How to Implement Single Sign-on (SSO) for Sphere XG
Single Sign-on (SSO) connects Sphere XG to your company's identity system, creating a seamless authentication experience while enhancing security. This integration enables consistent access controls, simplified user management, and an improved login experience for Sphere XG customers. Implementation typically takes one to two weeks with support from our Customer Success team.
Security Benefits
Beyond simplifying the login process, SSO provides significant security advantages for your organization. When you implement SSO, you can enforce your existing security policies consistently across Sphere XG. This means that security measures like multi-factor authentication (MFA), password complexity requirements, and session timeout policies that you have configured in your identity provider automatically apply to Sphere XG access as well.
Your security team maintains centralized control over user access, enabling immediate deprovisioning when employees leave the organization. Additionally, SSO reduces your attack surface by eliminating separate passwords for Sphere XG, which helps protect against phishing attacks and password-related vulnerabilities.
Eligibility and Requirements
SSO is available for Sphere XG Enterprise subscription customers. To implement SSO, you need an active Enterprise subscription, an identity provider that supports OAuth 2.0/OpenID Connect or SAML 2.0, and administrative access to your identity system.
SSO Options
Sphere XG offers two SSO configurations to match different organizational needs and collaboration patterns.
Both SSO options require users to be invited to workspaces before they can log in. See Invite Users and Teams to a Workspace for details.
Workspace SSO
Workspace SSO enforces authentication through your identity provider for all members of a specific workspace. This option is ideal for organizations with strict security requirements or those operating in regulated industries.
Key characteristics:
- All workspace members must authenticate through your identity provider.
- External collaborators need accounts in your identity system.
- Provides maximum security control over workspace access.
- Supports view-only sharing via project links when login is not required.
Domain SSO
Domain SSO enforces authentication through your identity provider for users with your company's email domain while maintaining flexibility for external collaborators. This approach works well for organizations that frequently collaborate with external partners.
Key characteristics:
- Users with your company domain authenticate through your identity provider.
- External collaborators can use alternative authentication methods.
- Existing domain users automatically migrate to SSO.
- Balances security with collaboration flexibility.
Technical Compatibility
Sphere XG supports both OAuth 2.0/OpenID Connect and SAML 2.0 protocols for both SSO options. We have validated integration with:
- Microsoft Azure Active Directory/Entra ID
- Okta
- Google
- Auth0
- OneLogin
- Most SAML 2.0 or OAuth 2.0/OIDC compliant identity providers
This broad compatibility ensures that Sphere XG can integrate with your existing identity infrastructure regardless of your chosen provider.
User Experience
When SSO is activated, the login experience changes to provide seamless integration with your identity system. Users with your email domain will be automatically directed to your identity provider for authentication when they attempt to log in to Sphere XG.
New users will need workspace invitations before accessing Sphere XG, because automatic provisioning is currently not supported. The system maintains all existing permissions and project history for users migrating to SSO authentication, ensuring no disruption to ongoing work.
Support
To implement SSO or get assistance with configuration and troubleshooting, contact your Customer Success Manager or email customersuccess@holobuilder.com.