Single sign-on (SSO)

Single sign-on (SSO) is an authentication method that enables users to securely log in to multiple applications and websites using just one set of credentials.

This article will guide you through setting up SSO, enabling regular login for specific users, and everything else you need to know about this sign-in method.

1. Setting up SSO

The SSO setup process has 4 steps:

1. Obtaining SSO credentials from Scoro for the IdP setup
2. Creating and configuring a custom SAML connector on the IdP side and adding the IdP credentials to Scoro:
   • Creating and configuring a custom SAML connector in IdP using Scoro credentials (IdP specific)
   • Obtaining SSO credentials from IdP and adding them to Scoro for setup
3. Configuring and verifying SSO in Scoro
4. Enabling SSO in Scoro

Step 1: Obtain SSO credentials from Scoro for the IdP setup

Open the single sign-on settings in Scoro under Settings > Administration > Single sign-on (SSO).

Step 2: Create a custom SAML connector on the IdP side and configure SSO credentials on both sides

Log in to your Identity Provider (IdP) account as an administrator in another tab or browser.

The creation and configuration steps may be different for various IdP providers - below are the instructions for the most common ones:

• OneLogin
• Okta
• Microsoft Entra ID

OneLogin

1. Go to Administration > Applications > Add App and search for “SAML Custom Connector (Advanced)“.
2. Once saved as a company app, you can start configuring the SAML connection.
3. Go to the SSO tab, where you can see the OneLogin's specific SSO fields.
   1. Copy the Issuer URL into Scoro's Identity Provider Issuer field.
   2. Copy SAML 2.0 Endpoint into Scoro's Identity Provider SSO URL field.
   3. Copy the X.509 certificate into Scoro's Certificate field.
4. Once you've done this, Scoro's specific configuration will be available. Navigate to the Configuration tab in OneLogin and fill out the next fields.
   1. Copy Scoro's Audience URI (Entity ID) value into the Audience (EntityID) field.
   2. Leave the Recipient field empty.
   3. Copy Scoro's Assertion Consumer Service (ACS) URL into OneLogin's ACS (Consumer) URL fields.
   4. If you need Single Logout, copy Scoro's Service Provider SLO URL into the Single Logout URL field in OneLogin.
5. Save your configuration in OneLogin.

Okta

1. Navigate to Applications and choose “Create App Integration“.
2. Choose “SAML 2.0” and click Next.
3. Add a name and a logo to the app, if needed.
4. Configure Okta’s SAML settings:
   1. Add Assertion Consumer Service (ACS) URL from the Scoro SSO settings page to the Single Sign-On URL in Okta.
   2. Add Audience URI (Entity ID) from the Scoro SSO settings page to Audience URI in Okta.
   3. Leave RelayState empty.
   4. Make sure to set the NameID format to EmailAddress and click Next, followed by Finish.
5. Now you have access to Okta's SAML values. Click View Setup Instruction in the Sign-On tab, which will open a separate page with SAML values.
6. Configure Scoro’s SSO settings:
   1. Copy Okta's Identity Provider Single Sign-On URL into Scoro's Identity Provider SSO URL field.
   2. Copy Okta's Identity Provider Issuer into Scoro's Identity Provider Issuer field.
   3. Copy X.509 certificate into Scoro's Public Certificate field.
7. If you want to provide additional attribute mapping in Okta or just change the existing configuration.
   1. Go to the General tab and click Edit on the SAML Settings section.
   2. With Show Advanced Settings you have the choice of configuring Single Logout.
      1. Okta supports only signed Single Logout and SP initiated logout (that is, when you log out of your Scoro account, you will also be logged out of Okta). Unfortunately, Scoro doesn’t support it yet.

Microsoft Entra ID

1. Create a new SAML Application in Microsoft Entra ID
   1. In the Microsoft Entra ID Portal, select Enterprise Applications and click New application.
   2. Click Create your own application.
   3. Add a Name for the applications, choose “Integrate any other application you don't find in the gallery (Non-gallery)” and click Create.
   4. Go to Manage menu and click Single sign-on.
   5. Click SAML and then click the pencil icon to edit the basic SAML configuration.
   6. Using the information provided on the Service Provider tab in Scoro, complete the following fields:
      - In the Identifier (Entity ID) field paste the Audience URI (Entity ID) from Scoro.
      - In the Reply URL (Assertion Consumer Service URL) field paste the Assertion Consumer Service (ACS) URL from Scoro.
      - In the Logout Url field paste the Service Provider SLO URL.
2. Set up Scoro SAML IdP settings
   1. In the SAML Signing Certificate section in Microsoft Entra ID, click Download to download the Certificate (Base64) and save it on your computer.
   2. In your Scoro account, paste the contents of the file to the Public Certificate field under the SSO tab in Scoro.
   3. Set up the Scoro SSO Identity Provider tab:
      1. In Scoro's SSO URL field paste the Login URL.
      2. In Scoro's Entity ID field paste the Microsoft Entra ID Identifier.
      3. (Optional) In Scoro's Identity Provider Single Logout Url paste the Logout URL.
         

Step 3: Verify SSO configuration in Scoro

Once the IdP side is configured and IdP credentials are added to Scoro, click the Connect button at the bottom of the SSO settings page to verify the SAML integration.

The verification process itself can go by three different scenarios:

1. The browser is already logged into IdP, and the system will just refresh the page and the user receives a message. 
2. The user is directed to IdP to log in, after which the user will be directed back to Scoro and receive a message. Note! The verification login must be performed within the 5-minute window, or the user will have to retry the verification.
3. The user receives an error message.

If there are any errors, the user will receive an error message and cannot enable SSO before all errors are cleared.

If all the fields were added correctly, the system will notify the user that the credentials were verified and SSO can be enabled.

Step 4: Enable SSO in Scoro

Once the SSO is successfully verified, go to Settings > Administration > Single sign-on (SSO) and enable SSO by switching on the toggle.

While enabling the SSO, a message will appear stating that security settings have been updated. All active sessions will be closed, and all users will be logged out of Scoro in 5 minutes.

Once enabled, all users, including site administrators, can log in to your site using only SSO.

2. Disabling user-based API

If you want to prevent the mobile app login, user-based API, and Zapier automations, switch on the Disable user-based API toggle in your single sign-on (SSO) settings page. Please note that when disabled, any settings you've set up via Zapier will stop working.

3. Enabling regular login for specific users

After enabling SSO, you can also enable the regular username and password login method for specific users who aren't able to use SSO to access your site:

1. Go to Settings > Administration > Single sign-on (SSO)
2. Enable the Allow regular login toggle
3. Under the Users with password access enabled section, add users that need to use the regular login.

To remove the regular login access from a user, simply click on their name.

You can also grant password access to a specific user individually by modifying their account under Settings > Administration > Users and groups and ticking the Allow regular login in addition to SSO checkbox.

4. Updating the certification before its expiration

7 days before the actual expiration of the current SSO certification, an email is sent to all administrators. This means that a new certificate will have to be generated on the IdP side and updated in Scoro.

To update the certificate in Scoro, take these steps:

1. Disable SSO.
2. Disconnect the connection with the SSO service provider.
3. Add the new certificate to Scoro.
4. Verify the new certificate.
5. Enable SSO.