Akuity Platform SSO
The Akuity Platform supports the following Single Sign-On (SSO) providers:
- Microsoft (Azure AD)
- Google Workspace
- Okta
- OpenID Connect
- SAML
Akuity Platform SSO is available on Enterprise plans only. Please contact our Sales Team to access the feature.
Note that this feature only applies to the Akuity Platform, and is separate from SSO for Argo CD. Argo CD SSO is available in all Professional and Enterprise plans.
Configuring SSO
The `admin` or `owner` role on the Organization is required to configure SSO.
To configure SSO for an Organization on the Akuity Platform:
- Go to Organization > SSO.
- Click Add Configuration.
- Continue with the steps for your provider:
  - Microsoft (Azure AD)
  - Google Workspace
  - Okta
  - OpenID Connect
  - SAML
Microsoft (Azure AD)
- Register an application with the Microsoft identity platform with the following settings:
  - Set Redirect URI to `https://auth.akuity.io/login/callback`
- Add the following Delegated Permissions to the registered application:
  - Users > User.Read
  - Directory > Directory.Read.All
- Populate the configuration details inside the form:
  - Client ID: Application (client) ID
  - Client Secret: Client Secret
  - Azure AD Domain: Your Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
Google Workspace
- Register an application with Google Workspace with the following settings:
  - Set Authorized JavaScript origins to `https://auth.akuity.io`
  - Set Redirect URI to `https://auth.akuity.io/login/callback`
- Populate the configuration details inside the form:
  - Client ID: Application (client) ID
  - Client Secret: Client Secret
  - Google Workspace Domain: Google Workspace domain name for your organization.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
Okta
- Create an Okta OIDC Application.
  - In your Okta Admin Dashboard, select Applications > Applications, and Create App Integration.
  - Select Create New App.
  - Choose OIDC as the Sign-in method and Web Application as the Application Type.
  - Set Sign-in redirect URIs to `https://auth.akuity.io/login/callback` and select Create.
  - Copy your Client ID and Client Secret.
- Populate the configuration details on the form.
  - Client ID: Okta OIDC Application Client ID
  - Client Secret: Okta OIDC Application Client Secret
  - Okta Domain: Your Okta domain.
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
OpenID Connect
- Create an OIDC Application.
  - Set Allowed Callback URL to `https://auth.akuity.io/login/callback`
- Populate the configuration details on the form.
  - Client ID: OIDC Application Client ID
  - Email Domain: Your organization's domain name
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Channel:
    - Front Channel uses `response_mode=form_post` and `response_type=id_token`
    - Back Channel uses `response_type=code`
  - Discovery URL: OIDC Discovery URL used to fill in the Issuer details
  - Issuer details:
    - Client Secret: OIDC Application Client Secret (required for the Back Channel)
    - Issuer: URL of the Issuer Identifier.
    - Authorization Endpoint: URL of the OpenID Provider's OAuth 2.0 Authorization Endpoint.
    - Token endpoint: URL of the OpenID Provider's OAuth 2.0 Token Endpoint (required for the Back Channel).
    - Jwks URL: URL of the OpenID Provider's JSON Web Key Set document.
  - Auto Add Member: Allow your organization members to join your organization with the `member` role automatically.
- Test the connection.
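As an added example (not Akuity's code), the following Python fills the Issuer details fields from a provider's discovery document and checks which Channel the provider can actually serve, based on the `response_type`/`response_mode` requirements above; the discovery document and the `idp.example.com` provider are constructed for the example.

```python
"""Map an OIDC discovery document onto the form's Issuer details and check which
Channel (Front or Back) the provider supports. Added example, not Akuity's code."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document, keys per OpenID Connect Discovery 1.0.
# A real one is fetched from the Discovery URL (<issuer>/.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
})

# Form field (as labelled on the page) -> discovery document key.
FORM_FIELDS = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "Jwks URL": "jwks_uri",
}


def issuer_details(discovery_json: str) -> dict:
    """Fill the Issuer details fields. Every URL must be HTTPS: the Jwks URL is where
    the keys that verify ID tokens come from, so a plaintext URL would let an on-path
    attacker substitute keys. Hosts are not forced to match the issuer, because some
    providers legitimately serve endpoints from a different hostname."""
    doc = json.loads(discovery_json)
    details = {}
    for field, key in FORM_FIELDS.items():
        url = doc[key]  # KeyError here means the provider omits a required field
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} is not HTTPS: {url}")
        details[field] = url
    return details


def supported_channels(discovery_json: str, has_client_secret: bool) -> dict:
    """Front Channel needs response_type=id_token delivered via response_mode=form_post;
    Back Channel needs response_type=code plus a Token endpoint and the Client Secret."""
    doc = json.loads(discovery_json)
    types = set(doc.get("response_types_supported", []))
    # Discovery 1.0: when absent, response_modes_supported defaults to query and fragment.
    modes = set(doc.get("response_modes_supported", ["query", "fragment"]))
    return {
        "Front Channel": "id_token" in types and "form_post" in modes,
        "Back Channel": "code" in types and "token_endpoint" in doc and has_client_secret,
    }
```

If a provider's document lacks `form_post` in `response_modes_supported`, only the Back Channel is usable, and it then needs the Client Secret and Token endpoint populated.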
SAML
- Create an OIDC Application.
  - Set Allowed Callback URL to `https://auth.akuity.io/login/callback?connection={your organization id}`
  - Set Entity ID to `urn:auth0:akuity:{your organization id}`
  - The Organization ID can be found in the top-right side of the Organization page.
- Populate the configuration details on the form.
  - Domain: Your organization's domain name
  - Domain Aliases: Additional domains to match organization members (e.g. `some-org.com`).
  - Configuration (XML): Use Metadata XML to configure SAML SSO.
  - Configuration (Manual): Manually configure SAML SSO.
    - Sign-In Endpoint: SAML single login URL.
    - Disable Sign-out: When disabled, a specific Sign Out URL can be set.
    - Sign-Out Endpoint: SAML single logout URL.
    - Sign Request: When enabled, the SAML authentication request will be signed.
    - Signature Algorithm: Algorithm used to sign the SAML assertions.
    - Digest Algorithm: Algorithm used for the sign request digest.
    - Base64 Encoded Signing Cert: Base64 encoded signing certificate.
    - Protocol Binding: HTTP binding supported by the IdP.
- Test the connection.
OIDC Mapping
The OIDC mapping feature is only available if SSO is configured.
To configure OIDC mapping for an Organization on the Akuity Platform:
- Go to Organization > SSO.
- Click Add New Rule.
- In Add OIDC Group Mapping, select the role and specify the corresponding OIDC Group for your provider.
- Click the Add button.
In the SSO settings, if the member role automatically.