Guide for Single Sign-On (SSO)

This guide walks you through configuring Single Sign-On (SSO) using OpenID Connect (OIDC) (opens in a new tab) with Oso. This feature is available for Growth plan customers and allows you to integrate identity providers like Okta (opens in a new tab) or Microsoft Entra (opens in a new tab) to authenticate users.

What is Single Sign-On (SSO)?

Single Sign-On (SSO) is a secure user authentication process that allows users to log into multiple applications using a single set of credentials. By integrating SSO, you streamline the login process and improve security for your users. Oso's SSO is based on OpenID Connect (OIDC) (opens in a new tab) and built on top of OAuth 2.0 (opens in a new tab).

đź’ˇ

Before starting this process, you should contact your Oso team to assist you through the process as some steps require a team member to configure on our end.

This article covers:

Prerequisites for SSO

How to configure SSO for Okta

Step 1: Create an OIDC application in Okta

  1. Log into your Okta Admin Console.
  2. Navigate to Applications → Create App Integration.
  3. Select OIDC - OpenID Connect as the sign-on method.
  4. Set Application Type to Web Application.
  5. Configure the new Application
    • Ensure Authorization Code is checked in Core grants, and no other grants are needed.
    • Sign-in redirect URIs, add https://ui.osohq.com/web/oauth/oidc/callback.
    • Logout redirect URIs, add https://ui.osohq.com/.
    • Under Assignments, choose whether you want all of your users to access Oso or only specific users or groups. Oso still requires users to be invited to the Oso Organization, but you can limit access to certain users or groups.
  6. Configure other settings as needed, then click Save.

Step 2: Retrieve Okta OIDC information

  1. After saving the application, go to the General tab of your new app.
  2. Copy the following values to use in Oso in the next step:
    • Client ID
    • Client Secret
    • Issuer URL

Step 3: Provide Oso with the required information

Oso does not support self-service SSO creation today and this must be done by a team member.

Once you've created the Okta Application, please reach out to an Oso team member to assist you in finalizing the single sign-on (SSO). You need to provide Oso with:

  1. Your OIDC discovery URL in Okta: Eg. https://trial-8895628.okta.com/.well-known/openid-configuration
  2. The Client ID for the Application you just created.
  3. The Client Secret for the Application you just created.
  4. A preferred customer ID. This is a short 3-5 character ID that you will use during SSO. Eg. acme

Once Oso confirms the creation, follow the Signing in with SSO step to finish signing up.

How to configure SSO for Microsoft Entra

Step 1: Create an OIDC application in Microsoft Entra

  1. Log into the Azure portal.
  2. Navigate to Microsoft Entra ID.
  3. Select Manage -> App Registrations.
  4. Click New registrations.
  5. Provide a name for the app and select the supported account types (e.g., single tenant or multi-tenant).
  6. Under Redirect URI, select Web as the platform and enter for the callback URL https://ui.osohq.com/web/oauth/oidc/callback.
  7. Click Register to create the app.

Step 2: Configure the app

  1. After the app is created, navigate to Certificates & Secrets to generate a Client Secret.
  2. Go to Overview and copy the Client ID.
  3. Go to Endpoints and copy the OpenID Connect metadata document URL (Issuer URL).

Step 3: Provide Oso with the required information

Oso does not support self-service SSO creation today and this must be done by a team member.

Once you've created the Entra Application, please reach out to your Oso team member to assist you in finalizing the single sign-on (SSO). You need to provide Oso with:

  1. Your OIDC discovery URL in Entra: Eg. https://login.microsoftonline.com/831b434f-61e7-48d5-90ee-c4dd0fd52252/v2.0/.well-known/openid-configuration
  2. The Client ID for the Application you just created.
  3. The Client Secret for the Application you just created.
  4. A preferred customer ID. This is a short 3-5 character ID that you will use during SSO. Eg. acme

Once Oso confirms the creation, follow the Signing in with SSO step to finish signing up.

Signing in with SSO

Navigate to https://ui.osohq.com/ (opens in a new tab) and select Log in with SSO.

Oso will prompt you to enter your Customer ID, which is either the ID you selected or the one provided to you by your Oso team member. Once you click “Continue,” the sign-in flow will begin, redirecting you to your identity provider for authentication. After the successful authentication, you’ll be returned to Oso to complete the process.

đź’ˇ

Single sign-on (SSO) with Oso does not automatically add SSO users to your organization’s production environments. An admin in your organization will still need to invite new users manually. When inviting a user, ensure that the email address or identifier matches the one in your identity provider (e.g., user@example.com). This ensures a seamless login experience for the invited user.