November 29th, 2021 by Adam Sandman
In Spira version 6.4 we added support for Single Sign On (SSO) using the industry standard OAuth 2.0 protocol. In our upcoming v6.14 release of Spira we have extended the range of SSO providers we support to include both the popular OneLogin service and also generic OpenID Connect providers, opening the door for any company that has an OpenID Connect compatible authentication system to use it with Spira.
Spira OAuth Support
When we first released the OAuth single sign-on functionality in Spira 6.4, we provided support for the following providers based on feedback from our customers:
- Microsoft Active Directory Federation Services (ADFS)
- Microsoft Azure Active Directory (AzureAD)
- GitHub
- GitLab
- OKTA
Based on requests from our customers since v6.4's release, we have added support for OneLogin as well as a generic option for other OpenID Connect compliant providers.
Spira SSO Support for OneLogin
When you enable the new provider for OneLogin, you will see that option available on the login page.
When a user clicks on the button, they will be redirected to the OneLogin login page as configured for your company.
From here they can use the normal OAuth flow and either link their OneLogin account to an existing Spira account, or simply create a new unapproved Spira account "on the fly", which a system administrator can then approve.
Inside Spira, you simply use the standard OAuth parameters to configure the provider:
- Client ID
- Client Secret
- Authorization URL
- Token URL
- Profile URL
Inside OneLogin, you will configure a new "OpenID Connect (OIDC)" application and use that to generate the parameters, secrets and URLs needed by Spira.
Spira Support for OpenID Connect
In addition, we have now added a generic "OpenID Connect" provider option for anyone who needs to use Spira with an OAuth 2.0 / OpenID Connect based single sign-on solution that is not otherwise listed.
This provider only uses the minimal number of required "OAuth 2.0" claims and therefore should work with any OAuth 2.0 based solution that doesn't deviate from the OpenID Connect standard.
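For a generic OpenID Connect provider, the Authorization URL, Token URL and Profile URL can usually be read from the provider's discovery document (`/.well-known/openid-configuration`) and sanity-checked before they are entered. The sketch below is an added example, not Inflectra's code. It assumes that Spira's "Profile URL" corresponds to the OIDC `userinfo_endpoint` and that Spira uses the authorization code flow, and it runs against a constructed discovery document for a hypothetical provider `idp.example.com`.

```python
from urllib.parse import urlsplit

# Constructed sample discovery document (hypothetical provider idp.example.com).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/oidc",
    "authorization_endpoint": "https://idp.example.com/oidc/auth",
    "token_endpoint": "https://idp.example.com/oidc/token",
    "userinfo_endpoint": "https://idp.example.com/oidc/me",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
}

# Assumed mapping from Spira's field labels to OIDC discovery keys.
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Profile URL": "userinfo_endpoint",
}

def spira_urls_from_discovery(doc):
    """Return (settings, problems) for the URL fields of the provider form."""
    problems = []
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.hostname:
        problems.append("issuer is missing or not an https URL")
    settings = {}
    for label, key in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{label}: discovery document has no {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{label}: {url} is not https")
        elif parts.hostname != issuer.hostname:
            # Not forbidden by the standard, but worth a manual look.
            problems.append(f"{label}: host {parts.hostname} differs from issuer")
        settings[label] = url
    # Assumption: the client uses the authorization code flow with 'openid' scope.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("'openid' scope not advertised")
    return settings, problems

if __name__ == "__main__":
    settings, problems = spira_urls_from_discovery(SAMPLE_DISCOVERY)
    for label, url in settings.items():
        print(f"{label}: {url}")
    for p in problems:
        print("CHECK:", p)
```

The Client ID and Client Secret are not part of the discovery document; they come from the application registration at the provider.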