Single Sign-On (SSO)

As an alternative to the standard email / password login, the eProtein Discovery™ cloud-enabled system supports integration with external identity providers (IDPs) for single sign-on (SSO). To start using SSO, an identity provider (IDP) needs to be configured by the platform’s Administrator. Supported types of identity providers:

  • Google Workspace
  • Microsoft Entra ID
  • OpenID Connect v1.0

When an identity provider is configured and enabled, it appears on the login screen as a sign-in option. The configured identity provider must include the user's email, first name, and last name to be used for authentication.

Configuring Organisation Identity Provider (IDP) - Administrator

Access to IDP configuration is available to platform Administrators in the “Settings” menu. To add a new IDP integration, click the “New identity provider” button. The configuration parameters will vary depending on the type of IDP.

Configuring Google IDP - Administrator

As a prerequisite, your organisation's IT department must set up OAuth client integration in the Google Workspace and provide the eProtein Discovery™ platform Administrator with the “Client ID” and “Client Secret”.

  1. Enter a display name in the "Name" field. This name will appear on the corresponding button on the login screen.
  2. Select type “Google”.
  3. Enter the “Client ID” and “Client Secret”.
  4. Enable the IDP if you want it to be immediately available for login (can be enabled later).
  5. Copy the “Redirect URL” and send it to your IT department to configure it as a valid redirect URL in your organisation's Google Workspace.
  6. Click “Confirm”.

Configuring Microsoft IDP - Administrator

As a prerequisite, your organisation's IT department must set up OAuth client integration in the Microsoft Entra ID workspace and provide the eProtein Discovery™ platform Administrator with the “Client ID”, “Client Secret”, and “Microsoft Tenant ID”. The Microsoft Tenant ID must be specified, as the eProtein Discovery™ platform does not support multi-tenant access for Microsoft accounts.

  1. Enter a display name in the "Name" field. This name will appear on the corresponding button on the login screen.
  2. Select type “Microsoft”.
  3. Enter the “Client ID”, “Client Secret”, and “Microsoft Tenant ID”.
  4. Enable the IDP if you want it to be immediately available for login (can be enabled later).
  5. Copy the “Redirect URL” and send it to your IT department to configure it as a valid redirect URL in your organisation's Microsoft Entra ID.
  6. Click “Confirm”.

Configuring OpenID Connect v1.0 IDP - Administrator

As a prerequisite, your organisation's IT department must confirm that your identity provider supports the OpenID Connect v1.0 protocol. "Client ID," "Client Secret," and "Discovery URL" need to be provided to the eProtein Discovery™ platform Administrator. Additionally, your organisation’s IT department should inform the Administrator if Proof Key for Code Exchange (PKCE) should be enabled for added security.

  1. Enter a display name in the "Name" field. This name will appear on the corresponding button on the login screen.
  2. Select type “OpenID Connect v1.0”.
  3. Enter the “Client ID”, “Client Secret”, and “Discovery URL”.
  4. Enable the IDP if you want it to be immediately available for login (can be enabled later).
  5. Enable / disable PKCE as recommended by the IT department.
  6. Copy the “Redirect URL” and send it to your IT department to configure it as a valid redirect URL in your organisation's Google Workspace.
  7. Inform your IT department that the “Logout Endpoint URL” must be configured to “Redirect URL” + “/logout_response”. For example, if “Redirect URL” is https://auth.eu.nuclera.app/realms/organisation/broker/idp.xxx/endpoint, then the “Logout Endpoint URL” must be https://auth.eu.nuclera.app/realms/organisation/broker/idp.xxx/endpoint/logout_response.
  8. Click “Confirm”.
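
A pre-flight check that an IT department could run on the IDP's discovery document before handing the values over, shown as an added example (not Nuclera's code). The sample document, the idp.example.org host, the function names and the mapping of email, first name and last name to the standard OIDC claims email, given_name and family_name are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document for a hypothetical IDP (not a real provider).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.org",
  "authorization_endpoint": "https://idp.example.org/authorize",
  "token_endpoint": "https://idp.example.org/token",
  "jwks_uri": "https://idp.example.org/jwks",
  "code_challenge_methods_supported": ["plain", "S256"],
  "claims_supported": ["sub", "email", "given_name", "family_name"]
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# Assumption: email, first name and last name map to these standard OIDC claims.
REQUIRED_CLAIMS = ("email", "given_name", "family_name")
WELL_KNOWN = "/.well-known/openid-configuration"


def logout_endpoint_url(redirect_url):
    """Build the Logout Endpoint URL: Redirect URL + "/logout_response"."""
    return redirect_url + "/logout_response"


def preflight(discovery_url, doc, redirect_url):
    """Return (findings, settings) for the IT department to review."""
    findings = []
    if urlsplit(discovery_url).scheme != "https":
        findings.append("Discovery URL is not HTTPS")
    # OIDC Discovery: the document's issuer must be the prefix of its own URL.
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != discovery_url:
        findings.append("issuer does not match Discovery URL")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(doc.get(key, "")).scheme != "https":
            findings.append(key + " missing or not HTTPS")
    # claims_supported is optional metadata; a miss means "verify with the IDP".
    missing = [c for c in REQUIRED_CLAIMS if c not in doc.get("claims_supported", [])]
    if missing:
        findings.append("claims not advertised: " + ", ".join(missing))
    settings = {
        # Recommend PKCE only when the IDP advertises the S256 challenge method.
        "enable_pkce": "S256" in doc.get("code_challenge_methods_supported", []),
        "redirect_url": redirect_url,
        "logout_endpoint_url": logout_endpoint_url(redirect_url),
    }
    return findings, settings
```

An empty findings list means the document is consistent with the values to be entered in steps 3, 5 and 7; any finding should be resolved with the IDP owner before the IDP is enabled.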

Inviting User Using SSO - Administrator

When using SSO, the user must also be invited by an Administrator. Without an invitation, the user will not be able to get access to the platform, even if a previously configured IDP can authenticate this user successfully. When inviting a user, the Administrator can check the “Invite using SSO” box. The user will be added to the eProtein Discovery™ platform, and a link to the platform’s login page will be sent to the user in an email. Users will not be prompted to create a password, so the email and password login will not be available for this user.

Using Single Sign-On - Any user

If the corporate identity provider has been set up by an Administrator, the user can start using it by clicking a button on the login screen. If a user has already been invited and previously used an email and password to log in, this type of login will continue to work. In this case it is also possible to switch to using the SSO login method only. To do this, “SSO only access” can be enabled in the “Edit Profile” menu. To enable “SSO only access”, the user’s existing sessions must be authenticated using SSO. If SSO is used, first name and last name cannot be changed in the “Edit Profile” menu, as they are obtained directly from the configured organisation identity provider. To bring back email and password authentication, “SSO only access” can be disabled. In this case an email with a link to set up a new password will be sent to the user. Until “SSO only access” is switched off, “Reset Password” will not be available for non-Administrators.

Frequently Asked Questions (FAQ)

General

  1. I want to migrate users of my organisation to use single sign-on (SSO) instead of email and password.
  • As an Administrator, you must configure an identity provider and ensure that it is working correctly. After that, each user can enable “SSO only access” in the “Edit Profile” menu.
  2. I want to migrate users of my organisation to use email and password instead of single sign-on (SSO).
  • As an Administrator, go to the "Manage Users" menu and request a password reset for all users in your organisation who have "SSO only access". This will allow them to set a new password. For these users "SSO only access" will be disabled.
  3. In my organisation, SSO is used. I need to invite external collaborators who cannot be authenticated by our identity provider.
  • External users can be invited to authenticate using an email and password. The Administrator must ensure that "Invite using SSO" is unchecked when sending the invitation.
  4. I’m getting “409 Registration incomplete” when using SSO.
  • This error can occur if your organisation’s identity provider does not contain your user’s email, first name, and last name. Make sure that you have this information specified in your identity provider. If this does not help, contact the Nuclera Technical Support team.

Technical issues (software / hardware)

  1. The user forgot the password.
  • Users can reset their password from the login screen by clicking the "Forgot your password?" button. However, if a user has enabled "SSO only access" or was invited via SSO, the password cannot be reset. Administrators can request a password reset from the "Manage Users" menu, which is accessible to platform Administrators.
  2. The Administrator enabled "SSO only access" but lost access to the eProtein Discovery™ cloud-enabled platform due to a misconfigured SSO identity provider.





Nuclera Technical Support:
UK Phone: +44 1223 942 761
US Phone: +1 508-306-1297
Email: techsupport@nuclera.com

Offices:
Nuclera UK (HQ):
One Vision Park, Station Road, Cambridge, CB24 9NP, UK


Nuclera USA:
1000 Technology Park Drive, Suite B, Billerica MA 01821, USA

www.nuclera.com


Copyright © 2025 Nuclera Ltd. All trademarks are the property of Nuclera, Ltd. Visit nuclera.com/legal for more info.