All Collections
Admin, Account, Users
SSO
Configure Single Sign-On for Portal and In-VR SSO
Configure Single Sign-On for Portal and In-VR SSO

Steps to connect a supported SSO service provider to ArborXR and enforce web portal SSO and/or in-VR SSO on devices or groups.

Josh Franzen avatar
Written by Josh Franzen
Updated over a week ago

Who can use this feature?

👤 Only Organizations Owners can access this feature.
🚩 Only available on the Enterprise Plan.

Overview

Within organization Settings > Single Sign-On, connect your SSO service provider for:

  • Single Sign-On to the ArborXR web portal

  • In-VR Single Sign-On

Google Workspace, Azure Active Directory, Salesforce, and any SSO providers that support the OAuth 2.0 or SAML 2.0 standards are supported.


OAth 2.0 Configuration Requirements

Google Workspace

  1. In ArborXR:

    1. Navigate to Settings in the side navigation menu.

    2. Select the Single Sign-On tab.

    3. Select Google Workspace.

    4. Copy the Redirect URI. You will need this in a few steps.

  2. In Google Admin:

    1. Select Internal.

    2. Click Create.

    3. Create an OAuth Client ID.

    4. Select Web Application for App Type.

    5. Paste the Redirect URI from ArborXR.

    6. Copy the Client ID and Client Secret values from Google Cloud Console. You will need these values in the next step.

  3. Navigate back to ArborXR:

    1. Copy the Client ID from Google Cloud Console and paste this into the Client ID field in ArborXR.

    2. Copy the Client Secret from Google Cloud Console and paste this into the Client Secret field in ArborXR.

    3. Enter your company's domain in the Domain field in ArborXR (e.g. arborxr.com).

    4. Click Apply Changes in ArborXR.

    5. Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.

⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.

Azure Active Directory

  1. In ArborXR:

    1. Navigate to Settings in the side navigation menu.

    2. Select the Single Sign-On tab.

    3. Select Azure Active Directory.

    4. Copy the Redirect URI. You will need this in a few steps.

  2. In Microsoft's Azure Portal:

    1. Navigate to App Registrations.

    2. Select New Registration.

    3. Enter a name.

    4. Under Supported account types, select Accounts in this organizational directory only (Single tenant).

    5. Under Redirect URI (optional), select Web and paste the Redirect URI from ArborXR.

    6. Click Register.

    7. Copy the Application (client) ID and Directory (tenant) ID and have these values accessible. You will need these values in a few steps.

    8. Navigate to Certificates & secrets in the side navigation menu.

    9. Select New client secret.

    10. Enter a description and specify the expiration date.

    11. Click Add.

    12. Copy the New Client Secret and have this value accessible alongside the Application (client) ID and Directory (tenant) ID values.

  3. Navigate back to ArborXR:

    1. Copy the Application (client) ID from the app registered in Azure AD and paste this into the Client ID field in ArborXR.

    2. Copy the New Client Secret value from the client secret in Azure AD and paste this into the Client Secret field in ArborXR.

    3. Copy the Directory (tenant) ID value from the app registered in Azure AD and paste this into the Directory (tenant) ID field in ArborXR.

    4. Click Apply Changes in ArborXR.

    5. Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.

⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.

Salesforce

  1. In ArborXR:

    1. Navigate to Settings in the side navigation menu.

    2. Select the Single Sign-On tab.

    3. Select Salesforce.

    4. Copy the Redirect URI. You will need this in a few steps.

  2. Login to your organization's Salesforce. Take note of the URL used to sign into Salesforce as you will need this URL later.

    1. In the side navigation menu, under Platform Tools, expand Apps and select App Manager.

    2. Select New Connected App.

    3. Specify the Connected App Name and Contact Email.

    4. Under API (Enable OAuth Settings), check Enable OAuth Settings.

    5. Paste the Redirect URI from ArborXR into the Call Back URL field in Salesforce.

    6. Under Available OAuth Scopes, select Access unique user identifiers (openid) and click Add.

    7. Click Save.

    8. Click Continue.

    9. Click Manage Consumer Details.

    10. Copy the Consumer Key and Consumer Secret from Salesforce. You will need these values in the next step.

  3. Navigate back to ArborXR:

    1. Copy the Consumer Key from Salesforce and paste this into the Client ID field in ArborXR.

    2. Copy the Consumer Secret from Salesforce and paste this into the Client Secret field in ArborXR.

    3. Copy the URL that you use to login to Salesforce and paste it into the Domain field in ArborXR.

    4. Click Apply Changes in ArborXR.

    5. Check the Require SSO for ArborXR Portal checkbox then click Apply Changes.

⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.


SAML 2.0 Configuration Requirements

Google Workspace

  1. In Google Admin panel:

    1. Navigate to Apps -> Web and mobile apps.

    2. Click Add App -> Add Custom SAML app.

    3. Set the name value to ArborXR.

    4. Click Download Metadata.

  2. In ArborXR:

    1. Navigate to Settings in the side navigation menu.

    2. Select the Single Sign-On tab.

    3. Choose Metadata XML and the file downloaded in step 5.

    4. Scroll down and click Apply Changes.

    5. You’ll now see a Redirect URI and an SP Entity ID URL at the top of your SAML configuration in ArborXR. Copy these values.

  3. Navigate back to Google Admin:

    1. Paste the Redirect URI value from ArborXR into the ACS URL field in Google Admin.

    2. Paste the SP Identity ID value from ArborXR into the Entity ID field field in Google Admin.

    3. Set the Name ID format to EMAIL.

    4. Set the Name ID to Basic Information > Primary Email.

    5. Click Continue.

  4. Navigate back to ArborXR and check the Require SSO for ArborXR Portal checkbox then click Apply Changes.

⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.

Azure Active Directory

    1. Create an enterprise application.

    2. Navigate to the Single sign-on tab for your new application, and select SAML.

    3. Under the SAML Certificates section, copy the App Federation Metadata Url.

  1. In ArborXR:

    1. Navigate to Settings in the side navigation menu.

    2. Select the Single Sign-On tab.

    3. Paste the Metadata URL you copied into the Hosted IdP Metadata URL input field.

    4. If your Azure AD SAML metadata contains more than one descriptor, you’ll need to tell ArborXR which one to use as the EntityID. To do this, enter it in the IdP Entity ID input field.

    5. You may also optionally configure your IdP’s Assertion Consumer Service (ACS) URL, IdP Assertion Signing Certificate, and Default Binding Method if your IdP requires them. In most simple instances, these can be left blank.

    6. Click Apply Changes.

    7. You’ll now see a Redirect URI and an SP Entity ID URL at the top of your SAML configuration in ArborXR. Copy these values.

  2. Navigate back to the Azure Portal:

    1. Paste the Redirect URI value from ArborXR into the Reply URL (Assertion Consumer Service URL) field in Azure.

    2. Paste the SP Identity ID value from ArborXR into the Identifier (Entity ID) field field in Azure.

    3. Click Save.

  3. Navigate back to ArborXR and check the Require SSO for ArborXR Portal checkbox then click Apply Changes.

⚠️ Once an SSO provider is connected and the Require SSO for ArborXR Portal checkbox is checked, all web portal users will need to log in using single sign-on unless they are exempted. For information about exempting select users from SSO, see this article.


In-VR Single Sign-On

Enforce in-VR SSO

  1. Navigate to a device or a group on which you would like to enforce SSO.

  2. Select the Settings tab.

  3. Select Security from the sub navigation menu.

  4. Check the Enable Authentication In-Headset box.

  5. Optionally check the Enable Guest Access box.


    ⚠️ Enabling guest access is critical if devices will be used offline. If SSO is enforced but the device is not connected to WiFi, users will not have a way to get past the SSO login screen unless guest access is enabled.


  6. Click Save.

Log Out

Users can log out by:

  1. Selecting the logout icon which can be found in the left hand corner of the dock (ArborXR Home) or in the quick access menu (ArborXR Kiosk Mode).

  2. Powering off the device.

  3. Setting aside the device 1 hour or longer (idle).

Did this answer your question?