SAML 2.0 Based SSO

To set up IdP-based SSO, log in to the Spectro Cloud console as the tenant admin. Access the tenant admin settings area by clicking the "Admin" button on the left panel. Choose the IdP from the "Service" dropdown menu. Select "Settings" from the "Admin menu" and then click "SAML" in the Spectro Cloud console to view the SAML panel. Toggle the Enable SSO button to bring up the configuration boxes. The following parameters are then displayed; they are needed to register Spectro Cloud as a "Service Provider" with the IdP:

  1. EntityId
  2. NameId Format
  3. Login URL
  4. FirstName
  5. LastName
  6. Email
  7. SpectroTeam
  8. Service Provider Metadata

Using these parameters, add Spectro Cloud as the Service Provider (SP) application in the IdP's configuration. IdP-specific details follow.

The next step is to copy the Identity Provider Metadata from the IdP into the Spectro Cloud SAML panel. Click "Confirm" to complete the setup.

Detailed instructions

Okta

In the Spectro Cloud SAML Panel, after selecting Okta as the IdP service from the dropdown, copy the Login URL using the copy icon next to the URL box. This URL, along with other information such as the Service Provider Metadata, is needed to add Spectro Cloud as a new "application" in your Okta dashboard.

In a new tab, open www.okta.com and log in to access its dashboard.

Under the Applications main tab, select the Applications option again.

Click Add Application and then click the Create New App option.

In the window that opens next, under "General Settings", choose "Web" as the "Platform" and select SAML 2.0 as the sign-on method. Click Create to add the new app.

Your new app is added to Okta and needs to be configured. Give the newly created app a name.

We strongly recommend using the ENTITYID exactly as shown in the Spectro Cloud SAML Panel as the app name.

Click Next to go to the "Configure SAML" tab.

In the "GENERAL" section, the "Single Sign On URL" should be the same as the LOGIN URL in the Spectro Cloud SAML Panel. Check the box for "Use this for Recipient URL and Destination URL."

Copy-paste the ENTITYID from the Spectro Cloud SAML Panel into the "Audience URI (SP Entity ID)".

In the "NameID format", select EmailAddress from the dropdown. In the "ATTRIBUTE STATEMENTS (OPTIONAL)" section, add the following fields:

Name         | Name Format (Optional) | Value
-------------|------------------------|------------------------------------------------
FirstName    | unspecified            | user.firstName
LastName     | unspecified            | user.lastName
Email        | unspecified            | user.email
SpectroTeam  | unspecified            | Enter the default team. See the explanation below.

Finish the "teams" configuration and click Next to access the last tab on the Okta dashboard, which is the Feedback tab. Here, select the "I'm a software vendor" option and click Finish to complete the Okta configuration.

This returns you to the Okta Applications page, where the Spectro Cloud app should now be visible. Under the Sign On tab, click the View Setup Instructions button. This opens a new tab showing the IdP SAML details. Copy the IDP Metadata and paste it into the corresponding box in the Spectro Cloud SAML Console. Click Confirm to finish the process. A success banner at the top left confirms that the configuration is complete.

With this, the tenant admin is ready to start adding users from the Okta dashboard. On the Okta Applications page, under the Spectro Cloud application, use the Assignments tab to add users. Click the Assign button and select the Assign to people option. (If you have set up groups, you can assign by group as well.) In the popup window, select the users who are to be given access to Spectro Cloud.

A user can now log in with the LOGIN URL. This automatically redirects to the Okta sign-in page. If the user is already signed in to Okta, the page redirects back to Spectro Cloud automatically.

This completes the sign-in process for the user.

References

https://developer.okta.com/docs/guides/build-sso-integration/saml2/before-you-begin/

About the SpectroTeam Parameter

Any non-admin user added to a tenant must be added to at least one team when created by the admin. This team can be changed later if needed. See the "teams" section for more details on teams and how to create them. If a user is not added to any team, the user can still log in successfully but will not be able to see the console. The SpectroTeam attribute carries the team(s) available to the user being authorized. This gives the admin the flexibility to add users to teams from both Spectro Cloud and Okta. The values of the SpectroTeam parameter are case-sensitive, so the tenant admin should ensure that the team names are identical in both consoles. A team asserted by the IdP that does not exist in Spectro Cloud is ignored.

A sample use case: a new member is to be added to the Spectro Cloud tenant by the tenant admin. The admin can define a default team that is common to all users and apply it in the Spectro Cloud SAML Panel as a one-time setting. When a new user is added, the IdP dashboard can then be used to add that user to additional teams as required. Without this arrangement, the tenant admin would need to add the user and then perform the team assignment separately each time.
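To make the SpectroTeam rules above concrete, here is an added example (not Spectro Cloud's or Okta's code) that parses the AttributeStatement of a constructed SAML assertion and resolves the user's teams: the tenant's default team is combined with the IdP-asserted teams, matching is exact and case-sensitive, and unknown teams are dropped. The assertion, team names and function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (not a real Okta or
# Spectro Cloud message). Response envelope and XML signature are omitted;
# a real SP must verify the signature before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="SpectroTeam">
      <saml:AttributeValue>platform-ops</saml:AttributeValue>
      <saml:AttributeValue>Security</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_teams(attrs, tenant_teams, default_team=None):
    """Union of the SAML Panel default team and the IdP-asserted SpectroTeam
    values, keeping only names that exist in the tenant (case-sensitive)."""
    requested = list(attrs.get("SpectroTeam", []))
    if default_team:
        requested.append(default_team)
    return sorted({t for t in requested if t in tenant_teams})


def console_visible(teams):
    """A user with no resolved team can log in but cannot see the console."""
    return len(teams) > 0
```

With the tenant teams {"default", "platform-ops", "security"} and "default" as the panel setting, "Security" is dropped because its case differs and "contractors" because the tenant has no such team.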