Description: Create a description for the identity provider.
     Base URL*: https://login.microsoftonline.com/<directoryID>/ where <directoryID> is the directory ID that you recorded in the Setting up Azure, Okta or PingFederate steps. For example: https://login.microsoftonline.com/12345678-FC31-4D64-BBB5-A48D12345678/
     Client ID*: Enter the Application ID that was recorded in the Setting up Azure, Okta or PingFederate steps.
     Client secret*: Enter the value of the key that was created in the Setting up Azure, Okta or PingFederate steps.

  7. Click Add. You'll be redirected to your SSO provider's page. Log in with your administrator credentials. You will then be redirected back to your SSO page where the identity provider will now be added.

You can edit or remove the identity provider from the three-dot menu.

Press the back button on the top left of the page to return to the Subscriptions page.


Verify your domain

A verified domain allows a subscription administrator to configure SSO only for users belonging to the same domain. If the domain has not been verified, the subscription administrator will not have the ability to configure the users belonging to that domain for SSO.

For example, if nureva.com is a verified domain, then the subscription administrator can link SSO to the users under the @nureva.com domain. If a user exists with an @gmail.com domain, the subscription administrator will not be able to configure SSO for the user.

For more information regarding your domain ownership, see our Domain ownership for SSO article.

  1. Click Domains on the subscription page
  2. Follow the steps shown to verify your domain(s)
  3. Once you've followed the steps, confirm that a verified domain has been added under the "Add verified domain" button

Keep in mind it can take up to 48 hours for a domain to be verified.


Configure users for SSO

  1. Go to the subscriptions page
  2. Click Users
  3. Open the three-dot menu for the user that will be configured through SSO

     If you need to add a user to the subscription, follow the steps in the Adding user accounts articles.

  4. Open the three-dot menu of the user you just added and select Manage SSO
  5. Enter the user's UPN number from your SSO provider
  6. Click OK

A checkmark will appear next to the user if they have been successfully connected.
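
The provider sections above require the span_login_key (or sub) value to identify each user uniquely, and note that an e-mail address is only acceptable if it is unique per user. The following pre-flight check is an added example, not Nureva's code: it audits a directory export for empty or colliding values in a candidate attribute before you enter those values here. The CSV column names and function names are assumptions, the sample export is constructed, and treating values that differ only by case or whitespace as collisions is a conservative assumption about how values are compared.

```python
import csv
import io
import unicodedata
from collections import defaultdict

def _fold(value):
    """Comparison form: Unicode-normalised, trimmed and case-folded (assumed matching rule)."""
    return unicodedata.normalize("NFKC", value).strip().casefold()

def audit_login_keys(rows, attr):
    """Check that `attr` is present and unique for every directory user.

    rows: iterable of dicts with an "id" column; attr: candidate attribute name.
    Returns {"missing": [user ids], "collisions": {folded value: [user ids]}}.
    """
    seen = defaultdict(list)
    missing = []
    for row in rows:
        raw = row.get(attr) or ""
        if not raw.strip():
            missing.append(row["id"])          # user could never be linked
        else:
            seen[_fold(raw)].append(row["id"])
    collisions = {key: ids for key, ids in seen.items() if len(ids) > 1}
    return {"missing": missing, "collisions": collisions}

# Constructed sample export; the column names are assumptions, not a provider format.
SAMPLE = """id,username,email
1001,alice@example.com,alice@example.com
1002,bob@example.com,shared-mailbox@example.com
1003,carol@example.com,Shared-Mailbox@example.com
1004,dave@example.com,
"""

def load(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for attr in ("username", "email"):
        print(attr, audit_login_keys(load(SAMPLE), attr))
```

In the sample, username is safe to map onto the claim, while email is not: two accounts share a mailbox address and one has none.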

New users will need to activate their Span Workspace account in the welcome email. Once they've set their password, they will be able to log out and then log back in using your SSO provider.

When the user signs into Span Workspace in their web browser, they will be given the option to sign in with your SSO provider.


Last updated: September 3, 2019
