Akuity Platform SSO

The Akuity Platform supports the following Single Sign-On (SSO) providers:

• Microsoft (Azure AD)
• Google Workspace
• Okta
• OpenID Connect
• SAML

info

Akuity Platform SSO is available on Enterprise plans only. Please contact our Sales Team to access the feature.

Note that this feature only applies to the Akuity Platform, and is separate from SSO for Argo CD. Argo CD SSO is available in all Professional and Enterprise plans.

Configuring SSO

note

The owner role on the Organization is required to configure SSO.

To configure SSO for an Organization on the Akuity Platform:

1. Go to Organization > SSO.

   

2. Click Add Configuration.

Microsoft (Azure AD)

3. Register an application with the Microsoft identity platform with the following settings:

   • Set Redirect URI to https://auth.akuity.io/login/callback

4. Add the following Delegated Permissions to the registered application:

   • Users > User.Read
   • Directory > Directory.Read.All

5. Generate a client secret.

6. Populate the configuration details inside the form:

   • Client ID: Application (client) ID
   • Client Secret: Client Secret
   • Azure AD Domain: Your Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.
   • Domain Aliases: Additional domains to match organization members (e.g. some-org.com).
   • Auto Add Member: Allow your organization members to join your organization with the member role automatically.

6. Test the connection.

Google Workspace

3. Register an application to the Google Workspace with the following settings:

   • Authorized JavaScript origins to https://auth.akuity.io
   • Set Redirect URI to https://auth.akuity.io/login/callback

4. Populate the configuration details inside the form:

   • Client ID: Application (client) ID
   • Client Secret: Client Secret
   • Google Workspace Domain: Google Workspace domain name for your organization.
   • Domain Aliases: Additional domains to match organization members (e.g. some-org.com).
   • Auto Add Member: Allow your organization members to join your organization with the member role automatically.

   

5. Test the connection.

Okta

3. Create an Okta OIDC Application.

   • In your Okta Admin Dashboard, Select Applications > Applications, and Create App Integration.
   • Select Create New App.
   • Choose OIDC as the Sign-in method and Web Application as Application Type.
   • Set Sign-in redirect URIs with https://auth.akuity.io/login/callback and select Create.
   • Copy your Client ID and Client Secret.
   • (Optional) You can configure Initiate login URI to skip Akuity login page.
     • Set Login initiated by under General Settings as Either Okta or App
     • Set Login flow as OIDC Compliant
     • Set Initiate login URI as https://akuity.cloud/api/auth/login/sso/<your-organization-id> (ID can be found in Organization tab in Akuity Dashboard)

4. Populate the configuration details on the form.

   • Client ID: Okta OIDC Application Client ID
   • Client Secret: Okta OIDC Application Client Secret
   • Okta Domain: Your Okta domain.
   • Domain Aliases: Additional domains to match organization members (e.g. some-org.com).
   • Auto Add Member: Allow your organization members to join your organization with the member role automatically.

   

5. Test the connection.

OpenID Connect

3. Create an OIDC Application.

   • Set Allowed Callback URL to https://auth.akuity.io/login/callback

4. Populate the configuration details on the form.

   • Client ID: OIDC Application Client ID
   • Email Domain: Your organization's domain name
   • Domain Aliases: Additional domains to match organization members (e.g. some-org.com).
   • Channel:
     • Front Channel uses response_mode=form_post and response_type=id_token
     • Back Channel uses response_type=code
   • Discovery URL: OIDC Discovery URL to fill Issuer details
   • Issued details:
     • Client Secret: OIDC Application Client Secret (required for the Back Channel)
     • Issuer: URL of the Issuer Identifier.
     • Authorization Endpoint: URL of the OpenID Provider's OAuth 2.0 Authorization Endpoint.
     • Token endpoint: URL of the OpenID Provider's OAuth 2.0 Token Endpoint (required for the Back Channel).
     • Jwks URL: URL of the OpenID Provider's JSON Web Key Set document.
   • Auto Add Member: Allow your organization members to join your organization with the member role automatically.

   

5. Test the connection.

SAML

3. Create an OIDC Application.

   • Set Allowed Callback URL to https://auth.akuity.io/login/callback?connection={your organization id}

   • Set Entity ID to urn:auth0:akuity:{your organization id}

   • Organization ID can be found in the top-right side of the Organization page.

     

4. Populate the configuration details on the form.

   • Domain: Your organization's domain name
   • Domain Aliases: Additional domains to match organization members (e.g. some-org.com).
   • Configuration (XML): Use Metadata XML to configure SAML SSO.
   • Configuration (Manual): Manually configure SAML SSO.
     • Sign-In Endpoint: SAML single login URL.
     • Disable Sign-out: When disabled, a specific Sign Out URL can be set.
     • Sign-Out Endpoint: SAML single logout URL.
     • Sign Request: When enabled, the SAML authentication request will be signed.
     • Signature Algorithm: Algorithm to use to sign the SAML assertions.
     • Digest Algorithm: Algorithm to use to the sign request digest
     • Base64 Encoded Signing Cert: Base64 encoded signing certificate
     • Protocol Binding: HTTP binding supported by the IdP

   

5. Test the connection.

OIDC Mapping

note

OIDC mapping feature is only available if SSO is configured.

To configure OIDC mapping for an Organization in the Akuity Platform:

1. Go to Organization > SSO.

   

2. Click Add New Rule.

   

3. In the Add OIDC Group Mapping select the role and specify the corresponding OIDC Group for your provider.

   

4. Click the Add button.

note

In the SSO settings, if the Auto Add Member is checked the new user willjoin your organization with the member role automatically.

OIDC Team Mapping

This feature allows you to map users with a specific OIDC group to a team in your organization.

Like standard OIDC Mapping, OIDC Team Mapping is only available if SSO is configured. In addition, your organization must have at least one Team.

To configure this feature for an Organization in the Akuity Platform:

1. Go to Organization > SSO.

   

2. Scroll down to the "OIDC Team Mapping" section and click Add New Mapping.

   

3. In the modal that appears, specify an OIDC group and select an existing team from the dropdown.

   

4. Click the Add button.

Now, when a user logs in with the specified OIDC group, they will be added to the selected team in your organization.