SSO provides convenient and secure access to our platform via your chosen identity provider.
All accounts can use our regular credentialed access, but by configuration SSO and using your identity provider:
You can have a single-click login from either our login page (Service Provider initiated access, SP) or from your app launcher (Identity Provider-Initiated access, idP)
You can ensure that removing a user's access in your identity system will prevent them from accessing the ScopeStack platform.
You can start using ScopeStack with credentialed access and switch to SSO at any time. ScopeStack can match existing user emails against the addresses provided by your identity provider.
We follow the following process to complete SAML-based SSO configuration:
The client provides some key information to our Support team. (outlined below)
Our dev team configures the information in our platform. After this is complete, we provide you back the metadata you need to complete the configuration on your end. If you need a metadata file, you can save the metadata link we provide back to you as an XML file.
We configure SSO for a single test user. First, that user tests logging in at scopestack.io and is authenticated through the company SSO provider. Then, that user tests logging in from the company application dashboard (IdP initiated)
We enable SSO for your account. A user with no record in ScopeStack logs in from the company application dashboard (IdP initiated).
Once we've completed these steps, you are good to go!
If you've purchased an SSO Integration, to start the configuration process, we need some information from your identity provider. You can provide the following information to our support team by emailing email@example.com
idp certificate (raw and/or plain text): This is typically in the form of a block of text
idp fingerprint (SHA1): This value is called Thumbprint in Azure AD, and is a string of letters and numbers that is typically generated to accompany the certificate
idp SSO target URL (SSO -> sign on): This is a URL
idp SLO target URL (SLO -> log out): This is a URL
A complete metadata file is also helpful: This is typically in the form of an XML file
For help finding these items, review these Help Documents from various common identity providers:
Quickstart: Enable single sign-on for an enterprise application in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso
Advanced certificate signing options in a SAML token in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options
Manage certificates for federated single sign-on in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on
Enable Salesforce as a SAML Identity Provider: https://help.salesforce.com/s/articleView?id=sf.identity_provider_enable.htm
Add SAML pass-through application to OKTA: https://help.okta.com/oag/en-us/Content/Topics/Access-Gateway/add-app-saml-pass-thru.htm
If you're not purchased SSO yet but would like to talk more about it, you can contact our Sales team at firstname.lastname@example.org.