
Configure SSO for OpenID Connect (OIDC)

APEX AIOps Incident Management supports SSO authentication based on the OpenID Connect (OIDC) protocol. Incident Management users with the Edit permission for the instance can set up an automated, secure connection with OIDC providers such as Okta, Azure AD, and OneLogin. Incident Management then whitelists user emails in your login domains, so your users do not need a separate username/password identity to log in.

Note

  • This feature requires an Advanced subscription plan.

  • Configuring the OIDC provider itself is outside the scope of this documentation. Incident Management recommends that you refer to the documentation of your OIDC provider, such as Auth0, Okta, or OneLogin.

Before you begin

  • To set up SSO authentication, you must have Edit permission for the Incident Management instance. See Custom roles permissions reference.

  • You must have your user profiles set up and verified in your external OIDC provider.

    Your OIDC provider must return, for each user:

    • an email address claim

    • the scopes that Incident Management requests (openid, email, and profile at a minimum)

    • a user profile

  • Familiarize yourself with this procedure for disabling SSO to prevent locking users out of Incident Management if the SSO configuration fails.

Set up SSO authentication

  1. Open two separate browser windows as follows:

    • Incident Management browser — Log in to Incident Management, navigate to Settings > Single Sign-On (SSO), and then click Configure in the OpenID Connect (OIDC) box.

    • External browser — Log in to the administration interface of your external OIDC provider.

  2. Copy the following values from the external browser to the Incident Management browser:

    • Issuer URL

    • Client ID

    • Client Secret

    Copy the Issuer URL exactly as the provider shows it (scheme, host, path, and any trailing slash); it must match the issuer value the provider publishes in its discovery document, or token validation fails. Treat the Client Secret as a credential: paste it only into the Incident Management configuration and rotate it at the provider if it is exposed.

  3. Copy the following from your Incident Management browser to your external browser:

    • Login Redirect URL

    Register the Login Redirect URL with your OIDC provider exactly as Incident Management shows it. Providers typically match redirect URIs exactly, so a different scheme, host, path, or trailing slash causes the login to fail.

  4. Under Login Domains, in the Domains field, click Add Domain to add each login domain for your organization.

  5. Click Test to validate the connection.

    NOTE: A successful test indicates that Incident Management was able to authenticate with your OIDC provider using the values you entered.

  6. Click the Configuration tab and complete the optional setup sections:

    Note

    It is a best practice to complete the rest of your SSO configuration first, test your setup, and then add scopes and mappings after you have confirmed SSO is working correctly.

    1. Additional Scope

      Enter a space-separated list of the scopes that Incident Management should request from the external authentication system. The list must include every scope the system needs for role and group mapping, as well as any scopes used for other purposes. For example: preferred_contact location department.

      Incident Management automatically adds openid email profile if these scopes are not provided.

      Important

      After adding additional scopes, click Test at the top of the page to ensure that your SSO configuration still works. If it does not, then there is an issue with your scopes.

    2. Role Mappings

      Map each claim value to the corresponding Incident Management role.

      NOTE: You can create custom roles in Incident Management to map to your SSO roles. See Custom roles for details.

      1. Click Add Role Mapping.

      2. In the Add Role Mapping dialog, enter the Role Claim Key and the Role Claim Value in the indicated fields.

      3. Click Select Role and, from the list that opens, select the Incident Management role to map to the selected Claim Value.

      4. Click Add Mapping.

    3. Group Mappings

      Under Group Mappings, map your group claim values to Incident Management groups. To map an SSO group to an Incident Management group, you must first create the target group in Incident Management. For information on creating user groups for SSO, see Add groups to use with SSO.

      1. Click Add Group Mapping.

      2. In the Add User Group Mapping dialog, enter the Group Claim Key, and the Group Claim Value in the indicated fields.

      3. Click Select User Group and, from the list that opens, select the Incident Management group to map to the selected Claim Value.

      4. Click Add Mapping.

  7. Click Save to save your changes.

  8. Click Enable to enable single sign-on.
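To make the settings in the procedure above concrete, the following Python script models what they do: it checks an Issuer URL against an OIDC discovery document, builds the scope string with the automatic openid email profile defaults, whitelists the email domain against the login domains, and resolves role and group mappings from decoded ID-token claims. This is an added example written for this page, not Incident Management's own code. The discovery document, the ID-token claims, the login domain example.com, the role names Operator and Administrator, and the group name Platform On-Call are constructed for illustration, and the email_verified check is this example's own addition, which the page does not mention.

```python
"""Model of the OIDC settings walked through above (added illustration,
not Incident Management's own code). The sample discovery document,
ID-token claims, role names and group names are constructed for this example."""
from urllib.parse import urlparse

# Scopes the page says Incident Management adds automatically if missing.
DEFAULT_SCOPES = ("openid", "email", "profile")


def check_issuer(issuer_url: str, discovery: dict) -> list:
    """Return a list of problems with an Issuer URL (empty list means OK).

    OIDC Discovery requires the document served at
    <issuer>/.well-known/openid-configuration to carry an "issuer" value
    identical to the issuer URL; a trailing slash, http instead of https,
    or a wrong tenant path shows up here before it breaks token validation.
    """
    problems = []
    if urlparse(issuer_url).scheme != "https":
        problems.append("issuer must use https")
    if discovery.get("issuer") != issuer_url:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} "
                        f"does not match {issuer_url!r}")
    return problems


def build_scope(additional_scope: str) -> str:
    """Space-separated scope list with openid, email and profile guaranteed."""
    scopes = list(DEFAULT_SCOPES)
    for scope in additional_scope.split():
        if scope not in scopes:  # de-duplicate while keeping order
            scopes.append(scope)
    return " ".join(scopes)


def email_domain_allowed(email: str, login_domains) -> bool:
    """Whitelist on the exact domain of the email claim, case-insensitively.

    'example.com.evil.net' must not pass for the login domain 'example.com',
    and an address with more than one '@' is rejected outright.
    """
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in login_domains}


def resolve_mappings(claims: dict, mappings) -> list:
    """Apply (claim_key, claim_value, target) mappings to token claims.

    A claim may be a scalar ("department": "SRE") or a list ("groups": [...]);
    a mapping matches on an exact value either way.
    """
    targets = []
    for claim_key, claim_value, target in mappings:
        present = claims.get(claim_key)
        values = present if isinstance(present, list) else [present]
        if claim_value in values and target not in targets:
            targets.append(target)
    return targets


def login_decision(claims, login_domains, role_mappings, group_mappings) -> dict:
    """Combine the checks into one decision for a decoded ID token.

    Assumption: the email_verified check is this example's addition; the
    page itself describes only the domain whitelist and the mappings.
    """
    email = claims.get("email", "")
    if not claims.get("email_verified", False):
        return {"allowed": False, "reason": "provider did not verify email"}
    if not email_domain_allowed(email, login_domains):
        return {"allowed": False, "reason": f"{email} is outside the login domains"}
    return {"allowed": True,
            "roles": resolve_mappings(claims, role_mappings),
            "groups": resolve_mappings(claims, group_mappings)}


# Constructed sample data (hypothetical issuer, user, roles and groups).
ISSUER_URL = "https://login.example.com/oauth2/default"
SAMPLE_DISCOVERY = {"issuer": ISSUER_URL,
                    "authorization_endpoint": ISSUER_URL + "/v1/authorize"}
SAMPLE_CLAIMS = {"iss": ISSUER_URL, "sub": "00u1abc", "email": "Ana@Example.com",
                 "email_verified": True, "department": "SRE",
                 "groups": ["oncall-platform", "everyone"]}
ROLE_MAPPINGS = [("department", "SRE", "Operator"),
                 ("department", "Security", "Administrator")]
GROUP_MAPPINGS = [("groups", "oncall-platform", "Platform On-Call")]

if __name__ == "__main__":
    print("issuer problems:", check_issuer(ISSUER_URL, SAMPLE_DISCOVERY))
    print("scope:", build_scope("preferred_contact location department"))
    print(login_decision(SAMPLE_CLAIMS, ["example.com"], ROLE_MAPPINGS, GROUP_MAPPINGS))
```

The domain check deliberately compares the whole domain rather than using a suffix or substring test, which is the mistake that lets an attacker-controlled domain such as example.com.evil.net slip through a whitelist for example.com. The mapping resolver accepts list-valued claims because group claims from Okta, Azure AD, and similar providers are arrays, while role-style claims are usually scalars; both are matched on exact values, so a claim value that differs only in case from the configured Role Claim Value or Group Claim Value does not match.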

Configure SSO to support multiple tenants

If you have multiple Incident Management instances and want to use the same SSO configuration with all of them, you must complete an additional procedure for supporting multiple tenants.