Company SSO
Evercam Dashboard supports the OpenID Connect (OIDC) standard for SSO.
SAML (Security Assertion Markup Language) is not supported.
SCIM (System for Cross-domain Identity Management) for user and role provisioning is not supported.
User account provisioning is done individually when a user logs in to the dashboard with a company SSO.
An invite to a camera or a project is required to create an account.
When company SSO is not enabled, users can log in/sign up with an email and password or one of the public SSOs available (Google and Microsoft).
Upon an Enterprise customer's request, Evercam enables a custom SSO for the customer's domains, i.e., password login and public SSOs will be blocked for all users @company-domains and the company SSO will be mandatory. In this case, after a user signs up, they should be automatically added to the group (Company) based on their email.
So all users with an @xxx.com email address should be included in the XXX group, and they can then use the XXX SSO.
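
The domain rule above, as an added example (not Evercam's code): a sketch of choosing the login methods offered to an email address and of checking the email returned by a company SSO against its registered domains. `CompanySSO`, `REGISTRY` and the function names are hypothetical, `xxx.com` is the page's placeholder domain, and exact domain matching is an assumption.

```python
from dataclasses import dataclass

PUBLIC_METHODS = ("password", "google", "microsoft")

@dataclass(frozen=True)
class CompanySSO:
    sso_id: str          # the SSO ID chosen when the app was registered
    domains: frozenset   # company domains linked to this SSO

# Constructed sample registry (placeholder values, not real customers).
REGISTRY = (CompanySSO("xxx", frozenset({"xxx.com"})),)

def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address, or raise ValueError."""
    addr = email.strip()
    local, sep, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    # Reject empty parts, embedded whitespace and a second "@": an address
    # like "a@xxx.com@other.example" must never be read as xxx.com.
    if not (sep and local and domain) or "@" in local or any(c.isspace() for c in addr):
        raise ValueError(f"not a usable email address: {email!r}")
    return domain

def find_sso(email: str, registry=REGISTRY):
    """Return the company SSO that owns this email's domain, if any."""
    domain = email_domain(email)
    for sso in registry:
        # Exact match only: a suffix or substring test would also accept
        # "notxxx.com" or "xxx.com.other.example".
        if domain in sso.domains:
            return sso
    return None

def allowed_login_methods(email: str, registry=REGISTRY):
    """Company domains get the company SSO only; everyone else keeps the public methods."""
    sso = find_sso(email, registry)
    return (f"sso:{sso.sso_id}",) if sso else PUBLIC_METHODS

def accept_sso_identity(sso: CompanySSO, claimed_email: str) -> bool:
    """After the OIDC callback, accept only emails inside the SSO's own domains."""
    try:
        return email_domain(claimed_email) in sso.domains
    except ValueError:
        return False
```

The second check matters when the identity provider app accepts accounts from outside the organization, as the default "Supported Account types" setting in the table below does.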

✔️ Steps to add a new company SSO in the Evercam Dashboard
1. Create/register an OIDC application in your Identity provider with the following configuration:
Parameter | Value | Notes |
Name | Evercam | Ideally, this is an internal app name in your IDP directory |
Supported Account types | Default: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) | App can be restricted to internal accounts within an organization directory. |
Redirect_uris (web) | | {id} should be the company name or domain, ideally one word or a company name in kebab-case. E.g.: evercam, evercam-uk, or evercam-engineering… |
Authentication | Client id and Client secret | Client secret will be sent via POST |
API permissions (scopes) | | Evercam app will only need to know the user's email, first name and last name. |
Token configuration | In AAD Optional claims, please add the family_name and given_name claims | Evercam signup with SSO requires first name and last name |
Response type | code | Also known as the OAuth2/OIDC authorization code flow |
2. Once the app is created in the customer's IDP, it should be registered in the Evercam App to exchange secrets/certificates (this feature will be available soon for Company Admins; meanwhile, the Evercam Support or Customer Support team can help set it up).
❗Required information
SSO ID used when registering the app (the one populated in redirect_uris)
client_id and client_secret
Authorization URL: e.g. https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token URL: e.g. https://login.microsoftonline.com/common/oauth2/v2.0/token
Logo: official logo URL or file (optional, can be empty)
List of company domains: the SSO will be linked to all users whose email address is at one of these domains. At least one domain is required.