
Single Sign-On (SSO) Configuration

This page allows administrators to configure Single Sign-On (SSO) for a company, enabling users to log in using their existing corporate identity provider (IdP) instead of creating separate credentials for this platform.

This feature utilizes OpenID Connect (OIDC), an identity layer built on top of the OAuth 2.0 framework. It allows clients (like this platform) to verify the identity of the End-User based on the authentication performed by an Authorization Server (the company's IdP), as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. By configuring OIDC, you delegate the authentication process to the company's chosen IdP, enhancing security and simplifying user access.

[Figure: OIDC diagram]

Enabling SSO

  1. Navigate to the company's settings page where the "Single Sign-On" section is located.
  2. Tick the "Enable single sign-on" checkbox. This will reveal the configuration fields.

Configuration Fields

If SSO is enabled, you must provide the following details obtained from the company's identity provider (e.g., Azure AD, Okta, Google Workspace):

  • Discovery URL: Enter the OIDC Discovery Document URL provided by the IdP. This URL typically ends in /.well-known/openid-configuration and allows the platform to automatically fetch necessary endpoint information and keys from the IdP.
  • Client ID: Enter the unique Client ID assigned to this application when registering it with the IdP.
  • Client Secret: Enter the Client Secret associated with the Client ID. Treat this value as confidential.
  • Email Domains: Specify the email domains that are allowed to authenticate via this SSO connection. Add one domain per entry (e.g., mycompany.com). Users attempting to log in via SSO must have an email address belonging to one of these domains. Use the editable list component to add or remove domains.
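As an added example that is not part of this page or the platform's own code, the following Python sketch shows the checks a client can run on the discovery document before trusting it (it must be fetched over https, its issuer must match the URL it came from, every endpoint must be https, and it must offer an ID token signing algorithm other than none) together with an exact-match version of the email-domain rule. The discovery document, idp.example.com and mycompany.com are constructed placeholders, and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document; idp.example.com is a placeholder, not a real IdP.
SAMPLE_DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_problems(discovery_url: str, body: str) -> list[str]:
    """Check a discovery document fetched from discovery_url; return the problems found.

    An empty list means the document is acceptable for use.
    """
    problems: list[str] = []
    if not discovery_url.endswith(WELL_KNOWN):
        return ["discovery URL does not end in " + WELL_KNOWN]
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL must use https")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["discovery document is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["discovery document is not a JSON object"]
    missing = [f for f in REQUIRED_FIELDS if not isinstance(doc.get(f), str)]
    if missing:
        return problems + [f"missing or non-string fields: {missing}"]
    # OIDC Discovery requires issuer + WELL_KNOWN to be the URL the document was fetched
    # from; a mismatch usually means the URL points at the wrong tenant or at a proxy.
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} does not match discovery URL")
    for field in REQUIRED_FIELDS:
        if urlsplit(doc[field]).scheme != "https":
            problems.append(f"{field} must use https")
    # An ID token with alg "none" carries no signature at all, so an IdP that offers
    # nothing else cannot be trusted to assert identities.
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if not any(a != "none" for a in algs):
        problems.append("IdP offers no real ID token signing algorithm")
    return problems


def email_domain_allowed(email: str, allowed_domains: list[str]) -> bool:
    """Exact, case-insensitive match of the part after the '@' against the allow list.

    Subdomains are not implied (list them explicitly), and suffix or prefix matches such
    as mycompany.com.evil.example or evilmycompany.com are rejected by construction.
    Addresses with more than one '@' are rejected outright rather than guessed at.
    """
    if email.count("@") != 1:
        return False
    local, domain = email.split("@", 1)
    if not local or not domain:
        return False
    domain = domain.lower().rstrip(".")
    allowed = {d.strip().lower().rstrip(".") for d in allowed_domains}
    return domain in allowed


if __name__ == "__main__":
    print("discovery problems:", discovery_problems(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_DOC))
    for addr in ("alice@mycompany.com", "bob@mycompany.com.evil.example", "eve@sub.mycompany.com"):
        print(addr, "->", email_domain_allowed(addr, ["mycompany.com"]))
```

The email check deliberately compares the whole domain rather than using endswith(), which is the classic mistake behind allow-list bypasses; if the company wants subdomains admitted, add each one as its own entry.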

Platform URLs

The following URLs are automatically generated based on the system's configuration and the company ID. You will likely need to provide these URLs to the IdP when configuring the application on their side:

  • Redirect URL: The URL where the IdP sends users back after they have successfully authenticated. There are two redirect URLs, one for general desktop use and one specific to the CityCity mobile app. Copy both and register them as allowed "Redirect URI" or "Callback URL" values in the IdP settings for this application; IdPs match these values exactly, so any difference in scheme, host, path or trailing slash will cause the login to be rejected.
  • Logout Redirect URL: This is the URL where the IdP should send users back after they have logged out. Configure this in the IdP if it supports post-logout redirection.
  • Company SSO URL: This is the platform-specific URL that can initiate the SSO login flow for this company. You might provide this URL directly to users or use it in internal portals.
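To show what "initiating the SSO login flow" from the Company SSO URL involves on the platform side, here is an added Python example that is not the platform's own code: it builds the authorization request with a per-login state, nonce and PKCE challenge, stores them in the session, and checks the IdP's redirect back (exact redirect URL, matching state, one-time use) before the authorization code is exchanged. The endpoint, client ID and redirect URLs are constructed placeholders, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; real values come from the discovery document and the settings page.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
# Stand-ins for the two redirect URLs shown on the settings page (desktop and mobile app).
REGISTERED_REDIRECT_URLS = {
    "desktop": "https://platform.example.com/sso/callback",
    "mobile": "https://platform.example.com/sso/callback-mobile",
}


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_login(client: str, session: dict) -> str:
    """Return the authorization request URL the browser is redirected to.

    state, nonce and the PKCE verifier are generated fresh per login and kept only in
    the server-side session so the callback can be checked against them.
    """
    redirect_uri = REGISTERED_REDIRECT_URLS[client]
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    session["redirect_uri"] = redirect_uri
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def check_callback(callback_url: str, session: dict) -> str:
    """Validate the IdP's redirect back and return the authorization code, or raise."""
    parts = urlsplit(callback_url)
    base = parts._replace(query="", fragment="").geturl()
    if base != session.get("redirect_uri"):
        raise ValueError("callback arrived at a URL that is not the registered redirect URL")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    expected = session.get("state", "")
    # Constant-time compare on bytes; an unknown or reused state means this callback did
    # not originate from a login this session started (login CSRF or a replay).
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: not the login this session started")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    session.pop("state")  # one-time use: a replayed callback now fails the state check
    return code


def callback_accepted(callback_url: str, session: dict) -> bool:
    """Convenience wrapper: True if check_callback accepts the callback."""
    try:
        check_callback(callback_url, session)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session: dict = {}
    print("redirect browser to:", start_login("desktop", session))
    # The code returned here is then exchanged at the token endpoint together with
    # session["code_verifier"], and the ID token's nonce must equal session["nonce"].
```

After check_callback succeeds, the code is exchanged at the token endpoint together with the stored code_verifier, and the returned ID token is verified against the jwks_uri from the discovery document with its nonce compared to the stored one; only then is the email claim checked against the configured domains.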

Saving Changes

  • Click the "Save" button in the top-right corner of the card to apply your changes.