Setting up SSO (single sign-on)

Set up your SSO provider, verify your domain, and add users for single sign-on.

Span™ Workspace uses Windows® Azure® Active Directory®, Okta™, PingFederate® or OneLogin™ to enable single sign-on (SSO). Once Span Workspace has been added to the SSO provider, a subscription administrator can enable SSO for subscription users. SSO is compatible with both Span Workspace wall client and Span Workspace web client. However, it's necessary to sign in to SSO using the web client before it'll be available in the Span Workspace wall client.

The steps below will guide an administrator through setting up Span Workspace with their SSO account and then configuring their SSO settings within the Span Workspace web client.

To see an example of a Span Workspace SSO user experience, see our Using SSO with Span Workspace article.

Setting up your service provider

Click on the header of your SSO service provider below to view instructions on setting up your service provider to be compatible with Span Workspace.

Setting up Azure AD

  1. Log into the Azure portal at as an Azure AD administrator
  2. Navigate to Azure Active Directory and go to Enterprise applications
  3. Select  Add applications and choose the New application tab
  4. Fill in the following information:
    • Name: Nureva Span
    • Supported account  types: Accounts in this organizational directory only
    • Redirect URI:
  5. The application has now been added. Record the Display name, Application ID, and Directory ID for use in the Set-up SSO section at the bottom of this page.
  6. Open your Azure settings and go to Certificates and Secrets
  7. Choose New client secret
  8. Enter a Description for the secret and under Expires choose when your secret will expire.
  9. Select Add
  10. Return to your Azure settings and choose Authentication
  11. Delete the default URL (e.g.
  12. Add the following reply URLs:
  13. Navigate back to the Azure Active Directory
  14. Choose Save 

Administrator application permissions

By default, whether or not a user grants the Azure AD application access to Azure AD information is up to the user. However, if the Azure AD client is configured to require an administrator's permission, the administrator must give permission to the Span Azure AD application to access the Azure AD information.

  1. From the Azure settings choose API Permissions
  2. Click the Grant admin consent for [company name] button
  3. Enter the admin user credentials
  4. Click Accept

Setting up Okta

  1. Sign on to your Okta administration dashboard. The URL may look like "https://<your_company>".
  2. Hover over the API tab and click on Authorization Servers
  3. Record the issuer URI for the authorization server named "default." You will need this URI in the Setting up SSO section.
  4. Edit the ‘default’ authorization server
  5. Select the Claims tab
  6. Click Add Claim
  7. Set the name to ‘span_login_key’, include it in ID Token and set the Value to an attribute that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin. (e.g. user.username)
  1. Click Save
  2. Record the Issuer URI of the ‘default’ Authorization Server. This will be needed as the Base URL when configuring Okta in Span

Adding Span as a valid App in your Okta

  1. Navigate to the Applications tab and then click Add Application
  2. Choose the Web option and click Next
  3. Set the Name to “Span” and the Base URI to
  4. Add the following Login redirect URIs:
  1. Make sure the "Grant type allowed" is set to Authorization Code
  2. Click Done
  3. Find the Client ID and Client secret and record them, as you will need them when configuring Span

Setting up PingFederate

  1. Sign on to your PingFederate administration dashboard

This is likely to be at a URL of the form https://<hostname_of_pingfederate_server>:9999/pingfederate/app

  1. Click on the OAuth Server tab on the left-hand menu

If the OAuth Server tab is not visible, it's likely that your PingFederate server is not configured for OpenID Connect. Refer to the PingFederate administrative guide to complete this step.

The next steps guide you through how to add an OpenID Connect Policy for Span, which maps an appropriate directory attribute onto the sub claim.

  1. Click OpenID Connect Policy Management 
  2. Go to Add Policy
  3. Enter a policy ID, Name and select an Access Token Manager
  1. Click Next
  2. Under Attribute Contract, delete all the extended attributes. They aren't required by Span Workspace.
  1. Click Next until you reach the Contract Fulfillment screen
  2. Fulfill the sub contract with a Source and Value that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin – they will need it later to link Span users to their SSO account.

For example, a user principal name, unique username or (if you can guarantee it is unique per user in your directory) an e-mail.

  1. Click Done

Add a Client

  1. Under the Clients heading, click Create New
  2. Choose a value for the Client ID. Record this client ID for use when configuring Span.
  1. Set a Name and Description that will remind you or other administrators that this is the Span client
  2. Set Client Authentication to Client Secret
  3. Click Generate Secret
  4. Record the generated secret for later

This secret will be used as the client secret when configuring Span.

  1. Add the following Span re-direct URLs:

    9. Set the Allowed Grant Types to Authorization Code

 10. Select the Policy you created earlier

 11. Click Save

The last piece of information you will need before configuring Span is your PingFederate server’s hostname, which by default is on port 9031. Therefore, the URL will appear as https://<hostname of Ping server>:9031/

Setting up OneLogin

  1. Sign on to your OneLogin administration dashboard.

This dashboard can likely be found at https://<your_company>

  1. Hover your cursor over the Apps tab and click Add Apps
  2. Search for and select "OpenID Connect (OIDC)"
  1. In the Display name field, type in "Span"
  2. Click Save
  3. Go to the Configuration tab
  4. Configure the following:
  1. Go to the Parameters tab
  2. Set Credentials to "Configured by Admin"
  3. Click Add parameter
  4. Set the field name to "span_login_key"
  5. Click Save
  6. Set the value of the new parameter to an attribute that uniquely identifies the user in your directory and is accessible or known by the Span subscription admin. For example, userPrincipleName.
  1. Click Save
  2. Go to the SSO tab
  3. Take note of the Client ID and the Client secret. You'll need these later when configuring SSO in Span Workspace.
  4. Record the OpenID Provider Configuration Information, excluding the ".well-known/openid-configuration" part of the ID. You will need this URL later when configuring Span Workspace.

The URL should resemble the following:  https://<your_company>

  1. Make sure the Application Type is set to "Web"
  2. Set the Token Endpoint Authentication Method to POST
  3. Click Save

NOTE: OneLogin had announced that OIDC v1 will be end-of-life on January 26, 2021. Span subscriptions with OneLogin configuration will need to be upgraded to v2 by span admins. In many cases, the upgrade is as simple as changing the Issuer Endpoint.

Setting up SSO

  1. As a subscription administrator, log into Span Workspace using your Chrome™ internet browser
  2. Click your name on the top-right corner of the page
  3. Select Subscriptions
  4. Click the SSO link in the Manage column
  5. Click Add identity provider
  6. Input your company’s SSO provider's Span Workspace information
  1. Click Add. You'll be redirected to your SSO provider's page. Log in with your administrator credentials. You will then be redirected back to your SSO page where the identity provider will now be added.
  2. You can edit or remove the identity provider from the three-dot menu.

Press the back button on the top left of the page to return to the Subscriptions page

Verify your domain

A verified domain allows a subscription administrator to configure SSO only for users belonging to the same domain. If the domain has not been verified, the subscription administrator will not have the ability to configure the users belonging to that domain for SSO.

For example, if is a verified domain, then the subscription administrator can link SSO to the users under the domain. If a user exists with an domain, the subscription administrator will not be able to configure SSO for the user.

For more information regarding your domain ownership, see our Domain ownership for SSO article.

  1. Click Domains on the subscription page
  2. Follow the steps shown to verify your domain(s)
  3. Once you've followed the steps, confirm that a verified domain has been added under the “Add verified domain” button

Keep in mind it can take up to 48 hours for a domain to be verified.

Configure users for SSO

  1. Go to the subscriptions page
  2. Click Users
  3. Open the three-dot menu for the user that will be configured through SSO
  4. If you need to add a user to the subscription, follow the steps in the Adding user accounts articles.
  5. Open the three-dot menu of the user you just added and select Manage SSO
  6. Enter the user's UPN number from your SSO provider
  7. Click OK

A checkmark will appear next to the user if they have been successfully connected.

New users will need to activate their Span Workspace account in the welcome email. Once they've set their password, they will be able to log out and then log back using your SSO provider.

When the user signs into Span Workspace in their web browser, they will be given the option to sign in with your SSO provider.

Last updated: May 20, 2020

Was this article helpful?

Can’t find what you’re looking for?

Contact Support