Spotlight can use SSO from your Azure Active Directory, you just need to walk through a simple process to set this up.

Before you can start the setup, you’ll need your SSO configuration details from a member of the Spotlight team. These will include two URLs:

  1. The callback URL - used when setting Stax Spotlight up in Azure AD, and tells Azure AD where to send the response. As an example here, we’ll use https://app.stax.io/auth/azure_ad/my-token-here/callback
  2. The trigger / initiation URL - the URL that starts a login. As an example here, we’ll use https://app.stax.io/auth/azure_ad/my-token-here

Next, you’ll need access to the Azure console as someone with permissions to configure everything. Whilst logged into the console, you must then:

  1. From the header, search for “App registrations”
  2. Click “New registration”
  3. For name, enter “Stax Spotlight”
  4. For “Supported account types”, ensure “Accounts in this organizational directory only” is selected
  5. Choose “Client Application” for the Platform configuration.
  6. Press “Register” to create the application.
  7. Press “Add a platform” to add a new platform
  8. Choose “Web” for the type of the application.
  9. In the redirect field above, provide your callback URL, e.g. https://app.stax.io/auth/azure_ad/my-token-here/callback
  10. Press “Configure”
  11. On the left, press “Certificates & Secrets”
  12. Hit “New client secret”.
  13. Give the secret a description of “Stax Spotlight SSO”, and choose “Never” for expires.
  14. Capture the value of the newly-added Client Secret, to send to us.
  15. Go back to overview, and capture the value of “Application (client) ID”, to send to us.

Now, once you have those values, please send us the “Application (client) ID” value and the Client Secret value so that we can configure it from our side. We will also need your Azure AD “Tenant ID”, which is the final piece of information. Once set up, we’ll work with you to test that your SSO is correct and then enable it.

From then on, you can either go directly to your Trigger URL to log in, or alternatively, if you provide us with an email domain, we will automatically route all logins for that domain via your connection.
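As an added illustration (not Spotlight’s own code) of where the values collected above end up, this Python sketch builds the Azure AD authorization-code request that the trigger URL starts, checks that the callback URL matches the registered redirect URI exactly, and validates the response Azure AD sends back to the callback URL; the tenant ID, client ID and secret are placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values standing in for what the steps above produce (not real identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # Azure AD "Tenant ID"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # "Application (client) ID"
CLIENT_SECRET = "placeholder-client-secret"          # value from "Certificates & Secrets"
CALLBACK_URL = "https://app.stax.io/auth/azure_ad/my-token-here/callback"


def new_state():
    """Per-login random value that ties the callback to the browser session that started it."""
    return secrets.token_urlsafe(16)


def authorize_url(tenant_id, client_id, redirect_uri, state):
    """The Azure AD v2.0 request the trigger URL redirects the browser to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?" + urlencode(params)


def redirect_uri_matches(registered, requested):
    """Azure AD compares redirect URIs exactly: scheme, host, path and trailing slash all count."""
    return registered == requested


def parse_callback(callback_request_url, expected_state):
    """Handle the redirect back to the callback URL: surface errors, reject a foreign state, return the code."""
    qs = parse_qs(urlparse(callback_request_url).query)
    if "error" in qs:
        raise ValueError(f"Azure AD error: {qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    return qs["code"][0]


def token_request(tenant_id, client_id, client_secret, redirect_uri, code):
    """Endpoint and form body Spotlight's server would POST to exchange the code; the secret stays server-side."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri}
    return endpoint, body
```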
