Single Sign-On

OpenGovernance supports a wide range of Identity Providers for user authentication. This guide covers the IDPs we’ve successfully integrated with. Since we use OIDC standards, you can also integrate any OIDC-compliant IDP.

Walkthrough

Step 1: Log in to the Azure Portal with an Administrator account. Navigate to Azure Active Directory > App registrations > New registration.

Name: Enter "OpenGovernance SSO".
Supported account types: Choose based on your requirements.
Redirect URI: Select Web and enter your OpenGovernance callback URL (e.g., https://demo.opengovernance.io/callback).
Click Register.

Step 2: In the Overview section of your newly registered app, copy the Application (client) ID and Directory (tenant) ID for later use.

Step 3: Go to Certificates & secrets in the left menu.

Click New client secret.
Description: Enter a descriptive name (e.g., OpenGovernance SSO Secret).
Expires: Select an appropriate expiration period.
Click Add and copy the Client Secret immediately as it will be hidden later.

Step 4: Navigate to API permissions > Add a permission > Microsoft Graph > Delegated permissions.

Select permissions such as openid, profile, and email.
Click Add permissions.
Click Grant admin consent for [Your Organization] to approve the permissions.

Step 5: Assign users to the application:

Navigate to Enterprise applications > OpenGovernance SSO.
Go to Users and groups and click Add user/group.
Select the users or groups to assign and click Assign.

Add Client ID, Tenant ID, Client Secret in OpenGovernance -> Administration -> SSO

Step 1: Log in to the Google Cloud Console with an Administrator account. Navigate to APIs & Services > Credentials > Create Credentials > OAuth client ID.

Application Type: Select Web application.
Name: Enter "OpenGovernance SSO".
Authorized Redirect URIs: Enter your OpenGovernance callback URL (e.g., https://demo.opengovernance.io/callback).
Click Create.

Step 2: After creation, copy and save the Client ID and Client Secret displayed. These will be used in OpenGovernance configuration.

Step 3: Configure the OAuth consent screen:

Navigate to APIs & Services > OAuth consent screen.
User Type: Select Internal (if only for your organization) or External.
App Information: Enter the App name (e.g., OpenGovernance SSO), User support email, and other required details.
Scopes: Add necessary scopes such as openid, email, and profile.
Click Save and Continue until the setup is complete.

Step 4: Assign users to the application:

Navigate to Google Workspace Admin Console > Apps > Web and mobile apps.
Click Add App > Add custom SAML app (even though we're using OIDC, this step ensures user assignment).
App Name: Enter "OpenGovernance SSO".
User Assignment: Select the users or groups to grant access to OpenGovernance SSO.
Click Save.

Step 5: Configure OpenGovernance with Google Workspaces credentials:

In OpenGovernance, navigate to the SSO Configuration section.
Select OIDC Type: Google Workspace
Client ID: Enter the Client ID copied earlier.
Client Secret: Enter the Client Secret copied earlier.
Click Save to complete the integration.

Step 1: Log in to your Auth0 Dashboard with an Administrator account. Navigate to Applications > Applications and click Create Application.

Name: Enter "OpenGovernance SSO".
Application Type: Select Regular Web Applications.
Click Create.

Step 2: In the Settings tab of your newly created application, configure the following:

Allowed Callback URLs: Enter your OpenGovernance callback URL (e.g., https://demo.opengovernance.io/callback).
Allowed Logout URLs: Enter the logout URL for OpenGovernance (e.g., https://demo.opengovernance.io/logout).
Allowed Web Origins: Enter your OpenGovernance domain (e.g., https://demo.opengovernance.io).
Click Save Changes.

Step 3: Navigate to the Connections tab within your application settings.

Enable the desired identity providers (e.g., Database, Google, Microsoft) that your organization uses.
Configure each connection as needed to ensure users can authenticate using their preferred method.

Step 4: Go to Applications > APIs and click Create API.

Name: Enter "OpenGovernance API".
Identifier: Enter a unique URI (e.g., https://api.opengovernance.io).
Signing Algorithm: Select RS256.
Click Create.

Step 5: Configure OpenGovernance with Auth0 credentials:

In Auth0, navigate back to Applications > OpenGovernance SSO > Settings.
Client ID: Copy and enter the Client ID into OpenGovernance's SSO configuration.
Client Secret: Click Show Secret, copy the Client Secret, and enter it into OpenGovernance.
Domain: Enter your Auth0 domain (e.g., your-tenant.auth0.com).
Audience: Enter the API Identifier you set earlier (e.g., https://api.opengovernance.io).
Redirect URI: Ensure it matches the URI entered during Auth0 setup (e.g., https://demo.opengovernance.io/callback).
Click Save to complete the integration.

Step 1: Log in to your Okta account as an Administrator.

Step 2: In the left navigation, click on Applications, then select Applications from the dropdown.

Step 3: On the Applications page, click the Create App Integration button above the app list.

Step 4:

For Sign on method, select OIDC - OpenID Connect.
For Application type, select Web Application.
Click Next.

Step 5:

Application Name: Enter "OpenGovernance SSO".
Sign-in Redirect URIs: Enter the URI where OpenGovernance is configured to run (e.g., https://demo.opengovernance.io/callback).
Under Assignments, select and configure the best controlled access option to suit your needs.
Click Save.

Step 6:

Click Edit next to General Settings.
Enable Refresh Token.
Click Save. Note: This setting can be updated at any time.

Step 7:

At the top of the General tab, copy and save the Client ID and Client Secret for the Bread & Butter setup below.

Step 8:

Take note of your Okta account URL/Base URL (e.g., https://company1.okta.com/).
You can find this on the Sign On tab, as the Issuer field under OpenID Connect ID Token.

Step 9:

Go to Settings in the left menu.
Click on General OID.
Choose OpenID Connect for the protocol.
Enter a Name and an optional Description.
Using your Okta account URL/Base URL, enter the Login URL, Client ID, and Client Secret.
Click Save.

Step 10:

Add your users to the App. Note: This step can be skipped if you've enabled Federation Broker Mode.

General OIDC Configuration

OpenGovernance SSO works with any OIDC provider. Just ensure the email field is available for seamless integration and user management.

Client ID: Register a new application with your OIDC provider and obtain the Client ID.
Client Secret: Generate and securely store the Client Secret provided by your OIDC provider.
Issuer URL: Retrieve the Issuer URL from your OIDC provider’s configuration or metadata endpoint.
Redirect URI: Configure the Redirect URI in your OIDC provider to point to OpenGovernance's callback URL (e.g., https://demo.opengovernance.io/callback).
Scopes: Ensure necessary scopes such as openid, profile, and email are included for proper authentication.

PreviousDeploy to AWS NextProduction Hardening

Last updated 9 months ago