This guide explains how to get started with Single Sign-on (SSO) using OAuth2 or OpenID Connect. The topics covered, in order:
Requirements and supported features
What information should be sent to Ardoq, and where to find it
Example of how to configure the application in your identity provider
Requirements and supported features
To use this method, your organization must be on a subdomain (example: https://<your-organization>.ardoq.com).
NOTE: Reach out to your CSM or ask support to create a subdomain or change an existing one. Remember to include your organization's current name in Ardoq and the subdomain you would like to use in place of "app" in the link https://app.ardoq.com. Please be aware that links to previously sent surveys and presentations, bookmarks to workspaces, etc. will become inaccessible and will need to be changed, e.g. manually by the end user.
This method supports "Just-in-time provisioning", which means that users will have an Ardoq account created automatically the first time they log in, and they will be assigned a default role.
However, this method does not support role assignment from the identity provider, so a new user will always be assigned the default role. Our SAML SSO integration supports passing in an assignedRoles attribute to manage roles from the identity provider if this is something you require.
What information to send to Ardoq
Once you are done setting up the SSO-application in your identity provider, you need to send the following information to Ardoq so that we can finish up the configuration on our end:
The "client id"
The "client secret"
The "well-known" configuration URL (example from Okta here)
Send the information to your Customer Success Manager and support@ardoq.com. We will then make the necessary configuration on our side and get back to you within two working days. If you have multiple organizations (for example a sandbox environment), also let us know which organization you want to set up SSO for.
Where to find the information
The client id and secret can be found on the Application details page, in the "General" tab:
Check with your identity provider to find the "well-known" configuration URL! For Okta, for example, the URL is documented here. It will generally look something like this:
https://<your-okta-instance>.okta.com/.well-known/openid-configuration
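An added example, not Ardoq's or Okta's code: a Python check to run over the discovery document served at the "well-known" URL before sending that URL to Ardoq. The required-field list follows OpenID Connect Discovery 1.0; the idp.example.com URL and document are constructed sample data.

```python
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def check_discovery(well_known_url, doc):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    if urlsplit(well_known_url).scheme != "https":
        problems.append("well-known URL is not https")
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        problems.append("well-known URL does not end in " + WELL_KNOWN_SUFFIX)
    for field in REQUIRED_FIELDS:
        if not doc.get(field):
            problems.append("missing required field: " + field)
    # The issuer must equal the URL with the well-known suffix removed;
    # a mismatch means the document describes a different issuer.
    issuer = doc.get("issuer")
    if issuer and well_known_url.endswith(WELL_KNOWN_SUFFIX):
        if issuer != well_known_url[: -len(WELL_KNOWN_SUFFIX)]:
            problems.append("issuer does not match well-known URL")
    # Tokens and signing keys must never travel over plain http.
    for field in ENDPOINT_FIELDS:
        value = doc.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(field + " is not https")
    return problems

# Constructed sample input (not a real identity provider).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN_SUFFIX
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "no problems found")
```

To check a real identity provider, download the JSON from its "well-known" URL, parse it with `json.loads`, and pass the URL and the parsed document to `check_discovery`.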
Setting up the application: Example using Okta
We will now demonstrate how you can configure the SSO-application in the identity provider Okta.
Overview
Create a new App Integration
Add the necessary "sign-in" URLs (redirect and login)
Assign users
Create a new app integration
To get started, select "Create App Integration" on the Applications page. In this example, we select the "OpenID Connect" sign-on method, and the "Web Application" Application type:
Next, we add the "sign-in redirect URI", which will be the following for OpenID:
https://<your-ardoq-organization>.ardoq.com/oauth/callback/oic
Or the following for OAuth2:
https://<your-ardoq-organization>.ardoq.com/oauth/callback/oauth2
If you want to be able to initiate login from Okta as well as from Ardoq, we also need to add the "Initiate login URI", which will be the following for OpenID:
https://<your-ardoq-organization>.ardoq.com/oauth/login/oic
Or the following for OAuth2:
https://<your-ardoq-organization>.ardoq.com/oauth/login/oauth2
Set the "login flow" so that login requests are redirected to Ardoq:
When we want to be able to initiate login from Okta, we also need to add the "Implicit" grant type:
That's it! The next step is to write down the client id, client secret, and the "well-known" configuration URL and forward it to your Customer Success Manager. We will then complete the configuration on our end, and you will then be able to log in with your new Okta-application.