Single Sign-On (SSO)
Supported Identity Providers
Portal supports OpenID Connect (OIDC) compatible identity providers (IdP). This includes but is not limited to: Okta, Keycloak, Ping, Google, and Azure AD. Any IdP that is OIDC compliant should be compatible.
Once SSO is enabled, users have two ways to log in. They can log in at the Portal by selecting "Continue with Private SSO" or they can log in via their IdP's application dashboard (Okta User Home, PingOne Application Portal, Microsoft My Applications, etc.).
- OpenID Compatible Identity Provider
- Scopes: oidc (default), email, profile
- Grant Type: Authorization Code
- Authorization Type: POST
Field | Value |
---|---|
Sign-in redirect URIs | https://portal.horizon3ai.com https://auth.horizon3ai.com/oauth2/idpresponse |
Field | Value |
---|---|
Sign-in redirect URIs | https://portal.horizon3ai.eu https://auth.horizon3ai.eu/oauth2/idpresponse |
Enable Single Sign-On
The following sections provide the steps for setting up the SSO Provider for a Company Account. Note that some sections need to be followed by the Portal Org Admin and others by the Identity Team Admin.
Build IdP App
To be completed by someone with permissions for Identity Team Admin
Check out our Identity Provider Guides section for some helpful direction on how to build and configure your app.
For IdPs not covered in our guides, we'll need the below outputs at a minimum. Once the app is built, provide the Portal Org Admin who will be creating the SSO Provider in Portal with the following information:
- Client ID
- Secret ID
- Issuer URL - Your IdP documentation should point you to the correct path. Typically https://<yourIdPdomain>/<tenantID>/.well-known/openid-configuration.
- Client ID
- Secret ID
- Issuer URL (https://your_company_domain.okta.com/.well-known/openid-configuration)
- Client ID
- Secret ID
- Issuer URL (https://login.microsoftonline.com/<uuid>/v2.0/.well-known/openid-configuration)
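Before handing the Issuer URL to the Portal Org Admin, the Identity Team Admin can sanity-check the discovery document it points to. The following is an added example, not Horizon3 code: the `idp.example.com` document is constructed, `check_discovery` is a hypothetical helper, and the checks use standard OIDC Discovery metadata fields to confirm the Authorization Code grant and the email and profile scopes listed in the requirements above.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document (not from a real tenant).
SAMPLE_URL = "https://idp.example.com/tenant-1234/.well-known/openid-configuration"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com/tenant-1234",
  "authorization_endpoint": "https://idp.example.com/tenant-1234/authorize",
  "token_endpoint": "https://idp.example.com/tenant-1234/token",
  "userinfo_endpoint": "https://idp.example.com/tenant-1234/userinfo",
  "jwks_uri": "https://idp.example.com/tenant-1234/keys",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "email", "profile"]
}""")


def check_discovery(discovery_url, doc, wanted_scopes=("email", "profile")):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if not discovery_url.endswith(WELL_KNOWN):
        return [f"URL does not end with {WELL_KNOWN}"]
    # OIDC Discovery: issuer + well-known suffix must equal the URL fetched.
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if not value.startswith("https://"):
            problems.append(f"{key} missing or not https: {value!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # grant_types_supported is optional; the spec default includes authorization_code.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    # scopes_supported is optional; only flag when present and incomplete.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        missing = [s for s in wanted_scopes if s not in scopes]
        if missing:
            problems.append(f"scopes not advertised: {missing}")
    return problems


if __name__ == "__main__":
    for line in check_discovery(SAMPLE_URL, SAMPLE_DOC) or ["OK"]:
        print(line)
```

An issuer mismatch is the check that matters most: a discovery document whose `issuer` does not correspond to the URL it was served from should not be configured as a provider.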
Create SSO Provider in Portal
To be completed by someone with permissions for Portal Org Admin
Navigate to the User Management page. To access the User Management menu, navigate to Settings by clicking the user profile button in the top right of Portal. Then click User Management.
Click the Add Provider button.
Populate the Add Provider form with the details provided by your Identity Team Admin from the Build IdP App section.
An Initiator URL value will be provided in Portal when the SSO Provider has finished updating. Test your SSO configuration and then provide this value to your Identity Team Admin.
Note
It can take 30 - 60 seconds for the SSO Provider to return the Initiator URL.
Test SSO Configuration
To be completed by someone with permissions for Portal Org Admin
The Test SSO button allows Org Admins to test the SSO configuration prior to sending the Initiator URL value to their Identity Team Admin.
Configure Portal Access via IdP App
To be completed by someone with permissions for Identity Team Admin
Add the Initiator URL value as the Initiate Login URI to your IdP app to allow your users to access Portal via your IdP application.
Edit/Delete SSO Provider
The SSO Provider can be deleted by clicking the vertical ellipsis in the Single Sign-On section