Authentication Setup

This guide covers authentication configuration in SPSA.


Authentication Methods

SPSA supports multiple authentication methods:

Method                 Edition   Description
Local Database         All       Built-in user database
TOTP MFA               All       Time-based one-time passwords
Cisco DUO              All       DUO Authentication integration
Active Directory SSO   All       Windows AD integration
Entra ID / SAML        All       Microsoft Entra ID (Azure AD) SSO
OpenID Connect         All       OAuth 2.0-based authentication

Local Authentication

Overview

Local authentication uses SPSA's built-in user database. This is the default and works with all editions.

Create Local Users

  1. Go to Settings > Users
  2. Click New User
  3. Set username and password
  4. Configure MFA enrollment
  5. Save

Multi-Factor Authentication (MFA)

TOTP Authentication

SPSA requires TOTP-based MFA for all portal users. Compatible authenticator apps:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • Any TOTP-compatible app

MFA Required

MFA cannot be disabled in SPSA. This is by design for security.

Cisco DUO Authentication

SPSA supports Cisco DUO for enterprise MFA:

  1. Configure DUO application in DUO Admin Panel
  2. Configure SPSA with DUO integration keys
  3. Users authenticate via DUO push, SMS, or hardware token

Contact Skillplan for DUO configuration assistance.


Active Directory Integration

SPSA integrates with Active Directory for authentication and user management.

Requirements

  • Network connectivity from SPSA to Domain Controller
  • Service account with read access to AD
  • LDAP/LDAPS port accessibility (389/636)

Configuration Overview

AD integration is configured through the SPSA Portal. Contact Skillplan for detailed setup assistance.


Microsoft Entra ID Integration

SPSA supports Microsoft Entra ID (formerly Azure Active Directory) for Single Sign-On using:

  • SAML 2.0 - Established standard with broad support
  • OpenID Connect (OIDC) - Modern OAuth 2.0-based protocol

Architecture Overview

flowchart LR
    U[User Browser] -->|HTTPS| SPSA[SPSA Portal]
    SPSA -->|SAML/OIDC| ENTRA[Microsoft Entra ID]
    ENTRA -->|Token| SPSA
    SPSA -->|Access| T[Target Systems]
    style ENTRA fill:#0078d4,stroke:#005a9e,color:#fff

Protocol Comparison

Feature           SAML 2.0            OpenID Connect
Standard          XML-based           JSON/JWT-based
Configuration     More complex        Simpler
Groups Support    Via assertions      Via JWT claims
Recommended For   Legacy/compliance   New deployments

Recommendation

OpenID Connect (OIDC) is recommended for new implementations due to simpler configuration and maintenance.


SAML 2.0 Configuration with Entra ID

Step 1: Create Enterprise Application in Entra ID

  1. Sign in to Azure Portal: https://portal.azure.com
  2. Navigate to: Microsoft Entra ID > Enterprise applications
  3. Click New application
  4. Select Create your own application
  5. Enter a name (e.g., "SPSA Portal")
  6. Select Integrate any other application you don't find in the gallery (Non-gallery)
  7. Click Create

Step 2: Configure SAML Single Sign-On

  1. In the created Enterprise Application, navigate to Single sign-on
  2. Select SAML
  3. Click Edit on Basic SAML Configuration
  4. Configure the following values:

     Parameter                Value
     Identifier (Entity ID)   https://spsa.yourdomain.com
     Reply URL (ACS URL)      https://spsa.yourdomain.com/guacamole/
     Sign on URL              https://spsa.yourdomain.com/guacamole/

URL Format

URLs must match exactly, including trailing slashes. Mismatched URLs are a common cause of SAML errors.

Step 3: Download SAML Metadata

  1. Scroll to SAML Certificates
  2. Copy the App Federation Metadata URL
  3. Or download the Federation Metadata XML file

Save the metadata URL for SPSA configuration.

Step 4: Assign Users and Groups

  1. Navigate to Users and groups
  2. Click Add user/group
  3. Select the users and/or groups that should have access to SPSA
  4. Click Assign

Step 5: Configure SPSA for SAML

Contact Skillplan support to configure SPSA with your SAML settings. You will need:

  • App Federation Metadata URL (from Step 3)
  • Entity ID (from Step 2)
  • Callback URL, i.e. the Reply URL (ACS URL) (from Step 2)

Step 6: Create SPSA Users

  1. Log in to SPSA Portal with local admin account
  2. Go to Settings > Users
  3. Create users with email addresses matching Entra ID
  4. Important: Do NOT set a password for SAML users
  5. Assign appropriate connection permissions

OpenID Connect (OIDC) Configuration with Entra ID

Step 1: Create App Registration in Entra ID

  1. Sign in to Azure Portal: https://portal.azure.com
  2. Navigate to: Microsoft Entra ID > App registrations
  3. Click New registration
  4. Enter a name (e.g., "SPSA OIDC")
  5. Select Accounts in this organizational directory only (Single tenant)
  6. Configure Redirect URI:
     • Platform: Web
     • URI: https://spsa.yourdomain.com/guacamole/
  7. Click Register

Step 2: Note Client ID and Tenant ID

After registration, note the following from the Overview page:

Value                     Description
Application (client) ID   Your Client ID
Directory (tenant) ID     Your Tenant ID

Step 3: Enable Implicit Flow

  1. Navigate to Authentication
  2. Under Implicit grant and hybrid flows:
     • Enable ID tokens (used for implicit and hybrid flows)
  3. Click Save

Step 4: Configure API Permissions

  1. Navigate to API permissions
  2. Ensure the following permissions are present:
     • openid
     • profile
     • email
     • User.Read

Step 5: Configure Groups Claims (Optional)

To pass group membership to SPSA:

  1. Navigate to Token configuration
  2. Click Add groups claim
  3. Select Security groups
  4. Under ID: Enable Group ID
  5. Click Add

Step 6: Construct Discovery URL

The OpenID Connect Discovery URL for Entra ID:

https://login.microsoftonline.com/{TENANT-ID}/v2.0/.well-known/openid-configuration

Replace {TENANT-ID} with your Directory (tenant) ID from Step 2.

Step 7: Configure SPSA for OIDC

Contact Skillplan support to configure SPSA with your OIDC settings. You will need:

Parameter                Value
Authorization Endpoint   https://login.microsoftonline.com/{TENANT-ID}/oauth2/v2.0/authorize
JWKS Endpoint            https://login.microsoftonline.com/{TENANT-ID}/discovery/v2.0/keys
Issuer                   https://login.microsoftonline.com/{TENANT-ID}/v2.0
Client ID                Application (client) ID from Step 2
Redirect URI             https://spsa.yourdomain.com/guacamole/
Scope                    openid profile email
Username Claim           preferred_username
Groups Claim             groups (if configured in Step 5)
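As an added example (not SPSA's or Skillplan's own code), the following Python derives the Step 6 and Step 7 parameters from a tenant ID and applies the claim checks behind the "Invalid Issuer" and time-synchronization troubleshooting rows to a constructed ID token. It assumes the token's signature has already been verified against the JWKS endpoint; the tenant ID, client ID, group ID and username are placeholders.

```python
# Constructed placeholder values: replace with the Directory (tenant) ID and
# Application (client) ID from your App Registration's Overview page (Step 2).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
MAX_CLOCK_SKEW_SECONDS = 300  # 5 minutes, the tolerance the troubleshooting table cites

# Constructed sample of the claims an Entra ID v2.0 ID token carries once the
# groups claim from Step 5 is enabled (all values are placeholders).
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": CLIENT_ID,
    "iat": 1700000000,
    "nbf": 1700000000,
    "exp": 1700003600,
    "preferred_username": "alice@yourdomain.com",
    "groups": ["22222222-2222-2222-2222-222222222222"],
}


def entra_endpoints(tenant_id: str) -> dict:
    """Derive the OIDC parameters of Steps 6 and 7 from the tenant ID alone."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "discovery": f"{base}/v2.0/.well-known/openid-configuration",
        "issuer": f"{base}/v2.0",
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
    }


def check_id_token_claims(claims: dict, tenant_id: str, client_id: str, now: int) -> dict:
    """Validate the claims of an ID token whose signature was already verified
    against the JWKS endpoint, and map them to an SPSA username and group list.
    Raises ValueError with a message that points at the matching troubleshooting row."""
    if claims.get("iss") != entra_endpoints(tenant_id)["issuer"]:
        raise ValueError("Invalid Issuer: check the Tenant ID in the Issuer URL")
    if claims.get("aud") != client_id:
        raise ValueError("Audience mismatch: token was not issued for this Client ID")
    not_before = claims.get("nbf", claims["iat"])
    if now > claims["exp"] + MAX_CLOCK_SKEW_SECONDS or now < not_before - MAX_CLOCK_SKEW_SECONDS:
        raise ValueError("Token outside validity window: check time synchronization")
    username = claims.get("preferred_username")
    if not username:
        raise ValueError("No preferred_username claim: check the openid/profile scopes")
    # Groups arrive as object IDs when "Group ID" is selected in Step 5.
    return {"username": username, "groups": list(claims.get("groups", []))}
```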

Step 8: Create SPSA Users

  1. Log in to SPSA Portal with local admin account
  2. Go to Settings > Users
  3. Create users with usernames matching Entra ID (typically email or UPN)
  4. Important: Do NOT set a password for OIDC users
  5. Assign appropriate connection permissions

Conditional Access Policies

When using Entra ID, you can leverage Conditional Access Policies for enhanced security:

Policy              Description
Require MFA         Force multi-factor authentication via Entra ID
Location-based      Restrict access by geographic location
Device Compliance   Require compliant/managed devices
Risk-based          Block risky sign-ins
Session Controls    Limit session duration

Defense in Depth

Conditional Access Policies in Entra ID complement SPSA's built-in MFA for layered security.

Configure Conditional Access

  1. In Azure Portal, navigate to Microsoft Entra ID > Security > Conditional Access
  2. Click New policy
  3. Configure:
     • Users: Select users/groups
     • Cloud apps: Select your SPSA application
     • Conditions: Configure location, device, risk level
     • Grant: Require MFA, compliant device, etc.
  4. Enable policy and save

Troubleshooting

SAML Issues

Problem             Symptom                               Solution
Validation Error    "SAML validation failed"              Verify Entity ID and Callback URL match exactly (including trailing slash)
User Not Found      Login succeeds but "User not found"   Create user in SPSA with exact email address from Entra ID; do NOT set password
Time Sync Error     Intermittent failures                 Ensure SPSA time is synchronized (max 5 minutes drift allowed)
Certificate Error   SSL/TLS errors                        Verify SPSA has valid SSL certificate

OIDC Issues

Problem             Symptom                               Solution
No ID Token         Redirect works but no login           Enable "ID tokens" in Authentication settings
Missing Groups      Auth works but no group membership    Add groups claim in Token configuration
Redirect Mismatch   Error after Entra ID login            Verify Redirect URI matches exactly in App Registration
Invalid Issuer      Token validation fails                Verify Issuer URL includes correct Tenant ID

General Issues

Problem                               Solution
Cannot access SPSA after SSO config   Use local admin account to troubleshoot; local auth remains available
Users see wrong connections           Verify user-to-connection permissions in SPSA
Session timeout too short             Adjust token validity settings

Best Practices

Security Recommendations

  1. Always use HTTPS - SPSA uses Caddy for automatic SSL
  2. Implement Conditional Access - Use Entra ID policies for MFA, location, device compliance
  3. Use Groups for Access Management - Create dedicated Entra ID groups for SPSA access
  4. Limit Network Access - SPSA should only be accessible to authorized networks
  5. Enable Audit Logging - Monitor Entra ID sign-in logs and SPSA session history
  6. Regular Access Reviews - Periodically review user access in both Entra ID and SPSA

User Management

Practice          Recommendation
User Creation     Create SPSA users matching Entra ID identities
Password Policy   Do NOT set passwords for SSO users
Group Mapping     Use Entra ID groups for connection access control
Offboarding       Disable in Entra ID AND remove from SPSA

Support

For authentication setup assistance:

Email     support@skill-plan.com
Website   https://www.skill-plan.com