Enterprise Kubernetes - SSO Setup

What is SSO?

Single sign-on (SSO) enables users to securely authenticate with multiple applications and websites by logging in with just one set of credentials. If your company has integrated your SSO with Scope AR, your WorkLink CMS Administrator can add you as a licensed user using your network credentials.


Edit SSO settings

As a WorkLink CMS Administrator, sign in to the CMS, click on Company Info, and then select the SSO tab.


  1. Click on Add SSO Provider.

  2. Enter a description that identifies the provider.

  3. Choose a Type: OAuth, SAML, or Azure.


Available Providers

OAuth


Base URL: The full URL of the SSO provider.
Client ID: The client identifier issued by the SSO provider when you registered the CMS as an application.
Client Secret: The client secret issued by the SSO provider for that registration. Treat it as a password: it is what proves to the provider that requests come from the CMS.
Domains: Your company's domain, e.g. scopear.com


SAML

IDP Metadata URL: The full URL of the identity provider's SAML metadata document. The CMS reads the provider's entity ID, single sign-on endpoints and signing certificate from it.
Advanced Settings:

  • Request Payload Options

  • Response Validation Options

Domains: Your company's domain, e.g. scopear.com


Azure

Base URL: The full URL of the SSO provider.
Client ID: The client (application) ID issued by Azure when you registered the CMS as an application.
Client Secret: The client secret issued by Azure for that registration. Treat it as a password.
Domains: Your company's domain, e.g. scopear.com


Set up Azure and SAML SSO

As an administrator, sign in to the CMS and click on SSO in the Company Info section. Then click on Add SSO Provider.


SAML Configuration

  1. Enter a name for the SSO provider in the name field and choose SAML as the type.

  2. Enter the IDP Metadata URL, which is provided by Azure.

  • You can get this information from your Azure portal. Search for your SAML application under Enterprise applications and click on Single sign-on in the Manage menu.

  • Scroll down to SAML Certificates and copy the App Federation Metadata Url (this is your IDP Metadata URL).

  • Paste this link into the IDP Metadata URL field.

  3. Click on Advanced Settings and turn on Skip Subject.

  4. Click on Add Domain to add the domain you want to target, and then save.

  5. The SAML configuration is now listed on the Single Sign-On (SSO) page. Click on the pencil icon beside it to edit.

  6. Copy the generated Callback URL and paste it into the Azure portal.

  • It goes in the Reply URL (Assertion Consumer Service URL) field of the application's Basic SAML Configuration. Then click Save.

  • Note: The CMS URL must also be listed as the Identifier (Entity ID) in the same section, e.g., https://cms.scopear.com. Both values are https URLs with forward slashes; a backslash slip here will stop the assertion from being accepted.


Azure Configuration

  1. Enter the SSO provider's name in the name field and select Azure as the type.

  2. Enter the following:

  • Base URL: The full URL of the SSO provider.

  • Tenant: Azure has two authentication endpoints, V1 and V2. MFA is supported through V2, and V2 requires the tenant ID (V1 does not). You can retrieve the tenant ID from the Azure portal under All Services > App registrations.

  • Client ID: The client (application) ID issued by Azure when you registered the CMS as an application.

  • Client Secret: The client secret issued by Azure for that registration. Treat it as a password.

  • Domains: Your company's domain, e.g. scopear.com

Note: If you do not have a tenant ID but wish to use MFA, you must enable the multi-tenant account type on your app registration in the Azure portal. This allows the configuration to work without a tenant ID. Be aware that a multi-tenant registration accepts sign-ins from accounts in any Azure AD directory, not only your own, so supply the tenant ID whenever you can.
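Before pasting the App Federation Metadata Url into the CMS, and before choosing between a tenant ID and a multi-tenant registration, it helps to look at what Azure actually publishes. The script below is an added example written for this page; it is not Scope AR's or Microsoft's code. It parses a constructed stand-in for Azure's SAML federation metadata (the entityID form https://sts.windows.net/<tenant-id>/ and the login.microsoftonline.com endpoints are real Azure conventions; the certificate text is a placeholder, not a certificate), reports the signing certificate fingerprint, derives the tenant ID you need for the Azure V2 endpoint, builds the corresponding V2 authority, and checks the Reply URL and Identifier you are about to paste into Azure. The hostnames cms.example.com and the callback path are assumptions.

```python
"""Inspect Azure SAML federation metadata and derive the tenant ID.

Added example for this page, not Scope AR's or Microsoft's code. Assumes the
metadata layout Azure AD publishes at the App Federation Metadata Url.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample. A real document carries a base64 DER X.509 certificate;
# this one holds the base64 of "PLACEHOLDER-NOT-A-REAL-CERTIFICATE".
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entityID, SSO endpoints per binding and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    endpoints = {}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST
        endpoints[binding] = svc.get("Location")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append({
                "sha256": hashlib.sha256(der).hexdigest(),
                # DER-encoded X.509 always begins with a SEQUENCE tag (0x30).
                "is_der": der[:1] == b"\x30",
            })
    return {"entity_id": root.get("entityID"), "sso": endpoints, "signing_certs": certs}


def tenant_id_from_entity_id(entity_id: str) -> Optional[str]:
    """Azure AD SAML entityIDs have the form https://sts.windows.net/<tenant-id>/."""
    m = re.fullmatch(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/", entity_id or "")
    return m.group(1).lower() if m and GUID.match(m.group(1)) else None


def check_idp_metadata(meta: dict) -> list:
    """Problems to resolve before trusting this metadata URL in the CMS."""
    problems = []
    if not ({"HTTP-POST", "HTTP-Redirect"} & set(meta["sso"])):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, url in meta["sso"].items():
        if urlparse(url).scheme != "https":
            problems.append(f"{binding} endpoint is not https: {url}")
    if not meta["signing_certs"]:
        problems.append("no signing certificate: SAML responses cannot be verified")
    for c in meta["signing_certs"]:
        if not c["is_der"]:
            problems.append(f"signing cert {c['sha256'][:12]}... is not a DER X.509 blob")
    return problems


def check_sp_urls(callback_url: str, identifier: str) -> list:
    """The Reply URL and Identifier pasted into Azure must be https URLs on the CMS host."""
    problems = []
    for label, url in (("Reply URL", callback_url), ("Identifier", identifier)):
        if "\\" in url:
            problems.append(f"{label} contains backslashes: {url}")
        elif urlparse(url).scheme != "https" or not urlparse(url).netloc:
            problems.append(f"{label} must be an https URL with a host: {url}")
    if not problems and urlparse(callback_url).netloc != urlparse(identifier).netloc:
        problems.append("Reply URL and Identifier point at different hosts")
    return problems


def azure_v2_authority(tenant_id: Optional[str]) -> str:
    """V2 authority for a tenant (V1 is the same URL without the /v2.0 suffix).
    Without a tenant ID the 'common' authority is used, which Azure only accepts
    for multi-tenant app registrations."""
    return f"https://login.microsoftonline.com/{tenant_id or 'common'}/v2.0"


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    tenant = tenant_id_from_entity_id(meta["entity_id"])
    print(meta["sso"], check_idp_metadata(meta), tenant, azure_v2_authority(tenant))
    print(check_sp_urls("https://cms.example.com/sso/saml/callback", "https://cms.example.com"))
```

Run against the real metadata URL, the only expected problem is none; the constructed sample deliberately reports its placeholder certificate as not being DER, which is the same check that would catch a truncated or mangled certificate in a hand-edited metadata file. The fingerprint is worth recording: when Azure rotates the signing certificate, the value changes and the CMS must re-read the metadata URL.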

V2 Support

Additionally, a Scope Admin must edit the company and turn on Azure V2 (per company) before these settings take effect.