Single sign-on authentication

The Stadium Application Manager enables you to set up your Single sign-on Authentication details for deployed applications.

Steps:

1. Enter an administrator Email and Name. The email address must be registered with your Authentication service provider.

2. Take note of the following details that are provided by Stadium, which will be required by your Authentication service provider:

   • Redirect URL

   • Logout Redirect URL

3. Select your OIDC Provider (i.e. Authentication service provider):

   • AuthO

   • Okta

   • Microsoft Entra ID (previously known as Azure AD or Azure Active Directory)

   • Generic Provider

4. The following fields must be completed with the details that you will obtain from your Authentication service provider:

   • Domain (only AuthO and Okta)

   • Client ID

   • Client Secret

   • API Resource Name (only Generic Provider)

   • API Resource Secret (only Generic Provider)

   • Role Claim Name (only AuthO and Okta)

   • Tenant ID (only Azure AD)

   • Audience (only Generic Provider)

   • Scopes (only Generic Provider)

Auth0

1. Select Auth0 as your OIDC Provider.

2. Go to auth0.com.

3. Under Applications > Applications, click on Create Application.

4. In the Create application popup, under Choose an application type, select Single Page Web Applications.

5. Under the application Settings.

6. Under Application URIs:

   • set Allowed Callback URIs to https://localhost/{webAppName}/callback

   • set Allowed Logout URIs to https://localhost/{webAppName}/logout

   • set Allowed Web Origins to https://localhost/{webAppName}

7. Send back User Roles in the ID Token (see https://community.auth0.com/t/how-to-add-roles-and-permissions-to-the-id-token-using-actions/84506)

Okta

1. Select Okta as your OIDC Provider.

2. Register an account on okta.com.

3. Under Applications > Applications, click on Create App Integration.

4. In the Create a new app integration popup:

   • Under Sign-in method, choose OIDC - OpenID Connect.

   • Under Application type, choose Single-Page Application.

5. On the New Single-Page App Integration, ensure the following settings:

   • Grant type, check only Authorization Code.

   • Sign-in redirect URIs, https://localhost/{webAppName}/callback.

   • Sign-out redirect URIs, https://localhost/{webAppName}/logout.

6. Under Directory > People:

   • Select the user whose email was used during deployment.

   • Click on Assign Applications.

   • For the respective application, click on Assign.

   • Click on Save and Go Back, Done.

To set up groups in Okta:

1. Under Directory > Groups, add and assign a group to People and/or Apps.

2. Under Security > API, select the relevant Authorization Server (e.g.: default).

3. In the Claims tab, add a new claim for the roles (a.k.a. groups):

   • Name: value corresponding to the role claim name entered during the Stadium app deployment.

   • Include in token type: ID Token; Always.

   • Value type: Groups.

   • Filter: Matches regex; .* (or any other desired filter).

   • Include in: Any scope.

Microsoft Entra ID

1. Start in MS Entra ID:

   1.1. Set up your app in MS Entra ID. See Quickstart: Register an application with the Microsoft identity platform.

2. Move over to SAM:

   2.1. Select MS Entra ID as your OIDC Provider. 2.2. Enter the relevant details obtained from MS Entra ID (see the page you left open):

   • Directory (Tenant) ID('s) - add a single tenant or a list of tenants, separated by commas.

   • Client ID. 2.3. Take note of the Redirect URL and Logout URL. These values will be used in the last step when finishing the registration in MS Entra ID.

3. Back in MS Entra ID, on your registered app:

   3.1. Navigate to Manage > Authentication.

   3.2. Click 'Add a platform' and select 'Single-page application.'

   3.3. Set the "Redirect URI" and "Front-channel logout URL" found in SAM (See Step 2.3 to find these values).

   3.4. Click Configure.

   3.5. Lastly, configure roles on your application. For detailed steps on the Azure AD setup, go here.

Generic Provider

1. Select <Generic Provider> as your OIDC Provider.

2. Sign in to the relevant Authentication service provider's portal, e.g. console.developers.google.com for Google authentication.

3. Complete the necessary app registration steps on your provider's portal, providing the required details you receive from Stadium, e.g. Redirect URL and Logout Redirect URL, as well as retrieving the details from the provider that you have to enter on Stadium, including:

   • Client ID

   • API Resource Name

   • API Resource Secret

   • Audience

   • Scopes