Single sign-on (SSO) is an authentication method that enables users to securely log in to multiple applications and websites using just one set of credentials.
1. Setting up SSO
- For SSO to work, the connection has to be set up between Scoro and Identity Provider (IdP) using a custom SAML connector.
- User matching and the login between Scoro and the IdP are done via email (the NameID value has to be set to the user's email address).
1.1 General overview of setup
The setup is divided into 4 steps:
- Obtaining SSO credentials from Scoro for the IdP setup.
- Creating and configuring a custom SAML connector on the IdP side using Scoro's credentials, then obtaining the IdP credentials and adding them to Scoro (IdP specific).
- Configuring and verifying SSO in Scoro.
- Enabling SSO in Scoro.
All steps except step 2 are the same for every IdP; step 2 varies between IdP providers. Each step is explained in more detail in the next section, and the necessary actions for the most common IdP providers are listed there.
To set up SSO, follow the four steps below.
1. Obtaining SSO credentials from Scoro for the IdP setup
Open the single sign-on settings in Scoro: Settings > Administration > Single sign-on (SSO). The values the IdP needs (Audience URI (Entity ID), Assertion Consumer Service (ACS) URL and Service Provider SLO URL) are shown on the Service Provider tab.
2. Creating a custom SAML connector on the IdP side and configuring SSO credentials on both sides
Log in to your Identity Provider (IdP) account as an administrator in another tab or browser.
The creation and configuration steps differ per IdP and are explained separately for the most common IdPs below.
OneLogin
- Go to Administration > Applications > Add App and search for "SAML Custom Connector (Advanced)".
- Once saved as a company app, you can start configuring the SAML connection.
- Go to the SSO tab, where you can see OneLogin's specific SSO fields:
  - Copy the Issuer URL into Scoro's Identity Provider Issuer field.
  - Copy the SAML 2.0 Endpoint into Scoro's Identity Provider SSO URL field.
  - Copy the X.509 certificate into Scoro's Public Certificate field.
- Once you've done this, Scoro's specific configuration will be available. Navigate to the Configuration tab in OneLogin and fill out the following fields:
  - Copy Scoro's Audience URI (Entity ID) value into the Audience (EntityID) field.
  - Leave the Recipient field empty.
  - Copy Scoro's Assertion Consumer Service (ACS) URL into OneLogin's Recipient and ACS (Consumer) URL fields.
  - If you need Single Logout, copy Scoro's Service Provider SLO URL into the Single Logout URL field in OneLogin.
- Save the OneLogin configuration.
Okta
- Navigate to Applications and choose "Create App Integration".
- Choose "SAML 2.0" and click Next.
- Add a name and a logo to the app, if needed.
- Configure Okta's SAML settings:
  - Add the Assertion Consumer Service (ACS) URL from the Scoro SSO settings page to the Single Sign-On URL in Okta.
  - Add the Audience URI (Entity ID) from the Scoro SSO settings page to the Audience URI in Okta.
  - Leave RelayState empty.
  - Make sure to set the NameID format to EmailAddress and click Next, followed by Finish.
- Now you have access to Okta's SAML values. Click View Setup Instructions in the Sign-On tab, which opens a separate page with the SAML values.
- Configure Scoro's SSO settings:
  - Copy Okta's Identity Provider Single Sign-On URL into Scoro's Identity Provider SSO URL field.
  - Copy Okta's Identity Provider Issuer into Scoro's Identity Provider Issuer field.
  - Copy the X.509 certificate into Scoro's Public Certificate field.
- If you want to add attribute mapping in Okta or change the existing configuration:
  - Go to the General tab and click Edit on the SAML Settings section.
  - Under Show Advanced Settings you have the option of configuring Single Logout.
  - Okta supports only signed Single Logout and SP-initiated logout (that is, when you log out of your Scoro account, you are also logged out of Okta). Unfortunately, Scoro doesn't support it yet.
Azure AD
- Create a new SAML application in Azure AD:
  - In the Azure Portal, select Enterprise Applications and click New application.
  - Click Create your own application.
  - Add a Name for the application, choose "Integrate any other application you don't find in the gallery (Non-gallery)" and click Create.
  - Go to the Manage menu and click Single sign-on.
  - Click SAML and then click the pencil icon to edit the basic SAML configuration.
  - Using the information provided on the Service Provider tab in Scoro, complete the following fields:
    - In the Identifier (Entity ID) field paste the Audience URI (Entity ID) from Scoro.
    - In the Reply URL (Assertion Consumer Service URL) field paste the Assertion Consumer Service (ACS) URL from Scoro.
    - In the Logout Url field paste the Service Provider SLO URL from Scoro.
- Set up the Scoro SAML IdP settings:
  - In the SAML Signing Certificate section in Azure AD, click Download to download the Certificate (Base64) and save it on your computer.
  - In your Scoro account, paste the contents of the file into the Public Certificate field under the SSO tab.
- Set up the Scoro SSO Identity Provider tab:
  - In Scoro's Identity Provider SSO URL field paste the Azure AD Login URL.
  - In Scoro's Identity Provider Issuer (Entity ID) field paste the Azure AD Identifier.
  - (Optional) In Scoro's Identity Provider Single Logout URL field paste the Azure AD Logout URL.
3. Verifying SSO configuration in Scoro
Once the IdP side is configured and IdP credentials are added to Scoro, click the Connect button at the bottom of the SSO settings page to verify the SAML integration.
The verification can play out in one of three ways:
- The browser already has an IdP session: the page simply refreshes and the user receives a confirmation message.
- The user is redirected to the IdP to log in, after which they are sent back to Scoro and receive a confirmation message. Note! The verification login has to be completed within a 5-minute window, otherwise the user has to retry the verification.
- The user receives an error message.
If there were any errors, the user receives an error message and cannot enable SSO until all errors are cleared.
If all the fields were added correctly, the system notifies the user that the credentials were verified and SSO can be enabled.
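To make the verification step concrete, here is an added illustration (not Scoro's or any IdP's code) of the checks a service provider applies to a SAML Response delivered to its ACS URL: Destination against the ACS URL, Issuer against the Identity Provider Issuer, Audience against the Audience URI (Entity ID), NameID set to an email address as required for user matching, and assertion expiry. The URLs, issuer and response are constructed sample values; signature verification against the IdP's X.509 certificate is assumed to happen before these checks and is not shown.

```python
# Added illustration, not Scoro's or any IdP's code: the checks a service
# provider applies to a SAML Response delivered to its ACS URL. Signature
# verification against the IdP's X.509 certificate is assumed to run first.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-ins for the values shown on Scoro's SSO settings page.
SP_CONFIG = {"acs_url": "https://example.scoro.com/sso/acs",        # ACS URL
             "audience": "https://example.scoro.com/sso/metadata",  # Audience URI (Entity ID)
             "idp_issuer": "https://idp.example.test/saml"}         # Identity Provider Issuer

# Constructed, unsigned SAML Response used as sample input.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://example.scoro.com/sso/acs">
  <saml:Assertion><saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.scoro.com/sso/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""


def check_response(xml_text, cfg, now=None):
    """Return the list of mismatches; an empty list means the response fits cfg."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != cfg["acs_url"]:
        problems.append("Destination is not the ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    if a.findtext("saml:Issuer", "", NS) != cfg["idp_issuer"]:
        problems.append("Issuer does not match Identity Provider Issuer")
    aud = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if a.findtext(aud, "", NS) != cfg["audience"]:
        problems.append("Audience does not match Audience URI (Entity ID)")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT or "@" not in (nid.text or ""):
        problems.append("NameID must be the user's email address")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    exp = scd.get("NotOnOrAfter") if scd is not None else None
    if exp is None or datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        problems.append("assertion expired (NotOnOrAfter)")
    return problems
```

A mismatch in any one of these fields is exactly the kind of error the Connect button reports, and each message names the Scoro field to recheck.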
4. Enabling SSO in Scoro
SSO can only be enabled if it is successfully verified.
When SSO is enabled, a message is shown that the security settings have been updated; all active sessions are closed and all users are logged out of Scoro within 5 minutes.
After enabling SSO, an extra setting appears that allows only administrators (the default), or both administrators and regular users, to continue logging into Scoro with their username and password in addition to SSO.
2. Updating the certificate
7 days before the current SSO certificate expires, an email is sent to all administrators. A new certificate then has to be generated on the IdP side and updated in Scoro.
To update the certificate in Scoro, take these steps:
- Disable SSO.
- Disconnect the existing SSO connection.
- Add the new certificate to Scoro.
- Verify the new certificate.
- Enable SSO.