Akuity Platform SSO
The Akuity Platform supports the following Single Sign-On (SSO) providers:
- Microsoft (Azure AD)
- Google Workspace
- Okta
- OpenID Connect
- SAML
Akuity Platform SSO is available on Enterprise plans only. Please contact our Sales Team to access the feature.
Note that this feature only applies to the Akuity Platform, and is separate from SSO for Argo CD. Argo CD SSO is available in all Professional and Enterprise plans.
Configuring SSO
The `owner` role on the Organization is required to configure SSO.
To configure SSO for an Organization on the Akuity Platform:
- Go to Organization > SSO.
- Click Add Configuration.
- Select the provider type and follow the matching section below:
  - Microsoft (Azure AD)
  - Google Workspace
  - Okta
  - OpenID Connect
  - SAML
Microsoft (Azure AD)
- Register an application with the Microsoft identity platform with the following settings:
  - Set Redirect URI to `https://auth.akuity.io/login/callback`
- Add the following Delegated Permissions to the registered application:
  - Users > User.Read
  - Directory > Directory.Read.All
- Populate the configuration details inside the form:
  - Client ID: Application (client) ID
  - Client Secret: Client Secret
  - Azure AD Domain: Your Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
Google Workspace
- Register an application with Google Workspace with the following settings:
  - Set Authorized JavaScript origins to `https://auth.akuity.io`
  - Set Redirect URI to `https://auth.akuity.io/login/callback`
- Populate the configuration details inside the form:
  - Client ID: Application (client) ID
  - Client Secret: Client Secret
  - Google Workspace Domain: Google Workspace domain name for your organization.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
Okta
The Okta native integration does not support the groups claim. If you want to use the OIDC mapping features, connect Okta through the generic OpenID Connect or SAML option instead.
- Create an Okta OIDC Application.
  - In your Okta Admin Dashboard, select Applications > Applications, and click Create App Integration.
  - Select Create New App.
  - Choose OIDC as the Sign-in method and Web Application as the Application Type.
  - Set Sign-in redirect URIs to `https://auth.akuity.io/login/callback` and select Create.
  - Copy your Client ID and Client Secret.
  - (Optional) Configure Initiate login URI to skip the Akuity login page:
    - Set Login initiated by under General Settings to Either Okta or App.
    - Set Login flow to OIDC Compliant.
    - Set Initiate login URI to `https://akuity.cloud/api/auth/login/sso/<your-organization-id>` (the ID can be found in the Organization tab in the Akuity Dashboard).
- Populate the configuration details on the form.
  - Client ID: Okta OIDC Application Client ID
  - Client Secret: Okta OIDC Application Client Secret
  - Okta Domain: Your Okta domain.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
OpenID Connect
- Create an OIDC Application.
  - Set Allowed Callback URL to `https://auth.akuity.io/login/callback`
- Populate the configuration details on the form.
  - Client ID: OIDC Application Client ID
  - Email Domain: Your organization's domain name
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Channel: Front Channel uses `response_mode=form_post` and `response_type=id_token`; Back Channel uses `response_type=code`. With the Back Channel the code is exchanged for tokens server-to-server using the client secret, so the ID token never passes through the user's browser; prefer it when your provider supports it.
  - Discovery URL: OIDC Discovery URL used to fill in the Issuer details below.
  - Issuer details:
    - Client Secret: OIDC Application Client Secret (required for the Back Channel)
    - Issuer: URL of the Issuer Identifier.
    - Authorization Endpoint: URL of the OpenID Provider's OAuth 2.0 Authorization Endpoint.
    - Token Endpoint: URL of the OpenID Provider's OAuth 2.0 Token Endpoint (required for the Back Channel).
    - JWKS URL: URL of the OpenID Provider's JSON Web Key Set document.
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
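The Issuer details above are normally filled in from the provider's discovery document, and the connection test fails when that document is inconsistent with the channel you chose. The script below is an added example (not Akuity's code) that does the same derivation offline: it checks that the `issuer` matches the discovery URL as OIDC Discovery requires, that the endpoints are HTTPS, and that the provider advertises the response type and mode the selected channel needs. The discovery document and the URL `https://idp.example.com` are constructed samples; a real one is fetched from `<issuer>/.well-known/openid-configuration`.

```python
"""Derive the Akuity "Issuer details" fields from an OIDC discovery document.

Added example, not Akuity's code. The discovery document is a constructed
sample of what an OpenID Provider serves at its discovery URL.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample provider (idp.example.com is not a real tenant).
SAMPLE_DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
})


def issuer_details(discovery_url, discovery_json, channel, client_secret=None):
    """Return the form fields for channel "front" or "back", or raise ValueError.

    Front Channel = response_type=id_token with response_mode=form_post.
    Back Channel  = response_type=code, which also needs token_endpoint
    and the client secret.
    """
    doc = json.loads(discovery_json)
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)

    issuer = doc["issuer"]
    # OIDC Discovery 4.3: the issuer plus the well-known path must be the
    # URL the document was fetched from. A mismatch means ID tokens will
    # carry an `iss` that does not match the configured Issuer (or you are
    # pointed at the wrong tenant), so the login would be rejected.
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        raise ValueError(f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")

    for key in ("issuer", "authorization_endpoint", "jwks_uri", "token_endpoint"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} must use https")

    fields = {
        "Issuer": issuer,
        "Authorization Endpoint": doc["authorization_endpoint"],
        "JWKS URL": doc["jwks_uri"],
    }
    types = doc.get("response_types_supported", [])
    modes = doc.get("response_modes_supported", [])
    if channel == "front":
        if "id_token" not in types:
            raise ValueError("provider does not support response_type=id_token")
        if "form_post" not in modes:
            raise ValueError("provider does not support response_mode=form_post")
        fields["Channel"] = "Front Channel"
    elif channel == "back":
        if "code" not in types:
            raise ValueError("provider does not support response_type=code")
        if "token_endpoint" not in doc:
            raise ValueError("Back Channel needs a token_endpoint")
        if not client_secret:
            raise ValueError("Back Channel needs the Client Secret")
        fields["Channel"] = "Back Channel"
        fields["Token Endpoint"] = doc["token_endpoint"]
        fields["Client Secret"] = client_secret
    else:
        raise ValueError("channel must be 'front' or 'back'")
    return fields


if __name__ == "__main__":
    for ch in ("front", "back"):
        print(ch, issuer_details(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY_JSON, ch, "s3cr3t"))
```

Run it against your provider by replacing the constructed JSON with the body returned from your real discovery URL; if the issuer check fails, the value to enter as Issuer is the one the provider returns, not the hostname you guessed.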
SAML
- Create a SAML Application.
  - Set Allowed Callback URL to `https://auth.akuity.io/login/callback?connection={your organization id}`
  - Set Entity ID to `urn:auth0:akuity:{your organization id}`
  - The Organization ID can be found in the top-right side of the Organization page.
- Populate the configuration details on the form.
  - Domain: Your organization's domain name
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Configuration (XML): Use the identity provider's Metadata XML to configure SAML SSO.
  - Configuration (Manual): Manually configure SAML SSO.
    - Sign-In Endpoint: SAML single sign-on URL.
    - Disable Sign-out: Disables SAML single logout. When it is left disabled, a specific Sign-Out Endpoint can be set.
    - Sign-Out Endpoint: SAML single logout URL.
    - Sign Request: When enabled, the SAML authentication request will be signed.
    - Signature Algorithm: Algorithm to use to sign the SAML assertions.
    - Digest Algorithm: Algorithm to use for the sign request digest.
    - Base64 Encoded Signing Cert: The identity provider's signing certificate, base64 encoded.
    - Protocol Binding: HTTP binding supported by the IdP.
- Test the connection.
OIDC Mapping
The OIDC mapping feature is only available if SSO is configured.
OIDC mapping does not work with the Okta native integration, because that integration does not support the groups claim. Use the generic SAML or OpenID Connect option to connect Okta if you want to use this feature.
To configure OIDC mapping for an Organization in the Akuity Platform:
- Go to Organization > SSO.
- Click Add New Rule.
- In the Add OIDC Group Mapping dialog, select the role and specify the corresponding OIDC group for your provider.
- Click the Add button.
In the SSO settings, if Auto Add Member is checked, a new user will join your organization with the `member` role automatically.
OIDC Team Mapping
OIDC Team Mapping does not work with the Okta native integration, because that integration does not support the groups claim. Use the generic SAML or OpenID Connect option to connect Okta if you want to use this feature.
This feature allows you to map users with a specific OIDC group to a team in your organization.
Like standard OIDC Mapping, OIDC Team Mapping is only available if SSO is configured. In addition, your organization must have at least one Team.
To configure this feature for an Organization in the Akuity Platform:
- Go to Organization > SSO.
- Scroll down to the "OIDC Team Mapping" section and click Add New Mapping.
- In the modal that appears, specify an OIDC group and select an existing team from the dropdown.
- Click the Add button.
Now, when a user logs in with the specified OIDC group, they will be added to the selected team in your organization.
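Both OIDC Mapping and OIDC Team Mapping depend on the provider actually placing a groups claim in the ID token, which is exactly what the Okta native integration does not do. The script below is an added example (not Akuity's code) for checking that before you enter rules: it decodes the payload of an ID token, reports whether a groups claim is present, and previews which role and teams a set of rules would produce. The token is constructed and unsigned, for offline use only; signature verification is the platform's job and is not shown. The claim name `groups`, the rule dictionaries and the assumption that Auto Add Member applies only when no role rule matched are this example's own, since the page does not say how overlapping rules are resolved.

```python
"""Preview OIDC group -> role/team mapping against an ID token's groups claim.

Added example, not Akuity's code. The sample token is constructed and
unsigned (alg "none") so it can be decoded offline; never accept such a
token in production.
"""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned JWT for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def groups_from_id_token(id_token: str, claim: str = "groups"):
    """Return the groups claim as a list, or None if the provider sent none
    (the situation this page describes for the Okta native integration)."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    value = payload.get(claim)
    if value is None:
        return None
    return list(value) if isinstance(value, (list, tuple)) else [value]


def preview_mapping(groups, role_rules, team_rules, auto_add_member):
    """role_rules and team_rules are {oidc_group: role} / {oidc_group: team}.

    Assumption (not stated on the page): Auto Add Member grants `member`
    only when no role rule matched. All matching rules are reported so
    overlapping rules are visible rather than silently resolved.
    """
    present = groups is not None
    have = set(groups or [])
    roles = sorted({role for group, role in role_rules.items() if group in have})
    teams = sorted({team for group, team in team_rules.items() if group in have})
    if not roles and auto_add_member:
        roles = ["member"]
    return {"groups_claim_present": present, "roles": roles, "teams": teams}


# Constructed sample: one token with groups, one without (what you see with
# a provider that does not emit the claim).
ROLE_RULES = {"platform-owners": "owner", "developers": "member"}
TEAM_RULES = {"sre": "SRE", "developers": "Backend"}
TOKEN_WITH_GROUPS = make_sample_id_token({
    "iss": "https://idp.example.com", "sub": "u1",
    "email": "alice@some-org.com", "groups": ["platform-owners", "sre"],
})
TOKEN_WITHOUT_GROUPS = make_sample_id_token({
    "iss": "https://idp.example.com", "sub": "u2", "email": "bob@some-org.com",
})

if __name__ == "__main__":
    for tok in (TOKEN_WITH_GROUPS, TOKEN_WITHOUT_GROUPS):
        print(preview_mapping(groups_from_id_token(tok), ROLE_RULES, TEAM_RULES, True))
```

If `groups_claim_present` is False for a real token from your provider, no mapping rule can ever match, and the only way a user gets in is Auto Add Member; that is the symptom to look for before concluding a rule is wrong.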