Single Sign-On (SSO): Setup Guide
SSO is a convenient authentication service that allows users to access multiple applications with just one set of login credentials. With SSO, there's no need to log in again every time you open a new application.
Who is this for?
👤 Administrators
👁️🗨️ Available as an Add-on for selected plans
SSO with Showell
SSO (Single Sign-On) is a convenient authentication service that allows users to access multiple applications with just one set of login credentials. In other words, these users don't need a separate username and password for Showell.
Setting up SSO requires a certain level of expertise in IT, so we recommend that you only proceed with this setup if your company has dedicated IT personnel who can handle the process effectively.
Before setting up SSO
It’s important to understand how setting up SSO will impact user access and workspace behavior:
- User management moves to your SSO provider
  Users must exist in your SSO setup (and be assigned to the correct group, if used) before they can access Showell. See: After SSO is enabled
- Invitations behave differently with SSO
  Users must first be correctly configured on the SSO side before sending invites, otherwise access may not work as expected. See: Enable SSO invitations
- SSO can influence how users are routed during login
  When SSO is configured, users will automatically be redirected via SSO when logging in.
  - This works seamlessly if you have a single workspace, or all your workspaces use SSO.
  - If only some workspaces use SSO, additional configuration (such as SSO groups) may be needed to ensure users can access the correct workspace without being redirected elsewhere.
👉 In short: Plan your SSO scope (who + which workspaces) carefully before enabling it, especially in multi-workspace environments.
SSO Setup
In a nutshell:
- Configure Showell on your SSO provider’s side
- Share the required values with us
- We complete the setup and enable SSO
In detail:
- If you are completely new to SSO, choose a platform that supports the 'OpenID Connect' protocol. Once you have selected and configured your preferred SSO platform, it should provide you with instructions on how to implement the 'OpenID Connect' protocol.
  Some examples of supported SSO platforms are:
  - Entra ID - formerly Azure (Microsoft)
  - AWS Single Sign-On (Amazon)
  - Authpoint (WatchGuard)
  - Duo (Cisco)
  - Okta
  - OneLogin (One Identity)
  - Enterprise SSO (Oracle)
  - PingIdentity
- Follow the instructions provided in the Info Package:
  - Once SSO implementation has been agreed upon with Showell, you will receive an information package containing setup instructions and guidance. This includes detailed steps for configuring SSO with Microsoft Entra ID (formerly Azure AD). Most SSO platforms that support the OpenID Connect protocol follow a similar setup process. The package also includes the Redirect URLs required to complete the configuration.
  - If you have not yet received this information package, please reach out to your Showell contact person or Showell Support.
- Once you are all set up on the SSO platform's side, you must provide your Showell contact person, in a secure way (for example via Microsoft SharePoint/OneDrive with restricted access, Azure Key Vault, or Gmail confidential mode), with the following information to establish the connection:
  - client ID
  - client secret value, and its expiration date (if available)
  - discovery document URI
  - Group IDs: If you want to restrict access to your workspace to specific users, you can define Group IDs from your SSO provider. While optional, this is highly recommended.
    - Without Group IDs, any user with your company domain (e.g. @domain.com) could potentially access Showell via SSO.
    - By using groups, you can control access more precisely and ensure that only the right users are allowed in.
    - You can also define multiple groups. For example, if you have multiple workspaces in Showell:
      - A user in one group will have access to one workspace
      - A user in multiple groups will have access to multiple workspaces
  - (Optional) Test credentials: if you are using a testing environment and want to verify that everything is functioning correctly before making it available to a larger audience
- Showell will inform you once the connection has been established.
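Before handing over the discovery document URI, it is worth confirming that the document behind it belongs to the tenant you configured and advertises what this setup needs. The check below is an added example, not Showell's or any provider's own tooling; the `idp.example.com` documents are constructed samples, and in practice you would paste in the JSON downloaded from your own discovery URI.

```python
import json
from urllib.parse import urlparse

# Metadata that OpenID Connect Discovery 1.0 requires from a provider
# offering the authorization code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
SCOPES = ("openid", "email", "profile")  # the scopes this guide asks for
SUFFIX = "/.well-known/openid-configuration"


def check_discovery(discovery_uri, document):
    """Return a list of problems; an empty list means the values are consistent."""
    meta = json.loads(document)
    problems = [f"missing {f}" for f in REQUIRED if f not in meta]
    # The document lives at <issuer>/.well-known/openid-configuration, so a
    # mismatch usually means a URI copied from another tenant or environment.
    if discovery_uri != str(meta.get("issuer", "")).rstrip("/") + SUFFIX:
        problems.append("discovery URI does not belong to issuer")
    for field in ENDPOINTS:
        if field in meta and urlparse(str(meta[field])).scheme != "https":
            problems.append(f"{field} is not https")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response type 'code' not offered")
    if "RS256" not in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 signing not offered")
    # scopes_supported is optional metadata, so only check it when published.
    for scope in SCOPES:
        if "scopes_supported" in meta and scope not in meta["scopes_supported"]:
            problems.append(f"scope {scope} not advertised")
    return problems


# Constructed sample documents (idp.example.com is a placeholder provider).
BASE = "https://idp.example.com/tenant-a"
GOOD = {"issuer": BASE, "authorization_endpoint": BASE + "/authorize",
        "token_endpoint": BASE + "/token", "jwks_uri": BASE + "/keys",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
        "scopes_supported": ["openid", "email", "profile"]}
# Same provider, but with typical copy-and-paste mistakes.
BAD = dict(GOOD, issuer="https://idp.example.com/tenant-b",
           token_endpoint="http://idp.example.com/tenant-a/token",
           scopes_supported=["openid", "email"])
del BAD["jwks_uri"]

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(BASE + SUFFIX, json.dumps(doc)))
```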
After SSO is enabled (new and existing users)
Once SSO is enabled, user access is managed on your SSO provider’s side. Users must first be added there (for example, added to your SSO provider, or assigned to the appropriate group on the provider side if groups are used) before they can access Showell.
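To see what Group IDs change in practice, you can run a scope audit over an export of your directory before enabling SSO. The sketch below is an added example that models the behaviour this guide describes (domain-wide access without Group IDs, per-workspace access with them); it is not Showell's implementation, and the directory records, group IDs and workspace names are constructed.

```python
def plan_access(directory, domain, workspace_groups):
    """Model who can sign in, with or without Group IDs.

    directory: records of {"email", "groups"} exported from the SSO provider.
    workspace_groups: {workspace name: set of allowed Group IDs}; pass an
    empty dict to model a setup where no Group IDs were defined.
    """
    suffix = "@" + domain.lower()
    in_domain = [u for u in directory if u["email"].lower().endswith(suffix)]
    everyone = sorted(u["email"] for u in in_domain)
    if not workspace_groups:
        # No Group IDs: every account in the company domain can get in.
        return {"admitted": everyone, "by_workspace": {}, "excluded": []}
    by_workspace = {}
    for name, group_ids in workspace_groups.items():
        by_workspace[name] = sorted(
            u["email"] for u in in_domain if group_ids & set(u["groups"]))
    admitted = sorted({e for members in by_workspace.values() for e in members})
    # Accounts in the domain that no listed group covers are kept out.
    excluded = [e for e in everyone if e not in admitted]
    return {"admitted": admitted, "by_workspace": by_workspace,
            "excluded": excluded}


# Constructed directory export; the group IDs are placeholders.
SALES, PARTNERS = "grp-sales-0001", "grp-partners-0002"
DIRECTORY = [
    {"email": "alice@domain.com", "groups": [SALES]},
    {"email": "bob@domain.com", "groups": [SALES, PARTNERS]},
    {"email": "carol@domain.com", "groups": []},
    {"email": "svc-backup@domain.com", "groups": []},  # service account
]
WORKSPACES = {"Sales": {SALES}, "Partners": {PARTNERS}}

if __name__ == "__main__":
    print("without Group IDs:", plan_access(DIRECTORY, "domain.com", {}))
    print("with Group IDs:   ", plan_access(DIRECTORY, "domain.com", WORKSPACES))
```

The `excluded` list is the one to review: it shows accounts such as service accounts that domain-only access would have admitted.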
New users
- Provide the users with an SSO invite, OR
- New users can simply open the Showell app and enter their email address. They will be redirected to the SSO login, and their user account will be created automatically - provided they are included in your SSO configuration.
Users with an existing Showell user account (before SSO setup)
Existing users need to connect their account to SSO with a one-time domain login:
- Go to the Showell login page (app.showell.com)
  - If you are already signed in to Showell, signing out will redirect you to this page.
- Click “Use custom domain” below the email field
- Enter your company domain (this value will be provided by Showell after SSO configuration)
- Complete the SSO login
Users already connected to SSO
- Users who have already connected their account to SSO can simply log in using their email address.
Renewing your Secret Value and Expire Date
Once everything is configured, Showell automatically sets your secret value and its expiration date. Because this value expires (as is common with SSO providers like Entra ID), it must be renewed before the expiration date. This can be done directly within the Showell App for Web.
To ensure this is not missed, admins will receive email notifications ahead of time, reminding them to renew the value in time.

- Navigate to the Showell App for Web
- From the side menu, click Admin > Login & SSO
- Click 'Edit' to adjust the secret and/or Expire date
Enable SSO invitations
Once SSO is set up in your organization, you can effortlessly invite users to join your Showell Workspace. This efficient process ensures that users can easily accept the invitation and be added to the relevant groups right from the beginning.
Enable SSO invitation in Showell:
- Open the Showell App for Web
- From the Side menu, click Admin > General Preferences
- Under 'Experimental', enable SSO invitations.
Sending out the invitation:
- First make sure you have added the users on the SSO side
- Send out an invitation to those users
- You'll have to add your SSO Domain name when creating the invite (this value will be provided by Showell after SSO configuration).
- The users will receive an email with a link. Opening the link allows them to sign in with their email and access the Workspace. This comes with the added benefit that you, the Admin, can see who has accepted the invite.
How to set up Google SSO with Showell
➡️ Before you get started, please reach out to your Showell contact person or Showell Support to receive the Redirect URLs necessary during the installation.
- Navigate to Google Cloud Console
- Start by creating a new project for the SSO. You can find this option in the top right corner.
- With a new project, you will have to provide a name and location. The location depends on your environment.
- Select the created project and go to APIs & Services
- Go to the OAuth consent screen:
  - User Type: Internal
  - App information: Enter the necessary details based on your company's information. These details will be visible to end users who will be using the SSO login. It should convey to the end user that the application is trustworthy and reliable.
  - Authorized domains: add app.showell.com, or your custom domain here.
  - Scopes: add email, profile, and openid scopes
  - Test users: If you want to test the setup with a limited number of users, you have the option to set test users before fully implementing the Single Sign-On (SSO) connection.
- Configure OAuth credentials:
  - Navigate back to APIs & Services (as seen in points 1 to 3)
  - Choose Credentials > OAuth 2.0 Client IDs. This is where you define the redirect URI addresses.
  - Create Credentials > OAuth client ID
    - Application type: Web application
    - Name: Showell SSO
- If no test users were added, go to the OAuth consent screen and publish the app. Otherwise, this can be done after the login has been tested.
- Once you are all set up on the Google SSO platform's side, you must provide your Showell contact person, in a secure way (for example with Keybase or Gmail confidential mode), with the following information to establish the connection:
  - client_id
  - client_secret
- Showell will inform you once the connection has been established.
💡 FAQ
How do I enable SSO with my Showell Workspace?
An SSO connection is provided as a Showell Service. If you'd like to know more:
Do you provide alternative, secure login methods?
You and your users have the option to enhance the security of your Showell login by enabling Multifactor Authentication (MFA). MFA adds an extra layer of protection by requiring users to provide additional verification factors, such as a code sent to their mobile device. It's important to note that you cannot set up Showell's MFA in conjunction with SSO.