Configuring SSO Login


General Information:

Single sign-on (SSO) is a time-saving and highly secure user authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.

Panaya supports SSO. To provide single sign-on services for your domain, Panaya acts as a service provider (SP).

To get started, you need an OpenID Connect Identity Provider (IdP) to handle the sign-in process and provide your users’ credentials to Panaya.

The only information required by Panaya is the user’s email.

When users authenticate themselves through your IdP, their account details are handled by the IdP. Panaya does not store any passwords.

To configure your OpenID Connect SSO you need:

  • The client ID
  • The client secret
  • The OpenID Connect endpoint URLs

This article is for our SAP, Oracle and Salesforce users who want to log in with their organizational login credentials.
Salesforce users who want to log in with their Salesforce credentials, click here.

Note: The Token URL must be accessible from outside of your organizational secured servers.

Panaya requires an OpenID scope claim. Configure your IdP with the following authorized scopes: openid and email.
More information about these standard scopes can be found in the official OpenID documentation.


For Azure and other OAuth integrations, make sure that you use 'Add additional claims' in the 'Token Configuration' menu.

Select ID in Token type, choose 'email' and 'auth_time', and save both claims.


To allow users to seamlessly login to Panaya using their own organizational credentials, follow the instructions below:


  1. Click on the Settings button to open up the Settings panel.
  2. In the Security section, select View & Manage Single Sign On (Open ID Connect)
  3. Fill in the details, and click Save.

    Note: To determine your Authentication and Token URLs (endpoints), open your IdP's OpenID Connect metadata URL, also known as the openid-configuration page, and look for the authorization and token endpoints. The openid-configuration page URL may look something like this:
    https://idpname.my.idaptive.app/Panaya/.well-known/openid-configuration
    https://econnect.yourcompany.com/.well-known/openid-configuration

    Once you have the correct URLs, fill them in, along with the client ID and client secret.
  4. Click on Check Configuration
  5. On the right-hand side of the screen, use your organizational login credentials to log in.
    This will verify the success of the configuration.  
    For the Redirect URL on your IdP, use https://my.panaya.com/api/oauth/authenticate or https://emea.panaya.com/api/oauth/authenticate (depending on your specific Panaya site).

  6. If the configuration is successful, a confirmation message appears.
    Click on Continue To Log In With SSO. This will verify the IDP configuration and will allow you to re-login to Panaya via SSO.
  7. To roll out the configuration to all organizational users, click on Roll Out To All Users.
    The Identity Provider Configuration will show as Active.
    Users should now be able to log in via SSO login with their organizational credentials.
  8. To deactivate SSO and roll back to Panaya login, click on Deactivate SSO Configuration.
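
The metadata lookup from the note in step 3 can be checked before the form is filled in, together with the scope and Token URL requirements stated earlier. The following is an added example, not Panaya's code: it parses an openid-configuration document, returns the two endpoints, and lists problems. The sample document, the host idp.example.com and the function names are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlparse

REQUIRED_SCOPES = {"openid", "email"}  # scopes the article asks the IdP to authorize

# Constructed sample of an openid-configuration document (hypothetical IdP host).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "auth_time"],
})


def endpoint_problem(name, url, must_be_public):
    """Return a problem string for an endpoint URL, or None if it looks usable."""
    parsed = urlparse(url or "")
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        return f"{name} must be an absolute https URL"
    if not must_be_public:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: offline, only obviously local names can be flagged.
        local = host == "localhost" or "." not in host
        return f"{name} host is not reachable from outside" if local else None
    return None if ip.is_global else f"{name} uses a non-public IP address"


def check_openid_configuration(raw_json):
    """Extract the two endpoints and list problems that would break SSO setup."""
    meta = json.loads(raw_json)
    checks = (("authorization_endpoint", False), ("token_endpoint", True))
    problems = [p for k, pub in checks if (p := endpoint_problem(k, meta.get(k), pub))]
    missing = REQUIRED_SCOPES - set(meta.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "email" not in meta.get("claims_supported", []):
        problems.append("email claim not advertised")
    return {"authorization_endpoint": meta.get("authorization_endpoint"),
            "token_endpoint": meta.get("token_endpoint"), "problems": problems}


if __name__ == "__main__":
    print(json.dumps(check_openid_configuration(SAMPLE_METADATA), indent=2))
```

The scopes_supported and claims_supported fields are optional in IdP metadata, so a "not advertised" finding is a prompt to check the IdP's scope and claim settings rather than proof that they are missing.
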
Known Limitation
When setting the PING IDP OAuth connection, the Tests e-sign cannot be used in Panaya. This is due to the implementation of OIDC.