Configure SSO to support multiple tenants
Note
SSO multi-tenant support is not provided by default. If you need to support multiple tenants in your SSO configuration, contact Support and request it in addition to the SSO feature.
If you have multiple APEX AIOps Incident Management tenants (such as a test instance and a production instance) and need to enable the same SSO configuration for all of them, you must use the multi-tenant setup option to configure SSO.
Important
Be sure to use this method for SSO setup on multiple tenants; completing the SSO configuration separately for different tenants will fail to work consistently.
To configure SSO for multiple tenants:
Set up SSO for one of your tenants. Incident Management supports:
This first configured instance is your primary instance for your SSO configuration. When you enable SSO multi-tenancy on your subsequent instances, they will receive SSO configuration information from this primary instance. For more information, see Manage multi-tenant SSO.
After setting up SSO on the first tenant, be sure to enable and test SSO. Log in using SSO as the other procedures direct.
On the Single Sign-On (SSO) page of your configured tenant, click Show multi-tenant configuration.
Copy the Connection ID string.
Disable the authentication provider.
For OIDC:
Navigate to Settings > Single Sign-On and click View Configuration, then click Disable.
For PingFederate:
Navigate to Settings > Single Sign-On and click Disable Authentication Provider.
Disabling SSO allows you to log in to your other tenants during the configuration process without SSO attempting to authenticate you with a partially functioning setup.
Note
At this point, no one will be able to log in using SSO. It is important to finish configuring your additional tenants so that users can log in properly.
Log in to Incident Management on your second tenant.
Navigate to Settings > Single Sign-On.
In the Multi-tenant Setup box, click Configure.
In the dialog that opens, paste the Connection ID string in the Connection ID box.
Under Login Domains, enter a domain and click Add Domain.
Repeat for additional domains.
NOTE: You must include at least one login domain. You can add additional login domains at any time.
Click Save and Enable.
Paste the Connection ID and configure at least one login domain as indicated for all tenants sharing the same SSO configuration.
When you have completed configuring SSO on all other applicable tenants, log in to your first tenant from Step 1.
Re-enable the authentication provider:
For OIDC:
On the Single Sign-On page, click View Configuration, then click Enable.
For PingFederate:
On the Single Sign-On page, click Finish Configuration and then re-enable the authentication provider.
This enables SSO for all configured tenants.
(Optional) Configure groups and roles for the additional tenants.
Configuring group and role mappings is an optional, but recommended, step. Keep in mind that if roles are not configured for users, and no default role is set up, then all users who are added to the system via SSO will have administrator permission.
Navigate to Settings > Single Sign-On. Under Role and Group Mapping (Optional), click Edit Mappings.