
Configure SSO for OpenID Connect (OIDC)

Moogsoft Cloud supports SSO authentication based on the OpenID Connect (OIDC) protocol. Moogsoft users with the Edit permission to the instance can set up an automated, secure connection with OIDC providers such as Okta, Azure AD, and OneLogin. Moogsoft then whitelists user emails in your login domain, so your users do not need additional username/password identities to log in.

Note

  • This feature requires an Advanced subscription plan.

  • Setting up SSO using OIDC is outside the scope of this documentation. Moogsoft recommends that you refer to the documentation of your OIDC provider such as Auth0, Okta, or OneLogin.

Before you begin

  • To set up SSO authentication, you must have Edit permission for the Moogsoft instance. See Custom roles permissions reference.

  • You must have your user profiles set up and verified in your external OIDC provider.

    Your OIDC system must provide:

    • an email address

    • a scope

    • a user profile

  • Familiarize yourself with this procedure for disabling SSO to prevent locking users out of Moogsoft if the SSO configuration fails.

Set up SSO authentication

  1. Open two separate browser windows as follows:

    • Moogsoft browser — Log in to Moogsoft and navigate to Settings > Single Sign-On (SSO), and then click Configure in the OpenID Connect (OIDC) box.

    • External browser — Log in to the administration interface of your external OIDC provider.

  2. Copy the following values from the external browser to the Moogsoft browser:

    • Issuer URL

    • Client ID

    • Client Secret

  3. Copy the following from your Moogsoft browser to your external browser:

    • Login Redirect URL

  4. Under Login Domains, in the Domains field, click Add Domain to add each login domain for your organization.

  5. Click Test to validate the connection.

    NOTE: A successful test indicates that Moogsoft was able to successfully authenticate with your OIDC provider.

  6. Click the Configuration tab and complete the optional setup sections:

    Note

    It is a best practice to complete the rest of your SSO configuration first, test your setup, and then add scopes and mappings after you have confirmed SSO is working correctly.

    1. Additional Scope

      Enter a space-separated list of scopes that Moogsoft can request from the external authentication system. This list must include the scopes the system will use for group mapping and any scopes used for other purposes. For example: preferred_contact location department.

      Moogsoft automatically adds openid email profile if these scopes are not provided.

      Important

      After adding additional scopes, click Test at the top of the page to ensure that your SSO configuration still works. If it does not, then there is an issue with your scopes.

    2. Role Mappings

      Map each claim value to the corresponding Moogsoft role.

      NOTE: You can create custom roles in Moogsoft to map to your SSO roles. See Custom roles for details.

      1. Click Add Role Mapping.

      2. In the Add Role Mapping dialog, enter the Role Claim Key and the Role Claim Value in the indicated fields.

      3. Click Select Role and, from the list that opens, select the Moogsoft role to map to the selected Claim Value.

      4. Click Add Mapping.

    3. Group Mappings

      Under Group Mappings, map your group claim values to Moogsoft groups. To map an SSO group to a Moogsoft group, you must first create the target group in Moogsoft. For information on creating user groups for SSO, see Add groups to use with SSO.

      1. Click Add Group Mapping.

      2. In the Add User Group Mapping dialog, enter the Group Claim Key, and the Group Claim Value in the indicated fields.

      3. Click Select User Group and, from the list that opens, select the Moogsoft group to map to the selected Claim Value.

      4. Click Add Mapping.

  7. Click Save to save your changes.

  8. Click Enable to enable single sign-on.
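As an added illustration (not Moogsoft's code), the following Python models what the settings above do to a login: the login-domain allowlist, the automatically added default scopes, and the role and group mappings applied to the claims the provider returns. The claim names, the role and group names, and the sample claims are constructed for this example.

```python
"""Model the effect of an OIDC SSO configuration on one login.
Added example; the claim layout and mapping structure are assumptions."""
from dataclasses import dataclass, field

# Scopes Moogsoft adds automatically when they are not configured.
DEFAULT_SCOPES = {"openid", "email", "profile"}


@dataclass
class Mapping:
    claim_key: str    # e.g. "groups" (Role/Group Claim Key)
    claim_value: str  # e.g. "sre-oncall" (Role/Group Claim Value)
    target: str       # Moogsoft role or user group selected in the dialog


@dataclass
class SsoConfig:
    login_domains: set                 # Login Domains > Domains
    additional_scope: str = ""         # space-separated Additional Scope
    role_mappings: list = field(default_factory=list)
    group_mappings: list = field(default_factory=list)

    def requested_scopes(self):
        """Scopes requested from the provider: configured list plus defaults."""
        return sorted(DEFAULT_SCOPES | set(self.additional_scope.split()))


def claim_matches(claims, m):
    """A claim may be a single value or a list (common for group claims)."""
    value = claims.get(m.claim_key)
    if isinstance(value, list):
        return m.claim_value in value
    return value == m.claim_value


def resolve_login(cfg, claims):
    """Return (allowed, roles, groups) for one set of ID-token claims."""
    domain = claims.get("email", "").rpartition("@")[2].lower()
    if not domain or domain not in cfg.login_domains:
        return False, [], []  # email outside the allowed login domains
    roles = sorted({m.target for m in cfg.role_mappings if claim_matches(claims, m)})
    groups = sorted({m.target for m in cfg.group_mappings if claim_matches(claims, m)})
    return True, roles, groups


# Constructed configuration and claims (not real accounts or tenants).
CONFIG = SsoConfig(
    login_domains={"example.com"},
    additional_scope="groups department",
    role_mappings=[Mapping("department", "SRE", "Operator")],
    group_mappings=[Mapping("groups", "sre-oncall", "On-call team")],
)
SAMPLE_CLAIMS = {"email": "ana@example.com", "department": "SRE", "groups": ["sre-oncall", "all-staff"]}
OUTSIDE_CLAIMS = {"email": "bob@contractor.example", "department": "SRE", "groups": ["sre-oncall"]}
```

Note that a user from a domain not listed under Login Domains is rejected before any mapping is considered, which is why the domain list, not the mappings, is the access-control boundary.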

Configure SSO to support multiple tenants

If you have multiple Moogsoft instances and want to use the same SSO configuration with all of them, you must complete an additional procedure for supporting multiple tenants.