# Single Sign-On (SSO)

## Overview

SSO is an authentication method that enables users to securely access multiple applications and websites by using one set of login credentials.

parcelLab offers SSO implementation for industry-standard identification protocols, such as Azure Active Directory (AD) SAML 2.0 and OpenID Connect (for example: Google OAuth). This feature also includes the flexibility to implement custom identity providers.

## Configuring SSO for <code class="expression">space.vars.Product\_pLApp</code> Access

parcelLab supports SSO using SAML 2.0 and OAuth as authorization methods.

Information about the implementation process is described in the following sections.

{% hint style="info" %}
For further queries on the scope and requirements of implementing SSO, please contact your parcelLab representative.
{% endhint %}

### Customer Requirements

To set up SSO with established identity providers, the information you need to provide is based on the identity provider. Details about the most common providers are listed below.

By default, all newly logged-in users will get "Guest" access rights and will only be able to view their user profile in the parcelLab App. Client administrator users will need to adjust the access rights for each user in the User Management module.

#### SAML

This section describes the requirements for implementing SSO with SAML 2.0.

For the implementation to work, you need to provide the following information:

* Discovery Endpoint URL (that is: the URL for your SAML identity provider's metadata)
  * The URL has the following pattern: [https://login.microsoftonline.com/{uuid}/federationmetadata/2007-06/federationmetadata.xml?appid={uuid}](https://login.microsoftonline.com/%7Buuid%7D/federationmetadata/2007-06/federationmetadata.xml?appid={uuid})
* Your service provider's ID for the application\ <img src="https://1156682959-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LPf1Lv1YUuLYva6LrXQ%2Fuploads%2FOTp98eg5aKrRaMP83dPQ%2FSSO_Service%20Provider%20ID.png?alt=media&#x26;token=e0708ad4-acab-48af-9d81-1f8fdd1edfec" alt="Service provider&#x27;s ID highlighted for the application" data-size="original">
* A screenshot or table of the configured claims for the SAML token\ <img src="https://1156682959-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LPf1Lv1YUuLYva6LrXQ%2Fuploads%2F9DqY2I9mTna14RZxyYTU%2FSSO_Attributes%26Claims%20List.png?alt=media&#x26;token=44827c0b-5791-482f-8394-dce2f62a23a9" alt="Configured claims for the SAML token" data-size="original">

#### OpenID Connect

This section describes the requirements for implementing SSO with OpenID Connect.

For the implementation to work, you need to provide the following information:

* Discovery Endpoint URL (that is: the URL for the OpenID configuration)
  * The URL has the following pattern: [https://{domain}/{optionalPath}/.well-known/openid-configuration](https://{domain}/%7BoptionalPath%7D/.well-known/openid-configuration) (for example: <https://accounts.google.com/.well-known/openid-configuration>)
* Client ID (that is: the unique identifier for your registered application)
* Client Secret (that is: the password (string) of your application)
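
The following is an added example, not parcelLab's code: a pre-flight check of your OpenID Connect discovery document that you can run before sharing the Discovery Endpoint URL. It applies the OpenID Connect Discovery 1.0 rules (HTTPS, required fields, issuer matching the URL); `idp.example`, the tenant paths and the function name `check_discovery` are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Fields that OpenID Connect Discovery 1.0 marks as REQUIRED in the document.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_discovery(discovery_url, document):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    url = urlsplit(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL is not https")
    if not url.path.endswith(SUFFIX) or url.query or url.fragment:
        problems.append("discovery URL does not end in " + SUFFIX)
    try:
        meta = json.loads(document)
    except ValueError:
        return problems + ["document is not valid JSON"]
    if not isinstance(meta, dict):
        return problems + ["document is not a JSON object"]
    problems += ["missing required field: " + f for f in REQUIRED if f not in meta]
    # The issuer must equal the discovery URL with the well-known suffix removed;
    # a mismatch means the document describes a different identity provider.
    expected = discovery_url[:-len(SUFFIX)] if discovery_url.endswith(SUFFIX) else None
    if "issuer" in meta and str(meta["issuer"]).rstrip("/") != expected:
        problems.append("issuer does not match the discovery URL")
    for name in ENDPOINTS:
        if name in meta and urlsplit(str(meta[name])).scheme != "https":
            problems.append(name + " is not an https URL")
    return problems


# Constructed sample input: idp.example and the tenant paths are placeholders.
URL = "https://idp.example/tenant-a/.well-known/openid-configuration"
GOOD = json.dumps({
    "issuer": "https://idp.example/tenant-a",
    "authorization_endpoint": "https://idp.example/tenant-a/authorize",
    "token_endpoint": "https://idp.example/tenant-a/token",
    "jwks_uri": "https://idp.example/tenant-a/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Same document, but with another tenant's issuer and a plain-http key URL.
BAD = json.dumps({**json.loads(GOOD), "issuer": "https://idp.example/tenant-b",
                  "jwks_uri": "http://idp.example/tenant-a/keys"})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_discovery(URL, doc) or "ok")
```

To check a real provider, pass the Discovery Endpoint URL together with the JSON text it returns.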

### Implementation Process

This section describes the implementation process for SSO integration.

When parcelLab has the required information, the integration process can begin.

#### Adding Redirect URLs to Your Configuration

After implementing the SSO connection, parcelLab will provide redirect URLs that you need to add to your SAML or OIDC connection.

After you have added the redirect URLs to your configuration, your users can use their corporate login credentials to sign in to parcelLab.
