SSO Configuration

A user with administrative privileges on Robust Intelligence can configure single sign-on (SSO) to integrate with an external identity provider. Robust Intelligence supports the OpenID Connect (OIDC) authentication protocol.

Note the following limitations on SSO users:

  • You cannot perform administrative operations while logged as an SSO user. Use a Robust Intelligence administrator account, instead.

  • SSO users must log in at least once before you can assign them membership in a workspace.

Configuring SSO

  1. Sign in with a user account that has administrative privileges.

  2. In the Workspaces page, click the Settings icon in the lower left.

  3. In the Organization Settings page, click SSO Configuration.

  4. In the SSO Configuration pane, type the Client ID OIDC.

  5. Type the Client Secret for OIDC.

  6. In Issuer URL, type the URL of the OIDC issuer.

  7. Click Save.

After completing these steps, your Robust Intelligence instance is configured to use SSO authentication.

Identity Provider Setup

Robust Intelligence supports all OIDC providers. For convenience, the following sections provide specific instructions for individual providers.

  • Callback URL: https://rime.{domain}/v1/auth/oidc/callback

    • When this URL is not valid, attempting to log in results in a 403 Forbidden HTTP status code.

  • Signout URL: https://rime.{domain}/sign-out.

Azure Active Directory

Register a new application with a Web platform configuration using the callback and signout URLs above.

The Issuer URL for Robust Intelligence takes the form https://login.microsoftonline.com/{tenant}/v2.0.

For more information, see the Azure AD documentation.

Okta

Create a new App Integration using the OIDC - OpenID Connect sign-in method and Web Application type.

When configuring the web app integration, select the Implicit (hybrid) grant type, and then use the callback and signout URLs described above.

Be sure to select your Okta URL (https://{organization}.okta.com) as the Issuer URL.

After completing the setup, retrieve the Issuer URL, Client ID, and Client Secret from the application overview page.

For more information, see the Okta documentation.

AWS Cognito (User Pools)

Create a new Cognito User Pool for the application. Configure settings as desired, but be sure to enable the Cognito Hosted UI.

Create an initial app client using the callback URL from above, and generate a client secret. Under Advanced app client settings, select the following settings:

  • Under “OAuth 2.0 grant types”, select Authorization code grant.

  • Under “OpenID Connect scopes”, select Email, OpenID, and Profile.

After creating the user pool, retrieve the Client ID and Client secret from the App client overview page in the AWS Cognito console.

The Issuer URL for Robust Intelligence takes the form https://cognito-idp.{region}.amazonaws.com/{user-pool-id} (reference).

For more information, see the AWS Cognito documentation.