
GovSpend Single Sign On: Custom SSO Set Up

This article reviews the single sign-on options available to GovSpend customers and how to move forward with implementation.

GovSpend Single-Sign-On

External Identity Providers 

GovSpend is happy to support customers who prefer to use their company’s SSO provider to manage access to our platform for their users. Setup is quick and easy, and we support authentication through the majority of 3rd party SSO solutions as well as proprietary solutions built on industry standard frameworks, including:

Implementation Phases

This guide will help you understand the various integration phases and provide the necessary information for a smooth implementation. 

  1. Preparation
  2. Configuration
  3. Deployment & Testing
  4. Support & Maintenance

Preparation: 

If you’d like to configure your account to utilize your company’s SSO provider, please reach out to your dedicated relationship manager who can initiate the setup process. To help us configure SSO to best meet your needs, please share responses to the questions below:

  • Which Identity Provider (IDP) will you use for SSO (e.g., Okta, Entra)?
  • Would you prefer to disable standard email/password login entirely or allow your users the option of signing in using both SSO and standard login methods?

Follow the steps below to configure your SSO, depending on whether you use OpenID Connect (OIDC) or SAML. Once complete, please send GovSpend the items in bold so we can proceed with configuration on our end.

OpenID Connect (OIDC) Set Up:

  1. Set up a client that will redirect to:

    https://auth.govspend.com/__/auth/handler

  2. Provide GovSpend with the following information:

    1. Issuer (URL): Example - https://auth.example

    2. Alphanumeric Client ID

    3. Client Secret
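
A pre-flight check for the OIDC values listed above, added here as an example (it is not GovSpend's code). The function name, the sample discovery document and the `auth.example` IdP are assumptions; the redirect URI is the one given in this article.

```python
import json
from urllib.parse import urlsplit

GOVSPEND_REDIRECT = "https://auth.govspend.com/__/auth/handler"  # from this article

# Constructed sample: the document a hypothetical IdP would serve at
# <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://auth.example",
  "authorization_endpoint": "https://auth.example/authorize",
  "token_endpoint": "https://auth.example/token",
  "jwks_uri": "https://auth.example/keys"
}""")


def check_oidc_handoff(issuer, discovery, registered_redirects):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    # OIDC Discovery requires an exact string match, so a trailing slash matters.
    if discovery.get("issuer") != issuer:
        problems.append("issuer differs from the value in the discovery document")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # The redirect URI should be registered exactly, with no wildcard entries.
    if GOVSPEND_REDIRECT not in registered_redirects:
        problems.append("GovSpend redirect URI is not registered on the client")
    if any("*" in uri for uri in registered_redirects):
        problems.append("wildcard redirect URI registered on the client")
    return problems
```

The Client Secret is deliberately not an input here: it should travel to GovSpend over a channel separate from the Issuer and Client ID.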

SAML Set Up: 

  1. Set up a client that will redirect to:

    https://auth.govspend.com/__/auth/handler

  2. Provide GovSpend with the following information:

    1. Entity ID (of your SAML identity provider)

    2. SSO URL

    3. Certificate used to sign the SAML assertion

    4. Service Provider Entity ID (Optional): This should be the Entity ID given to GovSpend in your SAML identity provider, for example https://yourapp.example.com/saml/sp

    5. Please make sure the SAML response complies with the following requirement - https://cloud.google.com/identity-platform/docs/web/saml#provider_required_elements
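
The first three SAML items above can be read straight out of the IdP's metadata export. The following is an added example, not GovSpend's code: the function name, the `idp.example` metadata and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholder bytes standing in for a DER certificate (not real X.509).
_SIGN = base64.b64encode(b"SIGNING-CERT-PLACEHOLDER").decode()
# Constructed metadata for a hypothetical IdP at idp.example.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>AAAA</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>
     {_SIGN[:16]}
     {_SIGN[16:]}
   </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example/saml/sso"
     Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def saml_handoff(metadata_xml):
    """Return Entity ID, SSO URL and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not SAML IdP metadata")
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("no https SingleSignOnService location")
    pems = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # omitted 'use' covers signing too
            continue                                # skip encryption-only keys
        for node in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join(node.text.split())        # metadata often wraps the base64
            base64.b64decode(b64, validate=True)    # raises on a corrupted paste
            body = "\n".join(textwrap.wrap(b64, 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    if not pems:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"), "signing_certs": pems}
```

Run it only on metadata exported from your own IdP; for XML from an untrusted source, parse with a hardened library such as `defusedxml` instead.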

    Configuration

    Once we have all the required information as requested above, we will initiate the configuration of your custom SSO tenant, which includes the following:

    • Creation of a dedicated URL that can be hosted in your centralized login portal, or otherwise distributed to your users. This URL can be shortened for ease of use, e.g. “companyname.govspend.com”.

    Deployment & Testing

    • Once you have set up a client that will redirect to https://auth.govspend.com/__/auth/handler and we have completed initial configuration of your custom SSO tenant, we will reach out to you with your new dedicated SSO link.
    • Perform the following steps to test that the link is working as expected:
      • Make sure you are logged out of GovSpend before testing
      • Click the custom SSO link and confirm you are successfully logged into GovSpend
      • Navigate to https://app.govspend.com and confirm you see a custom button with your organization name. Click that button and confirm you can successfully log into GovSpend.
       
      • Note: If you would like to set up a sandbox testing environment, please reach out and we can help coordinate that.
    • Once you have completed testing successfully, we suggest the following deployment steps:
      • Share the new link with your GovSpend users and communicate a timeline to start using the link
      • Suggest that users bookmark this new link so they can always get to it easily
      • Once your users have all successfully logged in via SSO, let the GovSpend team know if you would like to disable the traditional email/password login method. This would ensure the only available login method to users in your account would be your custom SSO URL. 

    Self-Registration:

    If you are setting up SSO with a custom tenant, self-registration/auto-provisioning applies to any new user logging in via the account's custom SSO URL. If the user already exists in GovSpend and they are logging in via the SSO URL for the first time, their account will be auto-verified and they'll automatically log into GovSpend. 

    Support & Maintenance

    If you need additional support, please reach out:

    • Contact your dedicated Relationship Manager
    • Email us at Support@govspend.com
    • Use our in-product chat support to contact our Customer Support team
    • Call us at (954)-420-9900

    Frequently Asked Questions

    Are there SSO options available that don't require additional set up?

    Yes. Our standard login page at app.govspend.com provides support for a couple of login options natively, provided the user enters a valid corporate email address that can be authenticated with your active directory. The current SSO providers supported on the main login page in GovSpend are LinkedIn and Google. If those options work for you, you can get started immediately without any additional setup.

    You may opt to disable certain login options to direct users to a single option, and if so we can assist you with that setup.

    Are users auto-provisioned when logging into GovSpend for the first time using a custom SSO tenant?

    Yes. If you are setting up SSO with a custom tenant, self-registration/auto-provisioning applies to any new user logging in via the account's custom SSO URL. If the user already exists in GovSpend and they are logging in via the SSO URL for the first time, their account will be auto-verified and they'll automatically log into GovSpend. 

    When a user logs in via the custom SSO link the system will:

    • Sign In: If the user already has an existing account, they will be signed in automatically.
    • Sign Up: If the user does not have an account, a new account will be created for them seamlessly, they will be auto-verified by the system, and they will be logged into GovSpend.

    Are users auto-provisioned when logging into GovSpend using the default SSO options?

    No. If you are not using a custom tenant and are simply utilizing one of the default SSO options on the GovSpend login page (app.govspend.com), users will only be able to log in if that email already exists in GovSpend. Adding/removing users for default login methods can be done by anyone in your organization with GovSpend Admin permissions.

    Do you have any documentation to help with setting up SSO using Okta?

    Yes. Please reference the videos below with a sample Okta set up using SAML or OIDC to help walk through what you need to do on your end before GovSpend can configure your custom SSO:

    Terminology

    • Identity Provider (IDP) - An Identity Provider (IdP) is a system that manages user identities and provides authentication services. It verifies user credentials and issues tokens to enable access to other services or applications.
    • Tenant - A logical separation of users (for a microsite instance or a specific account within a microsite instance) and what identity providers they can use to authenticate with the Google Identity platform.
    • Issuer URL - Refers to the unique URL that identifies the Identity Provider (IdP) in an SSO setup. It is used to specify the entity that issues authentication tokens or assertions, which are then used to verify a user's identity to Service Providers (SPs).
    • Client ID - The provided OpenID Connect Client Id from the customer’s SSO questionnaire.
    • Client Secret - The provided OpenID Connect Client Secret from the customer’s SSO questionnaire.
    • Entity ID - This is the SAML provider’s Entity ID (Issuer). In the SAML protocol it identifies the entity that performs the authentication and sends the response back to the GovSpend application (the SAML Service Provider).
    • SSO URL - This is the SAML provider’s SSO URL. It will be used to redirect the user to a location/page to authenticate with the provider once the SAML flow is started.
    • Service Provider Entity ID - This is the Entity ID of our application that is presented to the SAML provider. In most cases it is not required or provided by the customer, and the SAML provider will be able to authenticate with just the rest of the provided configuration. If not explicitly specified or required by the customer, the convention so far is to use the GovSpend application home page https://app.govspend.com.