
Single Sign-On (SSO)

This page walks you through identifying and integrating supported identity providers with NodeZero.

Supported Identity Providers

The NodeZero Portal supports OpenID Connect (OIDC)–compatible identity providers (IdP). This includes, but is not limited to: Okta, Keycloak, Ping, Google, and Azure AD. Any IdP that is OIDC-compliant should be compatible.

Once SSO is enabled, users have two ways to log in. They can log in at the Portal by selecting "Continue with Private SSO", or they can log in via their IdP's application dashboard (Okta User Home, PingOne Application Portal, Microsoft My Applications, etc.).

  • OIDC-compatible identity provider
  • Scopes: oidc (default), email, profile
  • Grant type: authorization code
  • Authorization type: POST

Field                  Value
Sign-in redirect URIs  https://portal.horizon3ai.com
                       https://auth.horizon3ai.com/oauth2/idpresponse

Field                  Value
Sign-in redirect URIs  https://portal.horizon3ai.eu
                       https://auth.horizon3ai.eu/oauth2/idpresponse

Enable Single Sign-On

The following sections provide the steps for setting up the SSO Provider for a Company Account. Note that some sections need to be followed by the NodeZero Portal's Org Admin, and others by the Identity Team Admin.

Build IdP App

To be completed by someone with permissions for Identity Team Admin

Check out our Identity Provider Guides section for some helpful direction on how to build and configure your app.

For IdPs not covered in our guides, we need the outputs below at a minimum. Once the app is built, provide the following information to the Portal Org Admin, who will create the SSO Provider in the NodeZero Portal:

OIDC Discovery

When configuring the Issuer URL, do not include /.well-known/openid-configuration. This will be added automatically to your issuer for discovery.

  • Client ID
  • Client Secret
  • Issuer URL - Your IdP documentation should point you to the correct path. Typically https://<yourIdPdomain>/<tenantID>.

  • Client ID
  • Client Secret
  • Issuer URL (https://your_company_domain.okta.com)

  • Client ID
  • Client Secret
  • Issuer URL (https://login.microsoftonline.com/<uuid>/v2.0).
    • Make sure to replace <uuid> with the UUID of the Azure app you created
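
An added example (not Horizon3.ai code): a pre-flight check an Identity Team Admin could run on the Issuer URL and the IdP's discovery document before handing the values to the Org Admin. The sample issuer and metadata are constructed; reading "Authorization type: POST" as client_secret_post and the "oidc" scope as the standard "openid" scope are assumptions.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(issuer):
    """Build the discovery URL from the bare issuer, rejecting common entry mistakes."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query string or fragment")
    if parts.path.rstrip("/").endswith(WELL_KNOWN):
        raise ValueError("enter the bare issuer; the discovery suffix is appended for you")
    return issuer.rstrip("/") + WELL_KNOWN

def check_metadata(issuer, meta):
    """Return a list of problems in a discovery document (empty list means it passes)."""
    problems = []
    # OIDC Discovery requires the advertised issuer to match the configured one exactly.
    if meta.get("issuer") != issuer:
        problems.append("issuer mismatch")
    # Fallbacks are the defaults OIDC Discovery defines when a field is omitted.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    # Assumption: the page's "Authorization type: POST" means client_secret_post.
    auth = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in auth:
        problems.append("client_secret_post not advertised")
    # Assumption: the page's "oidc" scope is the standard "openid" scope.
    scopes = meta.get("scopes_supported")  # optional field; skip the check if absent
    for scope in ("openid", "email", "profile"):
        if scopes is not None and scope not in scopes:
            problems.append("scope not advertised: " + scope)
    return problems

# Constructed sample values, not taken from any real tenant.
SAMPLE_ISSUER = "https://idp.example.com/tenant-a"
SAMPLE_META = {
    "issuer": "https://idp.example.com/tenant-a",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(check_metadata(SAMPLE_ISSUER, SAMPLE_META) or "metadata OK")
```

A trailing slash on the issuer is a frequent cause of the "issuer mismatch" result, because the comparison is an exact string match.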

Create SSO Provider in Portal

To be completed by someone with permissions for Portal Org Admin

Navigate to the User Management page. To access the User Management menu, navigate to Settings by clicking the user profile button at the top right of the NodeZero Portal.

Then click User Management.

Click the Add Provider button.

Single Sign-On section - Add Provider button

Populate the Add Provider form with the details provided by your Identity Team Admin from the Build IdP App section.

Add Provider form - client ID, Client Secret, and Issuer URL fields

An Initiator URL value will be provided in the NodeZero Portal when the SSO Provider has finished updating. Test your SSO configuration and then provide this value to your Identity Team Admin.

Latency

It can take 30–60 seconds for the SSO Provider to return the Initiator URL.

The completed SSO Provider section includes an Initiator URL.

Test SSO Configuration

To be completed by someone with permissions for Portal Org Admin

The Test SSO button allows Org Admins to test the SSO configuration prior to sending the Initiator URL value to their Identity Team Admin.

The completed SSO Provider section includes a Test SSO button.

Configure Portal Access via IdP App

To be completed by someone with permissions for Identity Team Admin

Add the Initiator URL value as the Initiate Login URI to your IdP app to allow your users to access the NodeZero Portal via your IdP application.

Edit/Delete SSO Provider

You can delete an SSO Provider by clicking the Actions (ellipsis) menu in the Single Sign-On section.

Ellipsis icon is next to the Test SSO button.