What is SSO?

Single Sign-On capability provides the end users an easier way to login compared to the email/password login method. Users can log in to the Sprinklr platform via their company’s enterprise login only, with just a click. 

For example, for a user, who is logged into their brand’s employee portal, once the SSO setup is done for the brand then this user will be able to directly log in to Sprinklr. Login will happen via the brand's identity provider directly and no separate username and password needs to be created for logging in to Sprinklr 

Benefits of Using SSO login: 

• Adds convenience for the customer: Fewer logins that they need to create and remember 

• Increases security:  

  • Any individual leaving the company will lose Sprinklr access as well.  

  • This would result in any security measures built into the customer’s login such as two-factor authentication, being on an internal network, etc., applied to Sprinklr login as well 

Here is a sample screenshot of what the client will see when SSO is enabled, which will vary for each implementation:  

How does SSO work? 

There are two parties involved in a SSO login: 

• IDP: Identity Provider where the user’s identity is stored. Eg: Microsoft Azure 
  An IDP is a service that maintains and manages digital identities to verify user credentials throughout applications, networks, and web services. Its primary role is to safeguard the integrity of user credentials and federate user identity where SSO logins are desired. 

• SP/Client: Service Provider (The application users want to access). Eg: Sprinklr platform 
  Service providers are a resource that users authenticate into using SSO, usually a private website or application. They receive, accept, or deny assertions (in case of SAML 2.0) & ID tokens (in case of OIDC) from IDPs for each client profile prior to granting users access. 

The IDP has the information of the various SPs/Clients and vice versa. The architecture is a handshake protocol. Sprinklr validates the information and only then allows the user to be logged in. 

What information is required to for the Customer to register Sprinklr in their IDP for OpenID Connect SSO? 

• Client (Sprinklr in this case) details including: 

  • Redirect URL/ Reply URL/ ACS URL : https://{prefix-of-domain}.sprinklr.com/ui/openid/login?provider=OPEN_ID_CONNECT 

    • The naming convention is https://x.sprinklr.com /ui/openid/login?provider=OPEN_ID_CONNECT for the production and https://staging-x.sprinklr.com /ui/openid/login?provider=OPEN_ID_CONNECT for the staging, where x is the name of the Client. The staging URL should be the custom domain that we can fetch from the backend for any partner. 

How to register Sprinklr as a Client on the IDP for OpenID Connect SSO? 

• Navigate to the section where you can add new applications or clients on the IDP 

• Enter Basic Client Details 

  • Client Name: Enter a descriptive name for the client application, such as "Sprinklr SSO." 

  • Client ID: The IdP may automatically generate a unique identifier for the client. Ensure to note this down as it will be needed later. 

  • Redirect URL: Specify the URL where the IdP should send the authorization code or tokens after authentication. This is provided by Sprinklr. 

• Configure Authentication and Authorization Settings 

  • Response Type: Typically, this will be set to code for authorization code flow. 

  • Grant Type: Select authorization_code. If applicable, you may also configure other grant types like refresh_token. 

  • Scopes: Define the OpenID Connect scopes that the client application will request. Common scopes include openid, profile, and email. 

• Configure Security Settings 

  • Client Secret: Generate a client secret. This secret will be used by Sprinklr to authenticate itself to the IdP when exchanging the authorization code for tokens. 

  • Token Endpoint Authentication Method: Choose the method Sprinklr will use to authenticate at the token endpoint (e.g., client_secret_basic). 

• Define Additional Endpoints (if applicable) 

  • Post-Logout Redirect URI: Specify a URL where users should be redirected after they log out. 

  • JWKs URI: If the IdP supports JSON Web Key Sets, specify the URL where Sprinklr can retrieve the IdP’s public keys for validating tokens. 

• Save the Configuration 

• After entering all the required details, save the configuration. The IdP will now recognize Sprinklr as an authorized client application. 

• Provide Configuration Details to Sprinklr 

  • Client ID/Client Key: The unique identifier for Sprinklr. 

  • Client Secret: The secret key generated during client registration. 

  • Authorization Endpoint: The URL to initiate the authorization request. 

  • Token Endpoint: The URL to exchange the authorization code for tokens. 

  • Userinfo Endpoint: The URL to obtain user profile information. 

  • Scopes: The scopes that Sprinklr is authorized to request.

How to configure an OpenID SSO on Sprinklr?

• Ensure SSO configurations are enabled on Sprinklr before proceeding with below steps, raise a support ticket for the same if they are not enabled 

• Navigate to All Settings -> Manage Customer -> Single Sign-Ons -> Click Add Single Sign On -> Click ’Open ID’ under Select the Type of Single Sign On  

• Fill all the mandatory fields with information received from the IDP. You can also import the metadata (Discovery Document/JSON) file provided by the IDP to auto-fill the required fields.

  ​

  

• In the Auto Provisioning section, click Start Test to simulate all steps of the SSO flow before saving the configuration.

  ​

  ​

  ​

• Click Save in the bottom right corner to save your SSO configuration.

  ​

The following table showcases the difference between the steps involved in setting up a SAML 2.0 SSO and an OpenID Connect SSO-

Although the login flow of OpenID Connect SSO is like that of SAML SSO, this table showcases the differences between both: