
Single Sign-On


This article describes how to set up OIDC in the iceDQ application. iceDQ can be integrated with third-party identity providers (IdPs) such as Okta, Azure AD, AWS SSO and others using the OIDC protocol. Once this feature is enabled, users are redirected to the IdP's sign-in page and authenticate with the SSO credentials already held by the IdP.

Steps to configure OIDC in iceDQ

  1. Click New Identity Provider to add a new OIDC provider.
  2. Use oidc as the alias, or another valid alias name.
  3. Enter a Display Name (this text is shown on the login screen to tell the user to sign in with SSO).
  4. Under OpenID Connect Settings, select the check box to use the Discovery Endpoint, and enter the discovery endpoint URL you received from the OIDC Administrator.
  5. Under Client Authentication, select Client secret sent as post.
  6. Enter the Client ID you received from the OIDC Administrator.
  7. Enter the Client Secret you received from the OIDC Administrator.
  8. Save the configuration and confirm that the SSO button appears on the login screen.

[Screenshots: Okta - 1, Okta - 2]


Steps to configure OIDC App in OKTA

To set up Okta as the IdP for iceDQ nextGen, follow the process below.

Create OIDC App in Okta

Create an app integration that represents the application you want to add authentication to with Okta:

  1. Go to Applications > Applications in the Admin Console.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-in method.
  4. Select Web Application as the application type, and then click Next.

On the Web Application Integration page:

  1. Change the app integration name.
  2. Do not select Require Demonstration of Proof-of-Possession (DPoP).
  3. Under Grant Type, select Client Credentials; under Client acting on behalf of a user, select Authorization Code and Implicit (hybrid).
  4. Sign-in redirect URIs: https://DOMAIN-NAME/auth/realms/iam.icedq/broker/oidc/endpoint (get the domain name from the requester, along with the correct realm and alias; these are part of the redirect URI shown under General Settings).
  5. Sign-out redirect URIs: https://DOMAIN-NAME/auth/realms/iam.icedq/broker/oidc/endpoint/logout_response (get the domain name from the requester, along with the correct realm and alias; these are part of the redirect URI shown under General Settings).
Important

Be sure to use the correct realm (iam.icedq) and alias (oidc) in the URIs shown in steps 4 and 5.

  6. Under Assignments, select Limit access to selected groups.
  7. Save the General Settings.

Create Client ID and Issuer

  1. Open the created app.
  2. Click General.
  3. Note the client ID and client secret to share with the requester.
  4. Click Sign On.
  5. Select and note the issuer from the drop-down.
  6. Click Save.

The screenshots below show the corresponding configuration in the Okta app.

[Screenshots: Okta - 1, Okta - 2, Okta - 3, Okta - 4]


Generate Metadata URL

To form the metadata (discovery) URL:

  1. Log in to Okta.
  2. Click the account information.
  3. Click the Copy to Clipboard icon next to the issuer domain name, as shown below.
  4. Copy the issuer domain name.
  5. In the URL https://yourOktaDomain/.well-known/openid-configuration, replace 'yourOktaDomain' with the issuer domain name copied in the previous step. For more information, refer to https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration.
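The following script is an added example, not part of the iceDQ or Okta documentation. It pulls together the values used in the procedure above: it builds the discovery URL from the issuer domain, derives the sign-in and sign-out redirect URIs for the iam.icedq realm and oidc alias, and checks a discovery document for the properties the iceDQ configuration relies on (issuer match, HTTPS endpoints, support for the authorization code flow and for client_secret_post). The sample discovery document and the domain names are constructed placeholders.

```python
"""Pre-flight checks for the iceDQ <-> Okta OIDC setup described above."""
from urllib.parse import urlparse

REALM = "iam.icedq"   # realm required by the iceDQ broker redirect URI
ALIAS = "oidc"        # alias chosen in step 2 of the iceDQ configuration


def discovery_url(okta_domain: str) -> str:
    """Build the discovery endpoint from the issuer domain copied from Okta."""
    return f"https://{okta_domain}/.well-known/openid-configuration"


def broker_redirect_uris(domain: str, realm: str = REALM, alias: str = ALIAS) -> dict:
    """Sign-in and sign-out redirect URIs the Okta app must allow-list."""
    base = f"https://{domain}/auth/realms/{realm}/broker/{alias}/endpoint"
    return {"sign_in": base, "sign_out": base + "/logout_response"}


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems found in a discovery document (empty means OK)."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            problems.append(f"{key} missing or not https")
    # iceDQ is configured with 'Client secret sent as post' (step 5), so the
    # token endpoint must advertise client_secret_post.
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not accept client_secret_post")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    return problems


# Constructed sample shaped like an Okta org authorization server discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://dev-000000.okta.com",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

if __name__ == "__main__":
    print(discovery_url("dev-000000.okta.com"))
    print(broker_redirect_uris("icedq.example.com"))
    print(check_discovery(SAMPLE_DISCOVERY, "https://dev-000000.okta.com") or "discovery OK")
```

To run it against a live tenant, fetch the URL returned by discovery_url, parse the JSON, and pass the result to check_discovery before saving the iceDQ configuration.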