Overview
- Single sign-on (SSO) allows you to integrate your existing identity providers (IDPs) with Starshipit.
- SSO provides a seamless and secure login experience for your users while maintaining full control over access and security policies.
- This also means that your existing IDP system can provide MFA for your logins.
- Learn more about user management with Starshipit.
Table of contents
- Why SSO?
- Prerequisites
- Set up
Why SSO?
Enterprise organisations often have centralised user identity stores and mature processes for managing user access. With our new SSO feature, you can leverage your existing systems, such as Azure Entra ID (formerly Azure AD), Okta, and others, to manage access to our platform. Some of the benefits of using SSO are:
- Full control over user access and security policies, including MFA requirements, password complexity, and access token lifespan.
- Streamlined user onboarding and offboarding processes.
- Enhanced security through centralised management of login events, password resets, and MFA.
- Simplified access management without reliance on third-party support.
Prerequisites
- You must have users already set up in Starshipit as your identity provider will map to existing accounts.
- The Starshipit account email must be the same as the email address in your identity provider.
Set up
Okta
- In the Okta dashboard, navigate to Applications.
- Click Add App.
- Select OIDC - OpenID Connect for the Sign-in method.
- Select Web Application for the Application type.
- Under Sign-in redirect URIs, enter the callback URL provided by Starshipit.
E.g. https://auth.starshipit.com/oidc/{your_tenant_name}/callback
- Ensure the scopes openid, profile and email are included.
- Copy the following values from Okta and send them securely to Starshipit:
  - Client ID
  - Client Secret
  - Okta OIDC Issuer URI
- Okta provides default claims. If customisation is required, configure these under Mappings.
- Assign users or groups to the application.
Auth0
- In the Auth0 dashboard, navigate to Applications > Create Application.
- Select Regular Web Applications.
- Under the Settings tab, locate the Allowed Callback URLs field.
- Enter the callback URL provided by Starshipit in that field.
E.g. https://auth.starshipit.com/oidc/{your_tenant_name}/callback
- Ensure the scopes openid, profile and email are included.
- Copy the following values from Auth0 and send them securely to Starshipit:
  - Client ID
  - Client Secret
  - Issuer URI
- If additional claims need to be mapped, go to Rules or Actions and create a rule to modify tokens.
- Save your settings.
Entra ID (Azure Active Directory)
- In Azure, navigate to Azure Active Directory > App registrations > New registration.
- Under Redirect URIs, enter the callback URL provided by Starshipit.
E.g. https://auth.starshipit.com/oidc/{your_tenant_name}/callback
- Choose Web as the platform.
- Ensure the scopes openid, profile and email are included.
- Copy the following values from Entra ID and send them securely to Starshipit:
  - Client ID
  - Client Secret
  - Issuer URI
- If token claims require customisation, configure these under Token configuration.
- Assign users or groups and configure API permissions as required.
Other (Older Identity Providers that use SAML and LDAP are not supported)
- In your Identity Provider (IdP) dashboard, navigate to where you can create/manage applications.
- Create a new application and select OIDC or OpenID Connect as the protocol.
- In the application configuration, locate the Redirect or Callback URL field.
- Enter the callback URL provided by Starshipit in that field.
E.g. https://auth.starshipit.com/oidc/{your_tenant_name}/callback
- Ensure the scopes openid, profile and email are included.
- Copy the following values from your identity provider and send them securely to Starshipit:
  - Client ID
  - Client Secret
  - Issuer URI/Authority
- Map additional claims as needed.
- Save your settings.
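A pre-flight check for the values collected in the steps above, as an added example (not Starshipit's or any identity provider's code). It compares the Issuer URI against the provider's OIDC Discovery metadata, confirms the three scopes are offered, and checks the callback URL shape; the sample issuer, the sample metadata and the tenant-name character set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}
# Callback shape from this page; the tenant-name character set is an assumption.
CALLBACK_RE = re.compile(r"https://auth\.starshipit\.com/oidc/[A-Za-z0-9_-]+/callback")


def discovery_url(issuer):
    """Where OIDC Discovery metadata for an issuer is published."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def preflight(issuer, callback, metadata):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        problems.append("issuer must be an https URL with no query or fragment")
    # OIDC Discovery requires the advertised issuer to equal the configured one
    # exactly, so a stray trailing slash or wrong path is caught here.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: metadata says {metadata.get('issuer')!r}")
    # scopes_supported is optional metadata; only judge it when it is present.
    if "scopes_supported" in metadata:
        missing = REQUIRED_SCOPES - set(metadata["scopes_supported"])
        if missing:
            problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    # fullmatch also rejects a callback that still contains {your_tenant_name}.
    if not CALLBACK_RE.fullmatch(callback):
        problems.append("callback URL does not match the Starshipit pattern")
    return problems


# Constructed sample metadata; in practice fetch it from discovery_url(issuer).
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "scopes_supported": ["openid", "email", "offline_access"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    for p in preflight(SAMPLE_ISSUER + "/",
                       "https://auth.starshipit.com/oidc/{your_tenant_name}/callback",
                       SAMPLE_METADATA):
        print("PROBLEM:", p)
```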
Once the Starshipit team has enabled SSO for your organisation, you can log in with SSO via your dedicated login URL, e.g. https://auth.starshipit.com/oidc/{your_tenant_name}.
Alternatively, you can use the Continue with SSO button on the Starshipit login page and enter {your_tenant_name} in the box when prompted for your SSO domain.
Note
The embedded Shopify app has strict cookie and external authentication provider restrictions. As such, customers wanting to sign in using SSO must use Starshipit in a separate browser tab.