Single Sign-On (SSO) allows people from your company to log in to WinCan Web using your company’s own login scheme. This manual explains how to use and configure SSO for your WinCan Web company.
🔐 1. Logging in
To log in with your company’s SSO provider, ask your company’s administrator for any of the following:
Automatic SSO login link
With an automatic SSO login link you can quickly log in to WinCan Web using your SSO provider’s credentials without seeing the WinCan login page.
Unique SSO name
Using your company’s unique SSO name you can log in using the WinCan login page via the “Sign in with SSO” button:
Here you’ll be able to use the unique SSO name provided by your company’s admin to log in with your SSO provider’s credentials:
After successfully logging in with your SSO provider we will store this information in your browser session, so you don’t need to remember the unique SSO name or the automatic SSO login link.
You will be redirected to your SSO provider’s login page allowing you to log in to WinCan Web using your company’s account.
⚙️ 2. Configuring SSO
Configuring the SSO provider in WinCan Web can only be done by a user with permission: the company admin with a valid license (excluding sub accounts).
2.1. Finding SSO configuration form
To configure the SSO provider for your company, follow the highlighted steps in WinCan Web:
Once enabled you can begin configuring your SSO provider.
2.2 Configuring SSO provider
To configure your SSO provider in WinCan Web, follow the provided setup form. To streamline the process we have prepared templates for some popular SSO providers, including Microsoft Azure, Google Cloud, and Okta.
Your first step is to fill in the unique SSO name. This name will be used by your company’s users to log in to WinCan Web via your SSO provider. It should be short and simple and should uniquely identify your company.
For your unique SSO name you can only use letters, digits, and hyphens.
Once you provide a correct name you can continue to the section of this guide that fits your SSO provider.
2.2.1 Microsoft Azure
If you use Microsoft Azure as your SSO provider, first select it from the drop-down menu and click next:
Then log in to your company’s Microsoft Azure Portal and find Microsoft Entra ID:
Next add a new app registration:
Fill in a name, then in the Redirect URI section select Web from the drop-down list and paste the Sign-In Redirect from the WinCan Web SSO configuration form:
The application name in Microsoft Entra ID doesn’t have to match the unique SSO name set in the WinCan Web SSO configuration form. We recommend using WinCan Web as the name here.
Even though the Redirect URI section is shown as optional, it is required to fill this data so WinCan Web can communicate properly with Microsoft Entra ID.
After registering the app in Microsoft Entra ID, fill the provided Tenant ID and Client ID in the next step of the SSO configuration form, then click the Add a certificate or secret button:
For security reasons do not share your Client ID with any third party.
To add a new secret, click the New client secret button and click Add in the popup window. You can optionally fill in a description and an expiration time:
Once the client secret expires it will be necessary to create a new one and set it in the WinCan Web SSO configuration form, otherwise SSO login will stop working.
For security reasons do not share your Client Secret with any third party.
Once added, copy the newly created secret to the SSO configuration form and save:
Congratulations! You can now share the unique SSO name and/or the automatic SSO login link with your users.
2.2.2 Google Cloud
If you use Google Cloud as your SSO provider, first select it from the drop-down menu and click next:
Then log in to your company’s Google Cloud Console and find APIs & Services:
In the APIs & Services menu create new OAuth client ID credentials:
From the Application Type drop-down menu select Web application, fill in the name, then add and fill in the URIs as presented in the WinCan Web SSO configuration form:
The application name in Google Cloud credentials doesn’t have to match the unique SSO name set in the WinCan Web SSO configuration form. We recommend using WinCan Web as the name here.
After creating the credentials you will be presented with the Client ID and Client Secret values, fill them in the WinCan Web SSO configuration form, but don’t save yet - you will have to use those values in the next step.
Keep the Client ID and Client Secret values temporarily stored; we will have to configure another Google Cloud service with them.
For security reasons do not share your Client ID or Client Secret with any third party.
After copying the Client ID and Client Secret find Identity Platform in the Google Cloud Console:
In the Identity Platform service add a new provider:
Next, in the Select a provider drop-down menu select Google, fill in the previously copied Client ID and Client Secret and then click the Add Domain button:
Do not select OpenID Connect as the provider; it has to be set as Google.
In the Add authorized domain popup window fill the domain with the Trusted Origin provided in the 3rd step of the WinCan Web SSO configuration form:
You can safely go back to the 3rd step of the WinCan Web SSO configuration form, data already entered will NOT be lost.
Congratulations! You can now share the unique SSO name and/or the automatic SSO login link with your users.
2.2.3 Okta
If you use Okta as your SSO provider, first select it from the drop-down menu and click next:
Then log in to your company’s Okta Admin Console and create a new App Integration:
In the popup menu select OIDC - OpenID Connect sign-in method and Web Application application type:
Next choose a name and fill the Sign-in redirect URIs and Base URIs fields with the Sign-In Redirect and Trusted Origin values from the WinCan Web SSO configuration form as shown:
The application name in an Okta application doesn’t have to match the unique SSO name set in the WinCan Web SSO configuration form. We recommend using WinCan Web as the name here.
Even though Okta marks the Base URIs field as optional, we recommend filling it as shown for security reasons.
After saving you can fill the Client ID and Client Secret in the WinCan Web SSO configuration form:
For security reasons do not share your Client ID or Client Secret with any third party.
To find your Okta domain go to the Brands section in the Okta Admin Console:
If no custom domains were set up, use the Okta subdomain in the WinCan Web SSO configuration form. Otherwise if a custom domain was set up, we recommend using that domain instead.
Congratulations! You can now share the unique SSO name and/or the automatic SSO login link with your users.
2.2.4 Other / Custom
If you have an SSO provider that is not listed or if you host your own SSO solution, you’ll be required to provide a Client ID and a Client Secret provided by your provider or solution, as well as the Domain where the provider or solution is hosted.
Your SSO provider or SSO solution needs to support the OpenID Connect (OIDC) standard.
Please check your SSO provider’s or SSO solution’s documentation for specifics regarding integrating a Web Application via the OIDC standard.
To start, please select the Other / Custom option from the drop-down menu in the WinCan Web SSO configuration form.
Then open your SSO provider or SSO solution configuration and provide some information about WinCan Web:
Trusted Origin is the URI from which the authentication requests will be directed.
Sign-In Redirect is the URI which will be used by the SSO provider or SSO solution to return to WinCan Web after a successful login.
If you’re asked for the type of application, choose Web Application.
If you’re asked for an application name it doesn’t have to match the unique SSO name set in the WinCan Web SSO configuration form. We recommend using WinCan Web as the name.
After setting up WinCan Web in your SSO provider or SSO solution, please fill the required information:
Client ID and Client Secret are provided by your SSO provider or SSO solution in order to identify and authorize WinCan Web.
Domain is the base URI used by your SSO provider or SSO solution.
For the Domain to be correct, it has to serve a Discovery Document as specified by the OIDC standard. That is, if your SSO provider’s or SSO solution’s domain is
https://mycompany.com/login
then there should exist a correct document hosted in
https://mycompany.com/login/.well-known/openid-configuration
This document is used by WinCan Web to properly identify endpoints required to authenticate the users.
The SSO provider’s or SSO solution’s Domain has to be set up with the HTTPS protocol.
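Before entering a Domain in the form, an administrator can check it against the two requirements above. The following is an added example, not WinCan's code: the required-field list comes from OpenID Connect Discovery 1.0, and the sample documents and their endpoint paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Fields OpenID Connect Discovery 1.0 marks as REQUIRED (authorization code flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(domain: str) -> str:
    """Build the Discovery Document URL; refuse a Domain that is not HTTPS."""
    parts = urlsplit(domain)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Domain must be an absolute https:// URI")
    return domain.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(domain: str, document: str) -> list:
    """Return the problems found in a Discovery Document (empty list = OK)."""
    try:
        meta = json.loads(document)
    except json.JSONDecodeError:
        return ["document is not valid JSON"]
    if not isinstance(meta, dict):
        return ["document is not a JSON object"]
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in meta]
    # The issuer has to be the Domain itself; a trailing slash is tolerated here.
    if str(meta.get("issuer", "")).rstrip("/") != domain.rstrip("/"):
        problems.append("issuer does not match the configured Domain")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in meta and urlsplit(str(meta[key])).scheme != "https":
            problems.append(f"{key} is not served over HTTPS")
    return problems

# Constructed sample documents (not taken from any real provider).
DOMAIN = "https://mycompany.com/login"
GOOD = json.dumps({
    "issuer": DOMAIN,
    "authorization_endpoint": DOMAIN + "/authorize",
    "token_endpoint": DOMAIN + "/token",
    "jwks_uri": DOMAIN + "/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
BAD = json.dumps({
    "issuer": "https://mycompany.com",           # differs from the Domain
    "authorization_endpoint": DOMAIN + "/authorize",
    "token_endpoint": "http://mycompany.com/login/token",  # plain HTTP
    "response_types_supported": ["code"],
})
```

To check a live provider, fetch the URL returned by `discovery_url()` and pass the response body to `check_discovery()`.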
For security reasons do not share your Client ID or Client Secret with any third party.
If everything went well you can save the SSO configuration.
Congratulations! You can now share the unique SSO name and/or the automatic SSO login link with your users.