Single Sign-On (SSO)

Beta

If you encounter issues please contact your CS rep.
User experience is subject to change.

Supported Identity Providers

Portal supports OpenID Connect (OIDC) compatible identity providers (IdP). This includes but is not limited to: Okta, Keycloak, Ping, Google, and Azure AD. Any IdP that is OIDC compliant should be compatible.

Once SSO is enabled, users have two ways to login. They can login at the Portal by selecting "Continue with Private SSO" or they can can login via their IdP's application dashboard (Okta User Home, PingOne Application Portal, Microsoft My Applications, etc.).

General RequirementsUS Portal SpecificsEU Portal Specifics

• OpenID Compatible Identity Provider
• Scopes: oidc (default), email, profile
• Grant Type: Authorization Code
• Authorization Type: POST

Field	Value
Sign-in redirect URIs	https://portal.horizon3ai.com https://auth.horizon3ai.com/oauth2/idpresponse

Field	Value
Sign-in redirect URIs	https://portal.horizon3ai.eu https://auth.horizon3ai.eu/oauth2/idpresponse

Enable Single Sign-On

The following sections provide the steps for setting up the SSO Provider for a Company Account. Note that some sections need to be followed by the Portal Org Admin and others by the Identity Team Admin.

Build IdP App

Identity Team Admin Persona

Check out our Identity Provider Guides section for some helpful direction on how to build and configure your app.

For IdPs not covered in our guides, we'll need the below outputs at a minimum. Once the app is built, provide the Portal Org Admin who will be creating the SSO Provider in Portal with the following information:

Generic OpenID ProviderOktaAzure

• Client ID
• Secret ID
• Issuer URL - Your IdP documentation should point you to the correct path. Typically https://<yourIdPdomain>/<tenantID>/.well-known/openid-configuration.

• Client ID
• Secret ID
• Issuer URL (https://your_company_domain.okta.com/.well-known/openid-configuration)

• Client ID
• Secret ID
• Issuer URL (https://login.microsoftonline.com/<uuid>/v2.0/.well-known/openid-configuration)

Create SSO Provider in Portal

Portal Org Admin Persona

Navigate to the User Management page. To access the User Management menu, navigate to Settings by clicking the user profile button in the top right of Portal.

Then click User Management.

Click the Add Provider button.

Populate the Add Provider form with the details provided by your Identity Team Admin from the Build IdP App section.

An Initiator URL value will be provided in Portal when the SSO Provider has finished updating. Test your SSO configuration and then provide this value to your Identity Team Admin.

Note

It can take 30 - 60 seconds for the SSO Provider to return the Initiator URL.

Test SSO Configuration

Portal Org Admin Persona

The Test SSO button allows Org Admins to test the SSO configuration prior to sending the Initiator URL value to their Identity Team Admin.

Configure Portal Access via IdP App

Identity Team Admin Persona

Add the Initiator URL value as the Initiate Login URI to your IdP app to allow your users to access Portal via your IdP application.

Edit/Delete SSO Provider

The SSO Provider can be deleted by clicking the vertical ellipsis in the Single Sign-On section