
Configure SSO using OpenID Connect (OIDC)

Use OIDC for a seamless SSO setup that simplifies login management for members of your entity

Written by Lisa van Oudtshoorn
Updated over 8 months ago

Configure SSO on Capcade using OIDC

You can configure single sign-on (SSO) using OpenID Connect (OIDC), which is built on top of the OAuth 2.0 protocol, so that users authenticate on Capcade with a single security credential issued by your identity provider (IdP).


Prerequisites

Before you get started, ensure you have the following:

  • Identity provider (IdP)

    • Your IdP must be OIDC-compliant

    • Your OIDC-compliant identity provider should offer multi-factor authentication (MFA), which is optional. Setting up AWS Cognito as the identity provider is described in this guide.

  • Features and permissions on Capcade

    • Your organization's plan must have the OpenId Connect feature enabled (contact your Capcade account representative or support@capcade.com to request access)

    • The person configuring SSO must have "Edit organization info" permission enabled for themselves (learn how organization permissions work in this guide)


Configuration

Step 1 – Proceed to entity settings on Capcade

  • Open your entity settings on Capcade manually or by clicking the following link

  • Scroll down to the "Single sign-On" section and toggle it on

  • Click the “Edit” button to open the configuration form

  • In the configuration form, choose your “Name”. This name will be displayed at the login prompt as "Continue with <Name>" for all users in your entity on Capcade

  • Copy your unique "Registration ID”

Step 2 – Create a user pool with client application on your identity provider (IdP)

💡If you already actively use OIDC for authentication, proceed to step 3.

Create an OpenID Connect (OIDC) application configured with authorization code grant type in your identity provider (IdP). The following are some links to help you get started:

As previously mentioned, setting up AWS Cognito as identity provider will be described in this guide.

Go to your Amazon Web Services console and search for the Cognito service. Then open "User pools" and start creating a new user pool.

  1. Configure sign-in experience

    1. For provider type choose "Cognito user pool"

    2. For Cognito user pool sign-in options choose "email"

  2. Configure security requirements

    1. Choose "No MFA" or set up MFA

    2. Everything else is optional

  3. Configure sign-up experience

    1. Everything is optional, proceed to next step

  4. Configure message delivery

    1. Set up according to your needs; for a minimal setup choose "Send email with Cognito"

  5. Integrate your app

    1. Choose an optional user pool name

    2. Turn on "Use the Cognito Hosted UI" option

    3. Under "Domain", choose your unique Cognito domain URL that will be used for sign-up

    4. At "Initial app client" choose "Confidential" or "Other" for App type

    5. At "App client name" write Capcade

    6. At "Client secret" choose "Generate a client secret"

    7. At "Allowed callback URLs", add https://api.capcade.com/openIdConnect/login/YOUR_UNIQUE_REGISTRATION_ID

  6. Review and create

    1. Review your settings and finish creation

You can now find your new pool in "User pools" and access it.

In the "Users" section, you should invite users that you want to have access to Capcade - you will need to manually invite yourself as well.

Step 3 – Create a client application for existing user pool

  1. Open your user pool

  2. Go to "App Integration"

  3. Create a new client

  4. At "Initial app client" choose "Confidential" or "Other" for App type

  5. At "App client name" write “Capcade”

  6. At "Client secret" choose "Generate a client secret"

  7. At "Hosted UI settings" in Allowed callback URLs add https://api.capcade.com/openIdConnect/login/YOUR_UNIQUE_REGISTRATION_ID

Step 4 – Obtain credentials from your IdP needed for authentication on Capcade

In this step, you need to obtain the Provider URL, Client ID and Client Secret from your user pool.

  1. In your user pool, at "User pool overview" copy the Token signing key URL and replace its last part, jwks.json, with openid-configuration. This will be your Provider URL in the OpenId Connect configuration on Capcade

  2. Go to App Integration and find your previously created App Client with name Capcade

  3. Under App client information you can find Client ID and Client secret needed for finishing the configuration
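Before pasting the values from steps 1 to 4 into Capcade, it helps to check that they are consistent with each other. The following script is an added example, not part of this article or of Capcade's or AWS's own code; it assumes the Token signing key URL has the usual Cognito form (…/.well-known/jwks.json), and the discovery document and registration ID in it are constructed samples, not values from a real user pool.

```python
"""Consistency check for an OIDC/Cognito setup on Capcade (added example)."""
from urllib.parse import urlparse

# Fixed prefix of the callback URL from step 2.5.7 / step 3.7.
CAPCADE_CALLBACK = "https://api.capcade.com/openIdConnect/login/"


def provider_url_from_jwks(jwks_url: str) -> str:
    """Step 4.1: derive the Provider URL by swapping jwks.json for openid-configuration."""
    if not jwks_url.endswith("/.well-known/jwks.json"):
        raise ValueError("not a Cognito token signing key URL: " + jwks_url)
    return jwks_url[: -len("jwks.json")] + "openid-configuration"


def check_discovery(provider_url: str, doc: dict, registration_id: str, callback_urls: list) -> list:
    """Return a list of problems; an empty list means the values fit together."""
    problems = []
    issuer = doc.get("issuer", "").rstrip("/")
    # The Provider URL must sit under the issuer the IdP advertises, otherwise
    # ID tokens carry an iss claim that does not match the configured provider.
    if not provider_url.startswith(issuer + "/"):
        problems.append("issuer does not match provider URL")
    # Capcade uses the authorization code grant (step 2), so the IdP must offer it.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code grant")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(ep, "")).scheme != "https":
            problems.append(ep + " is missing or not https")
    # The app client must allow exactly the callback built from the Registration ID.
    expected = CAPCADE_CALLBACK + registration_id
    if expected not in callback_urls:
        problems.append("app client lacks callback " + expected)
    return problems


# Constructed sample values (placeholder region, pool id and domain; not a real pool).
SAMPLE_JWKS_URL = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE/.well-known/jwks.json"
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
    "authorization_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "jwks_uri": SAMPLE_JWKS_URL,
    "response_types_supported": ["code", "token"],
}
SAMPLE_REGISTRATION_ID = "REGISTRATION_ID_PLACEHOLDER"

if __name__ == "__main__":
    url = provider_url_from_jwks(SAMPLE_JWKS_URL)
    print("Provider URL:", url)
    print("Problems:", check_discovery(url, SAMPLE_DISCOVERY, SAMPLE_REGISTRATION_ID,
                                       [CAPCADE_CALLBACK + SAMPLE_REGISTRATION_ID]))
```

Replace the sample values with the ones copied from your own user pool and fetch the real discovery document from the derived Provider URL to run the same checks against it.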


To learn more about organization and profiles, visit the collection of articles in our help guide.
