Single Sign-On (SSO)
Written by Lise
Updated over a week ago

Intigriti supports Single Sign-On (SSO) through OpenID Connect (OIDC) for any identity provider of your choice. It will allow company members to easily and securely access Intigriti with their identity provider credentials.

💡Please note that Intigriti does not sync user information between your
identity provider and the platform.

Activating Single Sign-On

What do I need?

  • An Identity Provider (IdP) adhering to the OpenID Connect (OIDC) protocol.
    OpenID Connect is an identity layer on top of the OAuth 2.0 framework.

  • Your Identity Provider's discovery documentation.

  • A company administrator to configure the SSO settings.

Step-by-step

  • Go to Intigriti > Admin > More > Single Sign-On.

  • Add the following Identity Provider information with the help of the discovery documentation:

    • Identity provider name

    • Identity provider URL

    • Client ID

    • Client secret

  • Click Save. You can edit the information as long as the SSO integration is inactive.

  • Ensure that all the necessary configurations on the identity provider side are properly completed.

💡To avoid potential lock-out of a company admin account, we recommend test
driving the SSO integration by having a company member or another company
admin try it out before converting all accounts. This will help ensure a smooth
transition without any unintended consequences.

  • Click Activate.

Once SSO is activated, you can enforce SSO as the authentication method by:

  • Converting the authentication method of existing members to SSO on the Company members page.

  • Adding new members with authentication method SSO.
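
A pre-flight check for the Identity provider URL and discovery documentation used in the steps above, as an added example (not Intigriti's own code): it applies the OpenID Connect Discovery rules to a discovery document you have already downloaded and parsed. The host idp.example.test and the sample document are constructed, and whether Intigriti itself enforces each of these rules is an assumption.

```python
from urllib.parse import urlparse

# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED for a provider
# offering the authorization code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(idp_url):
    """Location of the discovery document for a given Identity provider URL."""
    return idp_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(idp_url, doc):
    """Return a list of problems found in a parsed discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The spec requires the issuer to be identical to the URL the document was
    # fetched for (a trailing slash counts); ID tokens carry it as "iss".
    if doc.get("issuer") != idp_url:
        problems.append(f"issuer {doc.get('issuer')!r} != configured URL {idp_url!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(str(doc[key])).scheme != "https":
            problems.append(f"{key} is not an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg 'none')")
    return problems

# Constructed sample input (not taken from a real provider).
SAMPLE_URL = "https://idp.example.test"
SAMPLE_DOC = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_URL))
    print(check_discovery(SAMPLE_URL, SAMPLE_DOC) or "no problems found")
```

An empty result means the document is consistent with the URL you are about to enter; any listed problem is worth resolving on the identity provider side before clicking Activate.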

Configuring your identity provider

Please find below a list of the most relevant articles along with additional tips to facilitate integration between our platform and your identity provider.

Okta

  • Create an application using the Okta guide.

    • Sign-in method: OIDC - OpenID Connect

    • Application type: Web application

    • Grant type: Client Credentials

    • Sign-in redirect URIs: < redirect URL >

    • Sign-out redirect URIs: < empty >

    • Base URIs: < empty >

    • Controlled access: < according to your company's policy >

  • Open the earlier created application via Console > Applications > Applications.

  • Go to General > Client Credentials.

  • Retrieve the following information:

    • Client ID

    • Client Secret

  • Go to Sign On > OpenID Connect ID Token.

  • Click Edit.

  • Select Okta URL.

  • Retrieve the Identity Provider URL (the URL between the brackets).

Auth0

  • Create an application using the Auth0 guide.

    • Application name: 'Intigriti'

    • Application type: ✅ 'Regular Web Applications'

  • Open the newly created application.

  • Go to Settings.

  • Retrieve the following information from the Basic information section:

    • Identity provider URL = Domain

    • Client ID

    • Client Secret

  • Add the Redirect URL provided on the Intigriti SSO Settings page to the Allowed Callback URLs in the Application URIs section.

Azure Active Directory

  • Sign in to Azure.

  • Navigate to Default Directory > Manage: Enterprise applications.

  • Click New application. You will be redirected to the Azure AD Gallery.

  • Click Create your own application.

  • Add the application name: Intigriti SSO.

  • Indicate the application purpose:
    ✅ Integrate any other application you don't find in the gallery (Non-gallery).

  • Click Create.

  • Go to the Default Directory > Manage: App registrations > All applications.

  • Select the earlier created application 'Intigriti SSO' and retrieve the following information:

Client ID

  • Stay on the 'Intigriti SSO' Overview page.

  • Retrieve the Client ID here:

Client Secret

  • Stay on the 'Intigriti SSO' overview page.

  • Click Add a certificate or secret.

  • Add the client secret name and expiry date.

  • Click Create.

  • Retrieve the Client Secret here:

Identity provider URL

  • Go to Endpoints.

  • Retrieve the Identity Provider URL here:

Redirect URL

  • Go to Default Directory > Authentication.

  • Click Add a platform.

  • Select platform type: Web application.

  • Add the Redirect URL provided on the 'Intigriti SSO' Settings page.

Deactivating Single Sign-On


Please be aware that upon deactivation of SSO:

  • The authentication method of all company members is set back to password.

  • All active converted company members will receive an email request to set up a new password and use this to log in from now on.

  • Company members are no longer redirected to your identity provider and can only access Intigriti with their local account credentials.

Step-by-step

  • Go to Intigriti > Admin > More > Single Sign-On.

  • Click Deactivate.

Note that your SSO configuration will remain available, allowing you to easily enable it again in the future if desired.