Single sign-on

Overview

Single Sign-On (SSO) is a mechanism by which you delegate login to an identity provider (IdP). The identity provider decides what security checks to perform, for example requiring two-factor authentication. Another benefit is that employees can use the same password for many services.

For Microsoft Entra ID and Google Workspace we have ready-made integrations, but any identity provider supporting the OpenID-Connect protocol (OIDC) is supported.

To avoid interrupting the login flows for regular employees, you can temporarily use soft mode to verify that SSO works as expected. See the enforcement level below.

Activate a ready-made integration

  • Go to Settings -> Single sign-on.

  • Press the Create button.

  • Choose your identity provider.

  • Click the Begin external steps link, which will guide you through the setup.

  • Choose the enforcement level.

  • If you are using Microsoft Entra ID you must enter your tenant ID.

  • If you are using Google Workspace, your domain must also be verified. Ask us for help.

To activate single sign-on, you need to be an Admin in Skovik and have the required permissions in your IdP, for example Global Admin or Application Administrator in Microsoft Entra ID, or Administrator in Google Workspace.

Manual setup

For IdPs where we don't have a ready-made integration, you can still set up OIDC manually, which should take little more than half an hour.

The following values are configured in Skovik for a manual setup:

  • issuer

  • token_endpoint

  • authentication_endpoint

  • client_id

  • client_secret (must be protected, treat it like a password)

The following redirect URIs must be whitelisted by the IdP:

  1. https://skovik.com/dz/login/oidc

  2. https://skovik.com/dz/login/oidc/native

Advanced topics

This section contains advanced details; the basics above are sufficient for most integrations.

Information for certain advanced cases:

  • We use the Authorization Code Flow (response_type=code).

  • The user’s email is provided as login_hint with the initial request, unless login hints are disabled.

  • The scopes openid and email are requested.

The email claim must match a known employee in the Skovik system (or an alternative claim key can be specified). Most authentication providers include the email claim by default.
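
A pre-flight check for a manual setup, added here as an example (not Skovik's code): it checks an IdP's OIDC discovery metadata against the requirements listed above and builds the authorization request in the shape described. The IdP `idp.example.com`, the client ID, the `state` value and the function names are assumptions, and the discovery field `authorization_endpoint` is assumed to be the value this page calls `authentication_endpoint`.

```python
from urllib.parse import urlencode, urlsplit

# From the page: redirect URIs to allow at the IdP, and the requested scopes.
REDIRECT_URIS = ("https://skovik.com/dz/login/oidc",
                 "https://skovik.com/dz/login/oidc/native")
SCOPES = ("openid", "email")

def check_idp(meta, allowed_redirects, claim_key="email"):
    """Return a list of problems; an empty list means the setup looks compatible."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if urlsplit(meta.get(key, "")).scheme != "https":
            problems.append(f"{key}: missing or not https")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response_types_supported: 'code' not offered")
    # scopes_supported and claims_supported are optional in discovery metadata,
    # so only flag them when the IdP publishes a list that lacks what is needed.
    missing = [s for s in SCOPES if s not in meta.get("scopes_supported", SCOPES)]
    if missing:
        problems.append(f"scopes_supported: missing {missing}")
    if claim_key not in meta.get("claims_supported", [claim_key]):
        problems.append(f"claims_supported: '{claim_key}' not offered")
    for uri in REDIRECT_URIS:
        if uri not in allowed_redirects:  # OIDC compares redirect URIs exactly
            problems.append(f"redirect URI not allowed: {uri}")
    return problems

def authorization_url(meta, client_id, redirect_uri, state, login_hint=None):
    """Build the authorization request in the shape the page describes."""
    params = {"response_type": "code", "scope": " ".join(SCOPES),
              "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state}  # state: standard OAuth 2.0 parameter, assumed here
    if login_hint:  # left out when login hints are disabled
        params["login_hint"] = login_hint
    return meta["authorization_endpoint"] + "?" + urlencode(params)

# Constructed sample metadata for a hypothetical IdP (idp.example.com).
SAMPLE_META = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile"],  # 'email' deliberately missing
}

if __name__ == "__main__":
    print(check_idp(SAMPLE_META, allowed_redirects=[REDIRECT_URIS[0]]))
    print(authorization_url(SAMPLE_META, "placeholder-client-id", REDIRECT_URIS[0],
                            "constructed-state", "anna@example.com"))
```

With the sample metadata the check reports the missing `email` scope and the second redirect URI that was not registered, the two gaps that would otherwise surface only as failed logins.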

Protocol details

Last updated 16 days ago

For more information about the OpenID-Connect protocol, visit the OpenID Foundation.