This guide explains how to get started with Single Sign-on (SSO) using OAuth2 or OpenID Connect. The topics covered, in order:

  1. Requirements and supported features

  2. What information should be sent to Ardoq, and where to find it

  3. Example of how to configure the application in your identity provider

Requirements and supported features

To use this method, your organization must be on a subdomain (example: https://<your-organization>.ardoq.com).

This method supports "Just-in-time provisioning", which means that users will have an Ardoq account created automatically the first time they log in, and they will be assigned a default role.

However, this method does not support role assignment from the identity provider, so a new user will always be assigned the default role. Our SAML SSO integration supports passing in an assignedRoles-attribute to manage roles from the identity provider if this is something you require.

What information to send to Ardoq

Once you are done setting up the SSO-application in your identity provider, you need to send the following information to Ardoq so that we can finish up the configuration on our end:

  1. The "client id"

  2. The "client secret"

  3. The "well-known" configuration URL (example from Okta here)

Send the information to your Customer Success Manager and support@ardoq.com. We will then make the necessary configuration on our side and get back to you within two working days. If you have multiple organizations (for example a sandbox environment), also let us know which organization you want to set up SSO for.

Where to find the information

The client id and secret can be found on the Application details page, in the "General" tab:

Check with your identity provider to find the "well-known" configuration URL! For Okta, for example, the URL is documented here. It will generally look something like this:

https://<your-okta-instance>.okta.com/.well-known/openid-configuration
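
Before sending the URL, you can sanity-check the document it returns. The following is an added example, not Ardoq's or Okta's code: it checks the fields OpenID Connect Discovery requires, that the issuer matches the URL prefix, and that the endpoints use https. The function name and the idp.example.com sample data are constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery 1.0 marks REQUIRED, plus token_endpoint,
# which is required unless only the implicit flow is used.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(well_known_url, doc):
    """Return a list of problems in a parsed discovery document (empty = OK)."""
    if not well_known_url.endswith(SUFFIX):
        return [f"URL does not end with {SUFFIX}"]
    expected_issuer = well_known_url[: -len(SUFFIX)]
    problems = [f"missing required field: {k}" for k in REQUIRED if not doc.get(k)]
    # The issuer in the document must be the prefix the URL was built from;
    # a mismatch means the URL and the document describe different tenants.
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match URL prefix {expected_issuer!r}")
    for key in URL_FIELDS:
        value = doc.get(key)
        if isinstance(value, str) and value and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL: {value!r}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP advertises unsigned ID tokens (alg 'none')")
    return problems


# Constructed sample data; idp.example.com is a placeholder, not a real tenant.
GOOD_URL = "https://idp.example.com" + SUFFIX
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Same document with the wrong tenant as issuer, a plain-http token endpoint and no jwks_uri.
BAD_DOC = dict(GOOD_DOC, issuer="https://other.example.com",
               token_endpoint="http://idp.example.com/oauth2/v1/token", jwks_uri="")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(GOOD_URL, doc))
```

To check your own tenant, download the JSON from your "well-known" URL and pass the parsed result, together with that URL, to `check_discovery`.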

Setting up the application: Example using Okta

We will now demonstrate how you can configure the SSO-application in the identity provider Okta.

Overview

  1. Create a new App Integration

  2. Add the necessary "sign-in" URLs (redirect and login)

  3. Assign users

Create a new app integration

To get started, select "Create App Integration" on the Applications page. In this example, we select the "OpenID Connect" sign-on method, and the "Web Application" Application type:

Next, we add the "sign-in redirect URI", which will be the following for OpenID:

https://<your-ardoq-organization>.ardoq.com/oauth/callback/oic

Or the following for OAuth2:

https://<your-ardoq-organization>.ardoq.com/oauth/callback/oauth2

If you want to be able to initiate login from Okta as well as from Ardoq, we also need to add the "Initiate login URI", which will be the following for OpenID:

https://<your-ardoq-organization>.ardoq.com/oauth/login/oic

Or the following for OAuth2:

https://<your-ardoq-organization>.ardoq.com/oauth/login/oauth2

Set the "login flow" so that login requests are redirected to Ardoq:

When we want to be able to initiate login from Okta, we also need to add the "Implicit" grant type:

That's it! 🎉 The next step is to write down the client id, client secret, and the "well-known" configuration URL and forward them to your Customer Success Manager. We will then complete the configuration on our end, and you will be able to log in with your new Okta application.
