Who can use this feature?
👤 Only Organizations Owners can access this feature.
🚩 Only available on the Enterprise Plan.
Overview
Within organization Settings > Single Sign-On, connect your identity provider for:
Single Sign-On to the ArborXR web portal
In-VR Single Sign-On
Google Workspace, Azure Active Directory, Salesforce, and any SSO providers that support the OAuth 2.0 or SAML 2.0 standards are supported.
OAuth 2.0 Configuration Requirements
Google Workspace
In ArborXR:
Navigate to Settings in the side navigation menu.
Select the Single Sign-On tab.
Select Google Workspace.
Copy the Redirect URI. You will need this in a few steps.
In Google Admin:
Navigate to the Google Cloud Console OAuth consent screen.
Select Internal.
Click Create.
Navigate to Google Cloud Console Credentials.
Create an OAuth Client ID.
Select Web Application for App Type.
Paste the Redirect URI from ArborXR.
Copy the Client ID and Client Secret values from Google Cloud Console. You will need these values in the next step.
Navigate back to ArborXR:
Copy the Client ID from Google Cloud Console and paste this into the Client ID field in ArborXR.
Copy the Client Secret from Google Cloud Console and paste this into the Client Secret field in ArborXR.
Enter your company's domain in the Domain field in ArborXR (e.g. arborxr.com).
Click Apply Changes in ArborXR.
Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.
⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.
Azure Active Directory
In ArborXR:
Navigate to Settings in the side navigation menu.
Select the Single Sign-On tab.
Select Azure Active Directory.
Copy the Redirect URI. You will need this in a few steps.
In Microsoft's Azure Portal:
Navigate to App Registrations.
Select New Registration.
Enter a name.
Under Supported account types, select Accounts in this organizational directory only (Single tenant).
Under Redirect URI (optional), select Web and paste the Redirect URI from ArborXR.
Click Register.
Copy the Application (client) ID and Directory (tenant) ID and have these values accessible. You will need these values in a few steps.
Navigate to Certificates & secrets in the side navigation menu.
Select New client secret.
Enter a description and specify the expiration date.
Click Add.
Copy the New Client Secret and have this value accessible alongside the Application (client) ID and Directory (tenant) ID values.
Navigate back to ArborXR:
Copy the Application (client) ID from the app registered in Azure AD and paste this into the Client ID field in ArborXR.
Copy the New Client Secret value from the client secret in Azure AD and paste this into the Client Secret field in ArborXR.
Copy the Directory (tenant) ID value from the app registered in Azure AD and paste this into the Directory (tenant) ID field in ArborXR.
Click Apply Changes in ArborXR.
Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.
⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.
Salesforce
In ArborXR:
Navigate to Settings in the side navigation menu.
Select the Single Sign-On tab.
Select Salesforce.
Copy the Redirect URI. You will need this in a few steps.
Login to your organization's Salesforce. Take note of the URL used to sign into Salesforce as you will need this URL later.
In the side navigation menu, under Platform Tools, expand Apps and select App Manager.
Select New Connected App.
Specify the Connected App Name and Contact Email.
Under API (Enable OAuth Settings), check Enable OAuth Settings.
Paste the Redirect URI from ArborXR into the Call Back URL field in Salesforce.
Under Available OAuth Scopes, select Access unique user identifiers (openid) and click Add.
Click Save.
Click Continue.
Click Manage Consumer Details.
Copy the Consumer Key and Consumer Secret from Salesforce. You will need these values in the next step.
Navigate back to ArborXR:
Copy the Consumer Key from Salesforce and paste this into the Client ID field in ArborXR.
Copy the Consumer Secret from Salesforce and paste this into the Client Secret field in ArborXR.
Copy the URL that you use to login to Salesforce and paste it into the Domain field in ArborXR.
Click Apply Changes in ArborXR.
Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.
⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.
SAML 2.0 Configuration Requirements
Google Workspace
In Google Admin panel:
Navigate to Apps -> Web and mobile apps.
Click Add App -> Add Custom SAML app.
Set the name value to ArborXR.
Click Download Metadata.
In ArborXR:
Navigate to Settings in the side navigation menu.
Select the Single Sign-On tab.
Choose Metadata XML and the file downloaded in step 5.
Scroll down and click Apply Changes.
You’ll now see a Redirect URI and an SP Entity ID URL at the top of your SAML configuration in ArborXR. Copy these values.
Navigate back to Google Admin:
Paste the Redirect URI value from ArborXR into the ACS URL field in Google Admin.
Paste the SP Identity ID value from ArborXR into the Entity ID field field in Google Admin.
Set the Name ID format to EMAIL.
Set the Name ID to Basic Information > Primary Email.
Click Continue.
Set User access to ON for everyone.
Navigate back to ArborXR and check the Require SSO for ArborXR Portal checkbox then click Apply Changes.
⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.
Azure Active Directory
Create an enterprise application.
Navigate to the Single sign-on tab for your new application, and select SAML.
Under the SAML Certificates section, copy the App Federation Metadata Url.
In ArborXR:
Navigate to Settings in the side navigation menu.
Select the Single Sign-On tab.
Paste the Metadata URL you copied into the Hosted IdP Metadata URL input field.
If your Azure AD SAML metadata contains more than one descriptor, you’ll need to tell ArborXR which one to use as the EntityID. To do this, enter it in the IdP Entity ID input field.
You may also optionally configure your IdP’s Assertion Consumer Service (ACS) URL, IdP Assertion Signing Certificate, and Default Binding Method if your IdP requires them. In most simple instances, these can be left blank.
Click Apply Changes.
You’ll now see a Redirect URI and an SP Entity ID URL at the top of your SAML configuration in ArborXR. Copy these values.
Navigate back to the Azure Portal:
Paste the Redirect URI value from ArborXR into the Reply URL (Assertion Consumer Service URL) field in Azure.
Paste the SP Identity ID value from ArborXR into the Identifier (Entity ID) field field in Azure.
Click Save.
Navigate back to ArborXR and check the Require SSO for ArborXR Portal checkbox then click Apply Changes.
⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.
In-VR Single Sign-On
Click In-VR Single Sign-On for steps to configure in-VR SSO.