# SSO configuration

A user with administrative privileges on an RI Platform instance can configure single sign-on (SSO) to integrate with an external identity provider. The RI Platform supports the OpenID Connect (OIDC) authentication mechanism.

**Note**: Administrative operations cannot be performed while logged in using SSO. User accounts configured to use SSO cannot be [assigned membership](rbac.md) in a workspace before logging in with SSO once.

## Configuring SSO

1. Sign in to a user account that has administrative privileges for an RI Platform instance.
   > The Workspaces page appears.
2. Click the *Settings* icon in the lower left.
   > The Organization Settings page appears.
3. Click *SSO Configuration*.
   > The SSO Configuration pane appears.
4. In *Client ID*, type the client ID for OIDC.
5. In *Client Secret*, type the client secret for OIDC.
6. In *Issuer URL*, type the URL of the OIDC issuer.
7. Click *Save*.

The RI Platform instance is now configured to use SSO authentication.

## Identity Provider Setup

RIME supports all OIDC providers. The following sections provide specific instructions for individual OIDC providers.

Add `https://rime./v1/auth/oidc/callback` as a callback URL for the OIDC provider. When this URL is not valid, attempting to log in results in a 403 Forbidden HTTP status code. When a signout URL is necessary, use `https://rime./sign-out`.

### Azure Active Directory

Register a new application with a **Web** platform configuration using the callback and signout URLs above.

The Issuer URL for RIME takes the form `https://login.microsoftonline.com/{tenant}/v2.0`. For more information, see the [Azure AD documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri).

### Okta

Create a new App Integration using the **OIDC - OpenID Connect** sign-in method and **Web Application** type. Use the callback and signout URLs described above.

After creating the application, retrieve the Client ID and secret from the application overview page.

The Issuer URL for RIME takes the form `https://.okta.com`. For more information, see the [Okta documentation](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm).
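
For any provider, the Issuer URL and callback URL can be checked for consistency before they are saved. The following Python check is an added example, not part of the RI Platform documentation or product code: it compares the configured issuer with the provider's OIDC discovery metadata and the callback URL with the redirect URIs registered at the provider. The function names, the all-zero tenant ID and the host `rime.example.com` are assumptions made for illustration, and the metadata dictionary stands in for a document fetched from the discovery URL.

```python
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer):
    """OIDC Discovery: metadata is served at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_sso_settings(issuer, metadata, callback, registered_redirects):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URL must be an absolute https URL")
    if parts.query or parts.fragment:
        problems.append("issuer URL must not carry a query or fragment")
    # Discovery requires the metadata "issuer" to equal the configured value exactly,
    # so a stray trailing slash or a wrong tenant shows up here.
    if metadata.get("issuer") != issuer:
        problems.append(f"issuer mismatch: provider reports {metadata.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(str(metadata.get(key) or "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    # OIDC Core specifies exact string comparison for redirect URIs.
    if callback not in registered_redirects:
        problems.append("callback URL is not registered with the provider")
    return problems

# Constructed sample values (placeholder tenant and host), not from a real deployment.
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
ISSUER = BASE + "/v2.0"
METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
}
CALLBACK = "https://rime.example.com/v1/auth/oidc/callback"

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    # Consistent settings: no problems reported.
    print(check_sso_settings(ISSUER, METADATA, CALLBACK, [CALLBACK]))
    # Trailing slash on the issuer and on the registered redirect URI: both flagged.
    print(check_sso_settings(ISSUER + "/", METADATA, CALLBACK, [CALLBACK + "/"]))
```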