Single Sign-On (SSO)

Supported Identity Providers

Portal supports OpenID Connect (OIDC) compatible identity providers (IdP). This includes but is not limited to: Okta, Keycloak, Ping, Google, and Azure AD. Any IdP that is OIDC compliant should be compatible.

Once SSO is enabled, users have two ways to log in. They can log in at the Portal by selecting "Continue with Private SSO" or they can log in via their IdP's application dashboard (Okta User Home, PingOne Application Portal, Microsoft My Applications, etc.).

  • OpenID Compatible Identity Provider
  • Scopes: oidc (default), email, profile
  • Grant Type: Authorization Code
  • Authorization Type: POST

For portal.horizon3ai.com:

Field                   Value
Sign-in redirect URIs   https://portal.horizon3ai.com
                        https://auth.horizon3ai.com/oauth2/idpresponse

For portal.horizon3ai.eu:

Field                   Value
Sign-in redirect URIs   https://portal.horizon3ai.eu
                        https://auth.horizon3ai.eu/oauth2/idpresponse

Enable Single Sign-On

The following sections provide the steps for setting up the SSO Provider for a Company Account. Note that some sections need to be followed by the Portal Org Admin and others by the Identity Team Admin.

Build IdP App

To be completed by someone with permissions for Identity Team Admin

Check out our Identity Provider Guides section for some helpful direction on how to build and configure your app.

For IdPs not covered in our guides, we'll need the below outputs at a minimum. Once the app is built, provide the Portal Org Admin who will be creating the SSO Provider in Portal with the following information:

  • Client ID
  • Secret ID
  • Issuer URL - Your IdP documentation should point you to the correct path. Typically https://<yourIdPdomain>/<tenantID>/.well-known/openid-configuration.
      Okta: https://your_company_domain.okta.com/.well-known/openid-configuration
      Azure AD: https://login.microsoftonline.com/<uuid>/v2.0/.well-known/openid-configuration
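
Before handing these values to the Portal Org Admin, the discovery document behind the Issuer URL can be checked against the requirements listed above. The following is an added example, not Horizon3 or Portal code; it assumes the default "oidc" scope means the standard "openid" scope, and the idp.example.com document is constructed sample input.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Assumption: the "oidc" default scope above is the standard OIDC "openid" scope.
REQUIRED_SCOPES = {"openid", "email", "profile"}

def check_discovery(config_url, doc):
    """Return a list of problems; an empty list means every check passed."""
    if urlsplit(config_url).scheme != "https" or not config_url.endswith(SUFFIX):
        return ["Issuer URL must be https and end with " + SUFFIX]
    problems = []
    # OIDC Discovery: "issuer" must equal the URL the document was served from,
    # minus the well-known suffix; a conforming client rejects a mismatch.
    expected = config_url[: -len(SUFFIX)]
    if doc.get("issuer") != expected:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(str(doc.get(key) or "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    # Grant Type: Authorization Code
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' is not offered")
    # Optional field; the spec default when omitted includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant type 'authorization_code' is not offered")
    scopes = doc.get("scopes_supported")  # optional, so only checked if present
    if scopes is not None and REQUIRED_SCOPES - set(scopes):
        missing = sorted(REQUIRED_SCOPES - set(scopes))
        problems.append("scopes not advertised: " + ", ".join(missing))
    return problems

# Constructed sample input (hypothetical IdP at idp.example.com, not a real tenant).
URL = "https://idp.example.com/tenant-1" + SUFFIX
GOOD = json.loads("""{
  "issuer": "https://idp.example.com/tenant-1",
  "authorization_endpoint": "https://idp.example.com/tenant-1/authorize",
  "token_endpoint": "https://idp.example.com/tenant-1/token",
  "jwks_uri": "https://idp.example.com/tenant-1/keys",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "email", "profile", "offline_access"]
}""")
# Misconfigured variant: trailing slash on issuer, no code flow, no email scope.
BAD = dict(GOOD, issuer="https://idp.example.com/tenant-1/",
           response_types_supported=["id_token"], scopes_supported=["openid", "profile"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

To check a real IdP, fetch the JSON from your Issuer URL with any HTTP client and pass the parsed document to check_discovery together with that URL.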

Create SSO Provider in Portal

To be completed by someone with permissions for Portal Org Admin

Navigate to the User Management page. To access the User Management menu, navigate to Settings by clicking the user profile button in the top right of Portal.

Then click User Management.

Click the Add Provider button.

Populate the Add Provider form with the details provided by your Identity Team Admin from the Build IdP App section.

An Initiator URL value will be provided in Portal when the SSO Provider has finished updating. Test your SSO configuration and then provide this value to your Identity Team Admin.

Note: It can take 30 - 60 seconds for the SSO Provider to return the Initiator URL.

Test SSO Configuration

To be completed by someone with permissions for Portal Org Admin

The Test SSO button allows Org Admins to test the SSO configuration prior to sending the Initiator URL value to their Identity Team Admin.

Configure Portal Access via IdP App

To be completed by someone with permissions for Identity Team Admin

Add the Initiator URL value as the Initiate Login URI to your IdP app to allow your users to access Portal via your IdP application.

Edit/Delete SSO Provider

The SSO Provider can be deleted by clicking the vertical ellipsis in the Single Sign-On section.