Configuring Single Sign-On (SSO)

The service admin can configure SSO for their ProtoPie Enterprise environment.

With SSO, members can access ProtoPie through an authentication source of their choice, e.g., Okta, Auth0, or OneLogin. These are also known as identity providers (IdPs). This way, companies can centralize how they provide access to ProtoPie Enterprise.

SSO is an authentication scheme that lets users log in to applications and websites with a single set of credentials, without having to manage multiple usernames and passwords. Many organizations and enterprises have already included SSO in their internal policies to ensure security and convenience.

ProtoPie Enterprise supports two SSO protocols:

  • SAML 2.0
  • OpenID Connect (OIDC) – on top of OAuth 2.0

Setting Up SAML SSO

In SAML terminology, ProtoPie is the service provider (SP) that has to communicate with your identity provider (IdP) for authentication.

To set this up, add ProtoPie to your IdP. This comes down to two things: enter the assertion consumer service URL (spAcsUrl) from ProtoPie in your IdP, and enter the IdP Metadata URL from your IdP in ProtoPie.

  1. Go to Authentication in the Service Admin Settings.
  2. Enable SAML.
  3. Copy the assertion consumer URL.

How you add applications to your IdP differs per IdP. We outlined the steps for using Okta below.

SAML SSO with Okta

  1. Log in to Okta and go to the Applications page.
  2. Click on Add Application in the top left corner.
  3. Click on Create New App in the top right corner.
  4. Select SAML 2.0 as the Sign on method and click on Create.
  5. Enter ProtoPie as the app name under General Settings. For convenience, upload the ProtoPie logo. Then click on Next.
  6. Do the following regarding the SAML Settings.
    1. Paste the copied assertion consumer URL in both the Single sign on URL and Audience URI (SP Entity ID) fields.
    2. Select EmailAddress as the Name ID format.
    3. Enter firstName for the Name, and user.firstName for the Value. Then, click on Add Another.
    4. Enter lastName for the Name, and user.lastName for the Value.
    5. Click on Next.
  7. Select I'm a software vendor. I'd like to integrate my app with Okta and click on Finish.
  8. Assign users in the ProtoPie app in Okta. Go to the ProtoPie application, and click on the Assignments tab. Assign users by clicking on the Assign button.
  9. Click on the Sign On tab and then on View Setup Instructions.
  10. The Identity Provider Single Sign-On URL is basically the IdP Metadata URL you need. Copy this.
  11. Go back to Authentication in the Service Admin Settings.
  12. If you didn't already, enable SAML.
  13. Paste the IdP Metadata URL you copied from your IdP.
  14. Click on Update.

SAML SSO with Another IdP

To set up SAML SSO with another IdP, as with Okta, use the assertion consumer service URL (spAcsUrl) from ProtoPie and IdP Metadata URL from your IdP. Refer to the documentation of your preferred IdP on how to add new applications.

Setting Up OIDC SSO

OpenID Connect (OIDC) is an authentication protocol built on top of the OAuth 2.0 framework.

To set this up, add ProtoPie to your IdP. This comes down to two things: enter the callback URL (loginUrl) from ProtoPie in your IdP, and enter the authorization URL, token URL, client ID, and client secret from your IdP in ProtoPie.

  1. Go to Authentication in the Service Admin Settings.
  2. Enable OIDC.
  3. Copy the callback URL.

How you add applications to your IdP differs per IdP. We outlined the steps for using Okta below.

OIDC SSO with Okta

  1. Log in to Okta and go to the Applications page.
  2. Click on Add Application in the top left corner.
  3. Click on Create New App in the top right corner.
  4. Select OpenID Connect as the Sign on method and click on Create.
  5. Enter ProtoPie as the app name under General Settings. For convenience, upload the ProtoPie logo. Also, paste the copied callback URL in the Login redirect URIs field. Then click on Save.
  6. Assign users in the ProtoPie app in Okta. Go to the ProtoPie application, and click on the Assignments tab. Assign users by clicking on the Assign button.
  7. Click on the General tab. Copy both the client ID and the client secret.
  8. Click on the Sign On tab. You need both the Authorization URL and the Token URL. These two URLs differ per IdP. For Okta, the Authorization URL has the structure ${baseUrl}/oauth2/v1/authorize and the Token URL has the structure ${baseUrl}/oauth2/v1/token. Use the Issuer under OpenID Connect ID Token as the base URL. Learn more about how to compose your base URL.
  9. Go back to Authentication in the Service Admin Settings.
  10. If you didn't already, enable OIDC.
  11. Enter the authorization URL, token URL, client ID, and client secret.
  12. Click on Update.

OIDC SSO with Another IdP

To set up OIDC SSO with another IdP, as with Okta, you need the Callback URL from ProtoPie, and the Authorization URL, Token URL, Client ID, and Client Secret from your IdP. Refer to the documentation of your preferred IdP on how to add new applications.

Managing Members

With SSO enabled, you still manage your members in ProtoPie Enterprise itself. When you add or remove users in your IdP, ProtoPie Enterprise does not reflect these changes automatically.

If you change a user's email address in the IdP, make the same change in ProtoPie Enterprise.
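
Because the two member lists drift apart, a periodic comparison shows which accounts need manual attention. The following is an added example, not part of ProtoPie: it assumes you can obtain both lists as CSV with email, firstName, and lastName columns, the sample rows are constructed, and the name-based match for changed emails is only a hint for manual review.

```python
import csv
import io

# Constructed sample data; the column names are assumptions for this example.
IDP_ASSIGNED = """email,firstName,lastName
ada@example.com,Ada,Lovelace
grace.hopper@example.com,Grace,Hopper
linus@example.com,Linus,Torvalds
"""
PROTOPIE_MEMBERS = """email,firstName,lastName
Ada@Example.com,Ada,Lovelace
grace@example.com,Grace,Hopper
mallory@example.com,Mallory,Former
"""


def load(text):
    """Map each normalized email to a lowercased (firstName, lastName) pair."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row["firstName"].strip().lower(), row["lastName"].strip().lower())
        users[row["email"].strip().lower()] = name
    return users


def reconcile(idp_csv, members_csv):
    """Compare users assigned in the IdP with members in ProtoPie Enterprise."""
    idp, members = load(idp_csv), load(members_csv)
    stale = set(members) - set(idp)      # members without an IdP assignment
    pending = set(idp) - set(members)    # assigned in the IdP, not yet members
    # Same name on both sides with a different email: likely changed in the IdP.
    idp_by_name = {idp[email]: email for email in pending}
    changed = {}
    for old in sorted(stale):
        new = idp_by_name.get(members[old])
        if new:
            changed[old] = new
    return {
        "email_changed": changed,
        "remove_from_protopie": sorted(stale - set(changed)),
        "not_yet_member": sorted(pending - set(changed.values())),
    }


if __name__ == "__main__":
    for finding, value in reconcile(IDP_ASSIGNED, PROTOPIE_MEMBERS).items():
        print(finding, value)
```

Entries under remove_from_protopie are members who no longer have an assignment in the IdP and should be reviewed first.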
