Single Sign-On

Overview

In v2.8 and above Wallboard supports Single Sign-On (SSO). With this feature you are able to use almost any third-party identity providers, like Microsoft Azure AD, Okta or your own. There is a social login option which allows you to login through Google or Microsoft with your email address. Basically any identity provider is supported which uses SAML v2.0 or OpenID Connect v1.0.

SAML v2.0 integration

If you want to use SAML v2.0 we need some information in order to configure it correctly. First of all you have to send your Idp metadata url. After that we will send back the Sp metadata file to you which you have to import into your Idp. Tell us when you have done that and we will enable it on your server and you can try it out.

OpenID Connect v1.0 integration

In order to use OpenID Connect there are some configuration steps we have to do.

We will need the following things:

Authorization URL
Token URL
Optional Logout URL
Client ID
Client Secret
Scopes if they differ from "openid profile email"

After this we will send you back the callback redirect URI what you have to enable.

SSO configuration for Wallboard server administrators

You can find the settings under Administrator -> System settings

SSO rules:

SSO enabled
- Enable/disable SSO in the system
Valid redirect domains
- Write your server's domains here. (e.g. beta.wallboard.Geomant.com)
- If this attribute is missing then the SSO callback will be refused. (Customer level white-labeled domains automatically approved.)
Enable user authentication with email only.
- Every user can login with their email address. No further map-able role or customer information needed from the identity provider.
Enable automatic user creation when role and customer information is given
- When it's disabled the user have to exist in Wallboard before they want to login with SSO.
Enable public user registration
- This option should only be used in on-premise scenarios. Any user coming from SSO who is not exists in the system will be automatically created.

Keycloak SSO settings:

Wallboard uses Keycloak as authentication broker. It's always required to configure in order to use SSO. You can use your own Keycloak if you want but we recommend to use our official one. To enable the Social logins (Google/Microsoft) globally for the system you need the following configuration:

If you need more details about the configuration please contact us.

First of all, set up your own white-labeled domain by this guide.

Under Settings -> White Label there is a block called Single Sign-on Settings.

This settings will only apply to the specific client.

To be able to use this feature we'll have to create the Keycloak realm and the client id, and of course we need all the information about your identity provider (see at SAML or OpenID Connect integration). If you are an advanced Keycloak user we can give you a realm admin which you can use to do further configuration.

If SSO login only enabled then your users will only be able to login from the configured identity provider. This is a very useful feature if you want to rely completely on SSO.

Set-up 2-factor authentication

Furthermore, if SSO login only enabled your users will be able to set up 2-factor authentication. To do this open your profile and click on the "NAVIGATE TO SSO" button. This will navigate to a new tab where the users can configure their Keycloak account.

The 2-factor authentication options can found under Authenticator menu. You just have to open Google Authenticator on your phone and add a new site by the QR code.

On-premise SSO solution

With the options we detailed above and our help, you'll be able to use any kind of SSO with unlimited capabilities. If you want to go super secure or the system runs inside a VPN and cannot reach the internet, but you still want to use your internal identity provider we can install and configure a private Keycloak for you.