
OIDC Configuration

With OIDC based SSO configured, all users invited to SafeStack can sign in using their company’s OIDC backed identity. This document describes how to set up your identity provider’s OIDC capabilities to authenticate your users on SafeStack.

Users will need to be invited to your SafeStack organisation before they can sign in using OIDC. SCIM support for automatically managing your organisation’s users through your identity system is not yet available.


Azure AD

If you use Azure AD as your identity provider, you can use its OIDC capabilities to enable SSO with SafeStack, using the OpenID Connect Client-Initiated Backchannel Authentication Flow.

You will need to set up an App Registration for the relevant Azure Active Directory tenant. The following instructions must be performed in Azure; the SafeStack team can provide assistance if needed. The instructions below are a simplified version of the official Auth0 documentation.


Step 1: Registering an application

For detailed information, check out the Official Microsoft documentation on registering an app.

  1. Sign in to the Azure Portal
  2. If you have access to multiple tenants, choose the desired tenant from the Directories + subscriptions filter
  3. Navigate to the Azure Active Directory service
  4. Note down the Tenant ID that is shown in the basic information
  5. Navigate to the Manage > App Registrations screen
  6. Click + New registration to begin the process of integrating Auth0
  7. Choose a relevant display name (e.g. SafeStack Auth0 Integration), and specify which ADs have access
  8. Set two redirect URIs, for platform type Web:
    1. https://learn-safestack-io.au.auth0.com/login/callback
    2. https://auth.learn.safestack.io/login/callback
  9. Click Register, then note down the Application (client) ID that is generated

Step 2: Generate a client secret

For detailed information, check out the Official Microsoft documentation on generating client secrets.

  1. After registering an application in Azure AD, navigate to Manage > Certificates & secrets
  2. Click + New client secret
  3. Enter a relevant description and choose a preferred expiration time (max of 12 months recommended)
  4. Click Add, then note down the secret's value that is generated

Important!

The secret's value will never show again after this initial setup.


Step 3: Validate permissions

For detailed information, check out the Official Microsoft documentation on adding permissions.

  1. After generating a client secret in Azure AD, navigate to Manage > API permissions
  2. Make sure that Microsoft Graph > User.Read is listed under API / Permissions name, with Type set to Delegated

Step 4: Get in touch with us

Get in touch with us with the following information that you would have noted down from previous steps:

  • Your tenant ID (or your Issuer URL that ends in .well-known/openid-configuration)
  • Application (client) ID
  • Client Secret
  • Whether your application in Azure AD is set up as a single-tenant or a multi-tenant application
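Before sending the values above, it is worth checking them against the tenant’s own OIDC discovery document and against the two redirect URIs required in Step 1. The script below is an added example (not SafeStack’s or Auth0’s code): it derives the Issuer URL from a tenant ID, checks that a discovery document’s issuer is scoped to that tenant and that its endpoints are HTTPS, and compares the redirect URIs you registered with the required set. The discovery document and tenant ID it runs against are constructed placeholders; the optional `fetch_discovery` helper retrieves the real document if you have network access, and the issuer check assumes a single-tenant registration.

```python
"""Sanity-check Azure AD app registration values before handing them to SafeStack.

Added example, not SafeStack's or Auth0's code. SAMPLE_TENANT_ID and
SAMPLE_DISCOVERY are constructed placeholders shaped like Azure AD v2.0 metadata.
"""
import json
import re
import urllib.request
from urllib.parse import urlparse

# Redirect URIs that Step 1 of the guide requires on the app registration.
REQUIRED_REDIRECT_URIS = {
    "https://learn-safestack-io.au.auth0.com/login/callback",
    "https://auth.learn.safestack.io/login/callback",
}

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def discovery_url(tenant_id: str) -> str:
    """Return the tenant's Issuer URL ending in .well-known/openid-configuration."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenant ID is not a GUID: {tenant_id!r}")
    return (
        f"https://login.microsoftonline.com/{tenant_id}"
        "/v2.0/.well-known/openid-configuration"
    )


def fetch_discovery(tenant_id: str) -> dict:
    """Download the live discovery document (needs network; not used in tests)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=10) as resp:
        return json.load(resp)


def check_discovery_document(doc: dict, tenant_id: str) -> list:
    """Return a list of problems found in the discovery document (empty means OK).

    The key check is that `issuer` is scoped to *your* tenant (single-tenant
    registration assumed); accepting tokens from any issuer is the classic
    multi-tenant mistake on the relying-party side.
    """
    problems = []
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    return problems


def check_redirect_uris(configured: list) -> dict:
    """Compare the registration's redirect URIs with the required set.

    Azure AD matches redirect URIs exactly (scheme, host, path), so this is a
    plain set comparison rather than a prefix match.
    """
    configured_set = set(configured)
    return {
        "missing": REQUIRED_REDIRECT_URIS - configured_set,
        "extra": configured_set - REQUIRED_REDIRECT_URIS,
    }


# Constructed sample values (placeholders, not a real tenant).
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    print("Issuer URL:", discovery_url(SAMPLE_TENANT_ID))
    print("Discovery problems:", check_discovery_document(SAMPLE_DISCOVERY, SAMPLE_TENANT_ID))
    print("Redirect URI diff:", check_redirect_uris(sorted(REQUIRED_REDIRECT_URIS)))
```

Run it with your real tenant ID (and `fetch_discovery` in place of the sample document) to confirm the Issuer URL you send SafeStack resolves to metadata for the tenant you expect; a non-empty `missing` set from `check_redirect_uris` means the callback will be rejected at sign-in.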

Because this information is sensitive, we recommend that you use your organization’s preferred way of sharing secrets with third parties or vendors. This could include using a service like OneTimeSecret or the secret sharing functionality offered by your password manager.

Please share this information with sso@safestack.io and we’ll handle the rest!