Skip to main content

Manage multi-tenant SSO

APEX AIOps Incident Management supports multi-tenant SSO configurations across several Incident Management instances. For setup information, see Configure SSO to support multiple tenants.

The first instance configured in a multi-tenant setup (the primary) controls SSO for the other instances. When you select the multi-tenant option for additional instances, they receive the SSO configuration from the primary.

Because of this dependency, it is very important that you perform any later configuration changes from the right location. Making a change from the wrong location could negatively impact the SSO setup for all instances.

Make these changes from the primary only
  • Enabling and disabling SSO. This also impacts all multi-tenant instances.

  • Updating an expired SSO certificate

  • Making changes in Auth provider details, such as the issuer ID, the client ID, or the client secret

  • Login domains, role mappings and group mappings applicable only to the primary instance

Make these changes from the multi-tenant instances
  • Role and group mappings applicable to a multi-tenant instance

  • Login domains applicable to a multi-tenant instance

Note

Some updates on the primary result in changes to the Configuration ID. When the Configuration ID changes, you must repeat copying and pasting it to the multi-tenant instances. Only changes which require rebuilding the connection on the primary cause the Connection ID to change.

If you are unsure whether you need to update your multi-tenant Connection IDs, compare the current Connection ID on a multi-tenant instance with the primary. When there is a mismatch, you must update the multi-tenant Connection IDs.

Important

Use caution when replacing the Connection ID on multi-tenant instances. Improperly replacing the ID could result in SSO failure for all instances.