Skip to main content
All CollectionsAdministration of ArdoqSSO Management
Setting up Single Sign-on using OpenID Connect or OAuth2
Setting up Single Sign-on using OpenID Connect or OAuth2

Learn how to get started with Single Sign-on using OAuth2 or OpenID Connect, with an example from the identity provider Okta

Kristine Marhilevica avatar
Written by Kristine Marhilevica
Updated over a week ago

This guide explains how to get started with Single Sign-on (SSO) using OAuth2 or OpenID Connect. The topics covered, in order:

  1. Requirements and supported features

  2. What information should be sent to Ardoq, and where to find it

  3. Example on how to configure the application in your identity provider

Requirements and supported features

To use this method, your organization must be on a subdomain (example: https://<your-organization>.ardoq.com).

NOTE: Reach out to your CSM or ask support to create a subdomain or do the subdomain change. Remember to send the current organization's name in Ardoq and the subdomain you would like to use instead of "app" in the link https://app.ardoq.com. Please be aware that the links to earlier sent-out surveys and presentations, bookmarks to workspace, etc. will be inaccessible and will e.g. need to be changed manually by the end-user.

This method supports "Just-in-time provisioning", which means that users will have an Ardoq account created automatically the first time they log in, and they will be assigned a default role.

However, this method does not support role assignment from the identity provider, so a new user will always be assigned the default role. Our SAML SSO integration supports passing in an assignedRoles-attribute to manage roles from the identity provider if this is something you require.

What information to send to Ardoq

Once you are done setting up the SSO-application in your identity provider, you need to send the following information to Ardoq so that we can finish up the configuration on our end:

  1. The "client id"

  2. The "client secret"

  3. The "well-known" configuration URL (example from Okta here)

Send the information to your Customer Success Manager and support@ardoq.com. We will then make the necessary configuration on our side and get back to you within two working days. If you have multiple organizations (for example a sandbox environment), also let us know which organization you want to set up SSO for.

Where to find the information

The client id and secret can be found in the Application details page, in the "General"-tab:

Ardoq client id

Check with your identity provider to find the "well-known" configuration URL! For Okta, for example, the URL is documented here. It will generally look something like this:

https://<your-okta-instance>.okta.com/.well-known/openid-configuration

Setting up the application: Example using Okta

We will now demonstrate how you can configure the SSO-application in the identity provider Okta.

Overview

  1. Create a new App Integration

  2. Add the necessary "sign-in" URLs (redirect and login)

  3. Assign users

Create a new app integration

To get started, select "Create App Integration" on the Applications page. In this example, we select the "OpenID Connect" sign-on method, and the "Web Application" Application type:

Ardoq create new integration

Next, we add the "sign-in redirect URI", which will be the following for OpenID:

https://<your-ardoq-organization>.ardoq.com/oauth/callback/oic

Or the following for Oauth2

https://<your-ardoq-organization>.ardoq.com/oauth/callback/oauth2
ardoq new web app integration

If you also want to be able to initiate login from Okta as well as Ardoq, we also need to add the "Initiate login URI", which will be the following for OpenID:

https://<your-ardoq-organization>.ardoq.com/oauth/login/oic

or the following for Oauth2

https://<your-ardoq-organization>.ardoq.com/oauth/login/oauth2

Set the "login flow" so that login requests are redirected to Ardoq:

ardoq login flow

When we want to be able to initiate login from Okta, we also need to add the "Implicit" grant type:

ardoq application integration

That's it! πŸŽ‰ The next step is to write down the client id, client secret, and the "well-known" configuration URL and forward it to your Customer Success Manager. We will then complete the configuration on our end, and you will then be able to log in with your new Okta-application.

Did this answer your question?