Set up your SSO provider, verify your domain, and add users for single sign-on.
Span™ Workspace supports single sign-on (SSO) through Windows® Azure® Active Directory®, Okta™, PingFederate® or OneLogin™. Once Span Workspace has been added to the SSO provider, a subscription administrator can enable SSO for subscription users. SSO works with both the Span Workspace wall client and the Span Workspace web client. However, a user must first sign in with SSO through the web client before SSO sign-in becomes available to them in the Span Workspace wall client.
The steps below will guide an administrator through setting up Span Workspace with their SSO account and then configuring their SSO settings within the Span Workspace web client.
To see an example of a Span Workspace SSO user experience, see our Using SSO with Span Workspace article.
Click on the header of your SSO service provider below to view instructions on setting up your service provider to be compatible with Span Workspace.
By default, each user decides whether to grant the Span Azure AD application access to their Azure AD information when they first sign in. If your Azure AD tenant is configured to require administrator consent, an administrator must grant that permission to the Span Azure AD application before users can sign in with SSO.
The PingFederate administrative console is likely to be at a URL of the form https://<hostname_of_pingfederate_server>:9999/pingfederate/app
If the OAuth Server tab is not visible, it's likely that your PingFederate server is not configured for OpenID Connect. Refer to the PingFederate administrative guide to complete this step.
The next steps guide you through how to add an OpenID Connect Policy for Span, which maps an appropriate directory attribute onto the sub claim.
For example, a user principal name, a unique username or (only if you can guarantee it is unique per user in your directory) an e-mail address. Whatever attribute you choose must be unique to one user and must not change or be reassigned later, because the sub claim is the identifier a relying party such as Span uses to recognize the signed-in user.
This secret will be used as the client secret when configuring Span.
9. Set the Allowed Grant Types to Authorization Code
10. Select the Policy you created earlier
11. Click Save
The last piece of information you will need before configuring Span is the base URL of your PingFederate runtime server, which listens on port 9031 by default (this is not the administrative console on port 9999). The URL will therefore appear as https://<hostname of Ping server>:9031/
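Once the OpenID Connect policy and client above are saved, a practitioner will want to confirm that the sub claim really carries the attribute they mapped and that it is unique across test users before pointing Span at the server. The script below is an added example, not part of this article and not Nureva's or Ping Identity's code. It decodes ID token payloads without verifying their signatures, which is adequate for eyeballing a policy during setup but is never a substitute for the signature and issuer verification that the relying party (Span) performs. The issuer hostname, client ID and the tokens themselves are constructed placeholders.

```python
"""Inspect ID tokens to confirm the sub claim is mapped to a unique attribute.

Added example (not Nureva's or Ping Identity's code). Payloads are decoded
WITHOUT signature verification: inspection only, never trust these claims.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed ID token (header.payload.placeholder) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"  # signature is a placeholder


def id_token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (unverified; inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_sub_mapping(tokens: list, issuer: str, client_id: str) -> list:
    """Check (label, id_token) pairs from several test users; return problems found."""
    problems = []
    seen = {}  # sub value -> label of the first user it was issued to
    for label, token in tokens:
        claims = id_token_claims(token)
        # iss is compared as an exact string by relying parties, trailing slash included.
        if claims.get("iss") != issuer:
            problems.append(f"{label}: iss {claims.get('iss')!r} != configured issuer {issuer!r}")
        aud = claims.get("aud")
        if aud != client_id and not (isinstance(aud, list) and client_id in aud):
            problems.append(f"{label}: aud {aud!r} does not include client_id {client_id!r}")
        sub = claims.get("sub")
        if not sub:
            problems.append(f"{label}: no sub claim; the OIDC policy maps nothing onto sub")
            continue
        if sub in seen and seen[sub] != label:
            problems.append(f"sub {sub!r} is shared by {seen[sub]} and {label}; map a unique attribute")
        seen.setdefault(sub, label)
    return problems


# Constructed placeholders, not real PingFederate output.
ISSUER = "https://pingfederate.example.com:9031"
CLIENT_ID = "span-workspace-client"

# Policy mapped the user principal name onto sub: one sub per user.
GOOD_TOKENS = [
    ("alice", make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice@nureva.com"})),
    ("bob", make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "bob@nureva.com"})),
]

# Policy mistakenly mapped a department attribute onto sub: two users collide.
BAD_TOKENS = [
    ("alice", make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "Sales"})),
    ("bob", make_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "Sales"})),
]

if __name__ == "__main__":
    print("good policy:", check_sub_mapping(GOOD_TOKENS, ISSUER, CLIENT_ID) or "OK")
    print("bad policy: ", check_sub_mapping(BAD_TOKENS, ISSUER, CLIENT_ID))
```

In practice you would paste the ID tokens obtained by signing in as two or three different test users (for instance from the PingFederate OAuth Playground or a browser's network tab) in place of the constructed ones; any collision reported means the attribute you chose in the policy is not unique per user.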
This dashboard can likely be found at https://<your_company>.onelogin.com/admin
The URL should resemble the following: https://<your_company>.onelogin.com/oidc/
NOTE: OneLogin has announced that OIDC v1 will reach end-of-life on January 26, 2021. Span subscriptions configured with OneLogin will need to be upgraded to OIDC v2 by their Span subscription administrators. In many cases the upgrade is as simple as changing the Issuer Endpoint.
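Whether the Issuer Endpoint is the PingFederate runtime URL on port 9031 or the OneLogin OIDC URL above, the value you enter in Span must match what the provider publishes, character for character. The script below is an added example, not part of this article and not Nureva's, OneLogin's or Ping Identity's code. It fetches (or is handed) the provider's OpenID Connect discovery document and reports anything that would make the Authorization Code sign-in fail, including the trailing-slash mismatch that commonly bites when an issuer endpoint is changed. The hostnames and the sample discovery document are constructed placeholders.

```python
"""Check an OpenID Connect issuer URL before entering it in Span Workspace.

Added example (not Nureva's, OneLogin's or Ping Identity's code).
"""
import json
import urllib.request


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery 1.0: metadata is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_metadata(issuer: str, timeout: float = 10) -> dict:
    """Download the discovery document (needs network; the demo below uses a sample instead)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_metadata(configured_issuer: str, metadata: dict) -> list:
    """Return a list of problems; an empty list means the issuer is usable."""
    problems = []
    if not configured_issuer.startswith("https://"):
        problems.append("issuer must be an https URL")
    published = metadata.get("issuer")
    if published is None:
        problems.append("discovery document has no 'issuer' field")
    elif published != configured_issuer:
        # Relying parties compare the id_token's iss claim with the configured
        # issuer as an exact string, so even a trailing slash breaks every sign-in.
        problems.append(f"configured issuer {configured_issuer!r} differs from published issuer {published!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            problems.append(f"discovery document lacks {key}")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("provider does not advertise response_type 'code'")
    # grant_types_supported is optional; the spec default is authorization_code and implicit.
    grants = metadata.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not allow the authorization_code grant")
    return problems


# Constructed sample discovery document, not real output from any provider.
SAMPLE_ISSUER = "https://pingfederate.example.com:9031"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    # The second issuer differs only by a trailing slash and is rejected.
    for issuer in (SAMPLE_ISSUER, SAMPLE_ISSUER + "/"):
        print(issuer, "->", check_metadata(issuer, SAMPLE_METADATA) or "OK")
```

To run it against a live provider, replace SAMPLE_METADATA with fetch_metadata(issuer) for the exact string you intend to enter as the Issuer Endpoint; if the published issuer differs, use the published value rather than the one you typed.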
Press the back button on the top left of the page to return to the Subscriptions page
A verified domain allows a subscription administrator to configure SSO only for users whose accounts belong to that domain. Until a domain has been verified, the subscription administrator cannot configure SSO for the users belonging to it.
For example, if nureva.com is a verified domain, the subscription administrator can link SSO to users with @nureva.com addresses. If a user exists with an @gmail.com address, the subscription administrator will not be able to configure SSO for that user.
For more information regarding your domain ownership, see our Domain ownership for SSO article.
Keep in mind it can take up to 48 hours for a domain to be verified.
A checkmark will appear next to the user if they have been successfully connected.
New users will need to activate their Span Workspace account from the welcome email. Once they've set their password, they can log out and log back in using your SSO provider.
When the user signs into Span Workspace in their web browser, they will be given the option to sign in with your SSO provider.
Last updated: May 20, 2020