Single Sign-On (SSO) Support

Specify 7.7 includes Single Sign-On (SSO) support, which integrates Specify 7 with a campus or institutional identity provider. It supports all identity providers (IdPs) that have an OpenID endpoint.

SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials. Reducing login to one set of credentials improves institutional security. When users have to use separate passwords for each app, they usually don’t.

For the most up-to-date SSO documentation, please refer to our GitHub project (see the text below the OAUTH_LOGIN_PROVIDERS heading in the specify_settings.py resource).

OAUTH_LOGIN_PROVIDERS
OAUTH_LOGIN_PROVIDERS = {
    # # Provider key represents the provider in the Specify system.
    # 'google': {
    #     # The title is displayed to the user in the UI.
    #     'title': "Google",

    #     # Obtain the client id and secret during the identity provider setup.
    #     'client_id': "**********.apps.googleusercontent.com",
    #     'client_secret': "*********************",

    #     # Specify will look for the OIC discovery endpoint at the below
    #     # url + '.well-known/openid-configuration'.
    #     'config': "https://accounts.google.com",

    #     # The OIC scopes to request. Should include at least openid and email.
    #     'scope': "openid email",
    # },

    # # A working Phantauth config for test purposes only.
    # 'phantauth': {
    #     'title': "Phantauth",
    #     'config': "https://phantauth.net",
    #     'scope': "openid profile email",
    #     'client_id': "latlux~mqs8zoig_5e",
    #     'client_secret': "82yHd4XA",
    # },
}

This must be initially configured in the Specify 7 server settings by an IT administrator.
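A pre-deployment check for the settings above, as an added example (not code from the Specify project): it verifies that each provider entry has the keys shown in the template, uses an https discovery base, requests at least the openid and email scopes, does not still carry a masked secret, and does not leave the test-only Phantauth provider enabled. The function names, the `production` flag, the single-slash join in `discovery_url`, and the sample providers are assumptions made for illustration.

```python
from urllib.parse import urlparse

REQUIRED_KEYS = ("title", "client_id", "client_secret", "config", "scope")
REQUIRED_SCOPES = {"openid", "email"}   # minimum named in the settings comments
TEST_ONLY_HOSTS = {"phantauth.net"}     # the template marks this provider test-only


def discovery_url(config_base):
    """Base URL plus '.well-known/openid-configuration', joined with one slash (assumption)."""
    return config_base.rstrip("/") + "/.well-known/openid-configuration"


def lint_providers(providers, production=True):
    """Return a sorted list of (provider_key, problem) tuples; empty means clean."""
    problems = []
    for key, conf in providers.items():
        missing = [k for k in REQUIRED_KEYS if not conf.get(k)]
        if missing:
            problems.append((key, "missing or empty: " + ", ".join(missing)))
        url = urlparse(conf.get("config") or "")
        if url.scheme != "https" or not url.hostname:
            problems.append((key, "config must be an https:// URL"))
        elif production and url.hostname in TEST_ONLY_HOSTS:
            problems.append((key, "test-only provider enabled in production"))
        lacking = REQUIRED_SCOPES - set((conf.get("scope") or "").split())
        if lacking:
            problems.append((key, "scope lacks: " + ", ".join(sorted(lacking))))
        if set(conf.get("client_secret") or "") == {"*"}:
            problems.append((key, "client_secret is still the masked placeholder"))
    return sorted(problems)


# Constructed sample settings (not a real deployment).
SAMPLE = {
    "campus": {"title": "Campus IdP", "client_id": "specify-web",
               "client_secret": "********", "config": "http://idp.example.edu",
               "scope": "openid profile"},
    "phantauth": {"title": "Phantauth", "client_id": "constructed-id",
                  "client_secret": "constructed-secret",
                  "config": "https://phantauth.net", "scope": "openid profile email"},
}

if __name__ == "__main__":
    for key, problem in lint_providers(SAMPLE):
        print(f"{key}: {problem}")
```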

Collection Admins

When using the Security and Accounts panel in Specify 7, you can now create an invite link when creating a new user.


You can then send the invite link to the user so that they can associate their OpenID SSO account with the Specify user.

When this link is opened, the user will see a dialog like this one:

Now they will be able to associate their SSO account with Specify. In this example, HappyTestUser can link their Phantauth account with the Specify user created in the previous step.

When SSO is configured, the login page will appear as below:

Users can now log in with either the SSO option or the standard Specify username and password.


If your collection is a member of the Specify Cloud service, we can assist in setting up SSO authentication for you!