Configure Spotnana Single Sign-on (SSO) for your identity provider

Modified on Thu, 19 Sep at 10:53 AM

Introduction

These instructions explain how to configure Spotnana to connect to your Identity Provider (IdP) to support Single Sign-on (SSO). Once configured, your users will no longer need to enter a Spotnana-specific user ID and password and will instead use SSO to access Spotnana. To configure Spotnana to support SSO, there are some steps that must be completed (one time only). The steps are organized into 3 sections:

  • Prerequisite tasks - Specific instructions on the information you need to gather from your IdP in advance. There are separate sections for SAML, OpenID Connect, and Standard (Google only).

  • Configuration steps in the Spotnana Online Booking Tool (OBT) - Specific instructions on how to configure the Spotnana connection to your IdP. There are separate sections for SAML, OpenID Connect, and Standard (Google only).

  • Testing - Specific instructions on how to test your connection between Spotnana and your IdP and ensure the configuration is working properly.

Prerequisites

SAML

Your metadata will be provided either as a text input from an XML document or as a URL that designates the location where your metadata file is hosted.  

  • If using a metadata XML, you will provide us with the actual XML file and the SAML email attribute. This attribute should correspond to the user’s email address.

  • If using a metadata document URL, you will provide us with the URL where your metadata document is hosted and the SAML email attribute. This attribute should correspond to the user’s email address.

OpenID Connect

You must provide Spotnana with the following information.

  • Client ID - Your identity provider’s public identifier for your account.

  • Client Secret - A private key only known to your identity provider that is unique to your account and used to authenticate users.

  • Attribute request method (either GET or POST) - The HTTP method used to fetch the user details.

  • Issuer URL - The URL used to receive authentication requests.

  • OpenID Connect email attribute - The attribute used to identify individual users. This attribute should correspond to the user’s email address.

Google Standard

There are no prerequisites for this configuration option.

Configuration steps in the Spotnana Online Booking Tool

SAML

To begin configuring your SSO connection, log into the OBT, select Company from the Program menu, expand the Configuration menu (on the left) and select Integration. Then select the SSO tab and click Connect next to the SAML option. 


  1. The Configuring SAML in your IdP screen will appear. This screen supplies you with two values, ACS/Reply URL and Entity ID, that can be used to configure your IdP to accept requests from and send responses to us. Use the copy button to copy each of these values into your clipboard and paste them into the corresponding field in your IdP. Once you have done that and saved the values in your IdP, click Next here. 

  2. Specify the source of your SAML metadata document. Select either Metadata XML or Metadata document endpoint URL.

    1. If you selected Metadata XML:

      • You will be prompted to provide the XML data from your IdP. Copy and paste the XML data into the dialog box.

        • Note: Be sure to include the following in your XML:
          <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="yourIdPSAMLredirectURL"/>
          If you are unable to edit your XML directly, be sure to set your IdP to Require IDP Redirect URL.

      • Enter your SAML email attribute when prompted and click Connect.

    2. If you selected Metadata document endpoint URL:

      • Enter the URL where your metadata document is hosted in the Endpoint URL field.

      • Enter your SAML email attribute in the relevant field.

  3. Click Connect when done.

OpenID Connect

To begin configuring your SSO connection, log into the OBT, select Company from the Program menu, expand the Configuration menu (on the left) and select Integration. Then select the SSO tab and click Connect next to the OpenID Connect option.

  1. Specify the values for the following fields:

    • Attribute request method (GET or POST).

    • Client ID

    • Client Secret

    • Issuer URL

    • OpenID Connect email attribute

  2. Click Connect when done.

Google Standard

To begin configuring your SSO connection, log into the OBT, select Company from the Program menu, expand the Configuration menu (on the left) and select Integration. Then select the SSO tab and click Connect next to the Google Standard option.

Testing 

Once you have configured Spotnana to connect to your IdP, you and your users should test that the SSO functionality is working properly. You will be prompted to do the following: 

  1. Log out of Spotnana.

  2. Access the login page.

  3. Select the SSO login option. You will be redirected to your IdP’s login page.

  4. Enter your user ID and password for your IdP. You will be redirected back to Spotnana and logged in automatically.

Note: If this SSO redirect does not function properly for any of your users, they will still be able to log in using their Spotnana user ID and password credentials.


If you change any of your SSO connection settings in Spotnana, this test workflow will be re-initiated. 

Troubleshooting

If all users at your company encounter issues during the testing phase, try the following:

  • Ensure all connection details are accurate and have been entered correctly in Spotnana.

  • Ensure your identity provider (IdP) system is configured correctly and is accessible.

If only a few individual users at your company have issues, it’s likely that those users don’t yet exist in Spotnana, in your IdP, or in both.

Caveats

SAML

  • Identifiers: We do not support identifiers which are used to redirect users to the IdP in multi-tenant apps.

  • Automatic sign out: We automatically log the user out of Spotnana when they are logged out of their IdP.

  • IdP-initiated SAML sign in: We require SP-initiated SAML assertions (industry best practice).

  • SAML signing and encryption: We do not support the signing of SAML requests or the requiring of encrypted SAML assertions.

OpenID Connect

  • Identifiers: We do not support identifiers which are used to redirect users to the IdP in multi-tenant apps.

  • Retrieve OpenID Connect endpoints: We only support Autofill through issuer URL and do not allow Manual Input for endpoints. We autofill the following: authorization endpoint, token endpoint, userinfo endpoint, and jwks_uri.
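As an added example (not Spotnana's own code) covering both the OpenID Connect prerequisites and the autofill caveat above: the OBT fills in the authorization, token and userinfo endpoints and jwks_uri from your Issuer URL, which is what OpenID Connect Discovery publishes at <issuer>/.well-known/openid-configuration. This script checks a discovery document you have fetched yourself against the issuer you intend to configure; the sample document here is constructed.

```python
import json
from urllib.parse import urlsplit

# The four endpoints the OBT autofills from the Issuer URL (see the OpenID Connect caveats).
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample discovery document (not from a real provider).
SAMPLE_DOC = """{
  "issuer": "https://login.example.com",
  "authorization_endpoint": "https://login.example.com/oauth2/authorize",
  "token_endpoint": "https://login.example.com/oauth2/token",
  "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
  "jwks_uri": "https://login.example.com/oauth2/keys",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}"""

def discovery_url(issuer):
    """Where OpenID Connect Discovery expects the provider configuration document to live."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery_document(issuer, document_json):
    """Validate a fetched discovery document against the configured issuer; return problems."""
    doc = json.loads(document_json)
    problems = []
    # Discovery requires the document's "issuer" to be identical to the issuer it was
    # fetched for; a mismatch means ID tokens will carry an "iss" you did not configure.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer}, document says {doc.get('issuer')}")
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            problems.append(f"{name} missing, autofill from issuer URL will fail")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{name} is not https: {url}")
    # The OBT authenticates with a Client Secret, so the token endpoint must accept one.
    # The Discovery spec's default when the field is absent is client_secret_basic.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("token endpoint does not accept client_secret authentication")
    return problems
```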
