SSO configuration

A user with administrative privileges on Robust Intelligence can configure single sign-on (SSO) to integrate with an external identity provider. Robust Intelligence supports the OpenID Connect (OIDC) authentication protocol.

Note: Administrative operations cannot be performed while logged in using SSO.

User accounts configured to use SSO cannot be assigned membership in a workspace before logging in with SSO once.

Configuring SSO

  1. Sign in to a user account that has administrative privileges. } The Workspaces page appears.

  2. Click the Settings icon in the lower left. } The Organization Settings page appears.

  3. Click SSO Configuration. } The SSO Configuration pane appears.

  4. In Client ID, type the client ID for OIDC.

  5. In Client Secret, type the client secret for OIDC.

  6. In Issuer URL, type the URL of the OIDC issuer.

  7. Click Save.

After completing these steps, your Robust Intelligence instance should now be configured to use SSO authentication.

Identity Provider Setup

Robust Intelligence supports all OIDC providers. For convenience, the following sections provide specific instructions for individual providers.

  • Callback URL: https://rime.{domain}/v1/auth/oidc/callback

    • When this URL is not valid, attempting to log in results in a 403 Forbidden HTTP status code.

  • Signout URL: https://rime.{domain}/sign-out.

Azure Active Directory

Register a new application with a Web platform configuration using the callback and signout URLs above.

The Issuer URL for Robust Intelligence takes the form https://login.microsoftonline.com/{tenant}/v2.0.

For more information, see the Azure AD documentation.

Okta

Create a new App Integration using the OIDC - OpenID Connect sign-in method and Web Application type. Use the callback and signout URLs described above.

After creating the application, retrieve the Client ID and secret from the application overview page.

The Issuer URL for Robust Intelligence takes the form https://{organization}.okta.com.

For more information, see the Okta documentation.

AWS Cognito (User Pools)

Create a new Cognito User Pool for the application. Configure settings as desired, but be sure to enable the Cognito Hosted UI.

Create an initial app client using the callback URL from above, and generate a client secret. Under Advanced app client settings, select the following settings:

  • Under “OAuth 2.0 grant types”, select Authorization code grant.

  • Under “OpenID Connect scopes”, select Email, OpenID, and Profile.

After creating the user pool, retrieve the Client ID and Client secret from the App client overview page in the AWS Cognito console.

The Issuer URL for Robust Intelligence takes the form https://cognito-idp.{region}.amazonaws.com/{user-pool-id} (reference).

For more information, see the AWS Cognito documentation.