To set up IdP-based SSO, log in to the Spectro Cloud console as the tenant admin. Open the tenant admin settings by clicking "Admin" on the left panel, choose "Settings" from the Admin menu, and then click "SAML" to open the SAML panel. Select your IdP from the "Service" dropdown menu and toggle "Enable SSO" to reveal the configuration boxes. The following parameters are displayed; they are the values the IdP needs in order to register Spectro Cloud as a "Service Provider":
- NameId Format
- Login URL
- Service Provider Metadata
Using these parameters, add Spectro Cloud as the Service Provider (SP) application in the IdP's configuration. IdP-specific details follow.
The final step is to copy the Identity Provider Metadata from the IdP into the Spectro Cloud SAML panel and click "Confirm" to complete the setup.
In the Spectro Cloud SAML panel, select Okta as the IdP service from the dropdown, then copy the Login URL using the copy icon next to the URL box. This URL, together with the Entity ID from the Service Provider Metadata, is needed to add Spectro Cloud as a new "application" in your Okta dashboard.
1. In a new tab, open www.okta.com and log in to the Okta admin dashboard.
2. From the Applications main tab, select the Applications option again.
3. Click Add Application and then Create New App.
4. In the window that opens, under "General Settings", choose "Web" as the "Platform" and SAML 2.0 as the sign-on method. Click Create to add the new app.
5. The new app is added to Okta and now needs to be configured. Give the app a name. We strongly recommend using the ENTITYID from the Spectro Cloud SAML panel, exactly as shown there, as the app name.
6. Go to the "Configure SAML" tab. In the "GENERAL" section, set "Single Sign On URL" to the LOGIN URL from the Spectro Cloud SAML panel and check the box "Use this for Recipient URL and Destination URL." Copy the ENTITYID from the Spectro Cloud SAML panel into "Audience URI (SP Entity ID)". For "NameID format", select EmailAddress from the dropdown. In the "ATTRIBUTE STATEMENTS (OPTIONAL)" section, add the following attribute:

   | Name | Name Format (Optional) | Value |
   |------|------------------------|-------|
   | SpectroTeam | unspecified | Default team name. See the explanation of teams below. |

7. Finish the teams configuration and click Next to reach the last tab, Feedback. Select the "I'm a software vendor" option and click Finish to complete the Okta configuration.
8. Okta returns to the Applications page, where the Spectro Cloud app should now be listed. Under its Sign On tab, click View Setup Instructions. This opens a new tab showing the IdP SAML details. Copy the IDP Metadata and paste it into the corresponding box in the Spectro Cloud SAML panel, then click Confirm. A success banner at the top left confirms that the configuration is complete.
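The hand-copying in steps 6 and 8 is where most SAML setups go wrong: the Entity ID and Login URL from the Service Provider Metadata must land in exactly the right Okta fields, and the IdP metadata pasted back must actually carry Okta's signing certificate and SSO endpoint. The following Python is an added illustration of those two checks, not Spectro Cloud or Okta code. Both metadata documents, the entity IDs, hostnames (spectrocloud.example.com, dev-000000.okta.com) and certificate text are constructed samples; it also assumes the AssertionConsumerService Location in the SP metadata is the same value the panel shows as the Login URL.

```python
"""Map Spectro Cloud SP metadata onto the Okta SAML app fields, and sanity-check
IdP metadata before pasting it into the SAML panel.

Added illustration, not Spectro Cloud or Okta code. The metadata documents,
entity IDs, hostnames and certificate below are constructed samples; real
values come from the SAML panel and Okta's "View Setup Instructions" page.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata, shaped like what the SAML panel exports.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://spectrocloud.example.com/v1/saml/tenant-abc123">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://spectrocloud.example.com/v1/saml/tenant-abc123/login" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata, shaped like Okta's "IDP metadata" block.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exk000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/exk000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def okta_app_fields(sp_metadata_xml: str) -> dict:
    """Return the values to enter on Okta's "Configure SAML" tab (step 6)."""
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    name_id = sp.findtext("md:NameIDFormat", namespaces=NS)
    location = acs.get("Location")
    return {
        "Single Sign On URL": location,
        "Audience URI (SP Entity ID)": root.get("entityID"),
        "Name ID format": "EmailAddress" if name_id == EMAIL_NAMEID else name_id,
        # Ticking "Use this for Recipient URL and Destination URL" makes both
        # equal to the Single Sign On URL.
        "Recipient URL": location,
        "Destination URL": location,
    }


def check_idp_metadata(idp_metadata_xml: str) -> list:
    """Return a list of problems; an empty list means it is safe to paste (step 8)."""
    problems = []
    try:
        root = ET.fromstring(idp_metadata_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if not root.get("entityID"):
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor (is this SP metadata?)"]
    certs = idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any(c.text and c.text.strip() for c in certs):
        problems.append("no X509 signing certificate (assertion signatures cannot be verified)")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for s in sso:
        if not s.get("Location", "").startswith("https://"):
            problems.append(f"SSO endpoint is not https: {s.get('Location')}")
    return problems


if __name__ == "__main__":
    for field, value in okta_app_fields(SP_METADATA).items():
        print(f"{field}: {value}")
    print("IdP metadata problems:", check_idp_metadata(IDP_METADATA) or "none")
```

A common mistake the second check catches is pasting the SP metadata back into the IdP metadata box, or pasting a truncated copy that lost the certificate; either one produces a configuration that looks complete but cannot verify a single assertion.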
With this, the tenant admin can start assigning users from the Okta dashboard. On the Okta Applications page, open the Spectro Cloud application and use the Assignments tab to add users: click Assign and select Assign to people (if you have set up groups, Assign to groups works as well). In the popup window, select the users who are to be given access to Spectro Cloud.
A user can now log in with the LOGIN URL. This redirects to the Okta sign-in page; if the user is already signed in to Okta, the page redirects straight back to Spectro Cloud. This completes the sign-in process for the user.
Any non-admin user added to a tenant must be placed in at least one team when the admin creates them; the team can be changed later if needed. See the "teams" section for details on teams and how to create them. A user who is not in any team can still log in successfully but will not see anything in the console. The SpectroTeam attribute carries the team(s) the user is authorized for, which gives the admin the flexibility to assign teams from either Spectro Cloud or Okta. SpectroTeam values are case-sensitive, so the tenant admin must ensure that team names are identical in both consoles. A team named on the IdP side that does not exist in Spectro Cloud is ignored.
A typical use case is a tenant admin adding a new member to the Spectro Cloud tenant. The admin can define a default team common to all users and set it once in the Spectro Cloud SAML panel. When a new user is added, the IdP dashboard can then be used to place the user in additional teams as required. Without this arrangement, the tenant admin would have to add the user and then perform the team assignment separately each time.
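The team rules above (exact, case-sensitive matching against teams that already exist in the tenant; unknown names ignored; a default team applied to everyone; login still succeeds with an empty console when no team matches) are easy to get wrong when an IdP group is renamed. The following Python models those rules against a SAML assertion shaped like what Okta emits for the app configured in the steps above. It is an added illustration, not Spectro Cloud's own code: the assertion, the user, the team names, and the `default_team` parameter (standing in for the one-time default-team setting the page describes) are all constructed assumptions, and signature verification is left out on purpose.

```python
"""Resolve a user's teams from the SpectroTeam attribute of a SAML assertion,
applying the rules the page describes: an IdP-supplied team name counts only if
it exactly (case-sensitively) matches a team that exists in the tenant, unknown
names are ignored, and the default team is added for every user.

Added illustration of those rules, not Spectro Cloud's own code. The
assertion, user and team names are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion: NameID is the email address (as configured in Okta),
# and SpectroTeam carries one AttributeValue per team.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SpectroTeam"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>platform-engineering</saml:AttributeValue>
      <saml:AttributeValue>SecOps</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> tuple:
    """Return (email, [SpectroTeam values]) from an assertion.

    Signature verification is out of scope here; in practice the assertion must
    be validated against the IdP signing certificate before any attribute is
    trusted.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID must use the emailAddress format")
    teams = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != "SpectroTeam":
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                teams.append(value.text.strip())
    return name_id.text.strip(), teams


def resolve_teams(claimed, tenant_teams, default_team=None) -> dict:
    """Apply the matching rules to the SpectroTeam values.

    Returns the teams granted, the claimed names ignored for lack of an exact
    match, and whether the user would see anything in the console.
    """
    known = set(tenant_teams)
    granted = [t for t in claimed if t in known]      # exact, case-sensitive
    ignored = [t for t in claimed if t not in known]  # e.g. "SecOps" vs "secops"
    # A default team only helps if it exists in the tenant, like any other name.
    if default_team is not None and default_team in known and default_team not in granted:
        granted.append(default_team)
    return {
        "granted": granted,
        "ignored": ignored,
        # No matching team: login succeeds but the console shows nothing.
        "console_visible": bool(granted),
    }


def login_from_assertion(xml_text, tenant_teams, default_team=None) -> dict:
    email, claimed = parse_assertion(xml_text)
    result = resolve_teams(claimed, tenant_teams, default_team)
    result["user"] = email
    return result


if __name__ == "__main__":
    tenant = ["everyone", "platform-engineering", "secops", "Finance"]
    print(login_from_assertion(SAMPLE_ASSERTION, tenant, default_team="everyone"))
```

In the sample, "SecOps" from Okta is dropped because the tenant team is spelled "secops"; that silent drop is exactly why the page insists the names be identical on both consoles.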