RealTheory supports user login through Single Sign-On (SSO) for the following identity providers that support OAuth 2.0 with OpenID Connect (OIDC):
- Okta
- Microsoft Entra
- Google Identity Platform (IDP)
Prerequisites
To set up SSO, you must have the following:
- An SSO identity provider that supports OAuth 2.0 with OpenID Connect (OIDC). For more information, see:
  Okta: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
  Microsoft Entra: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
  Google Identity Platform (IDP): https://cloud.google.com/identity-platform/docs/web/oidc
- A RealTheory integration with your selected SSO identity provider, set up as an OIDC Web App with the Authorization Code grant type. The OAuth Callback URL can be found in Settings > Identity in the RealTheory console.
  Okta example: see https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#set-up-your-app, where Proof Key for Code Exchange (PKCE) must not be enabled.
- Either the sys_admin role or the sso_admin role assigned to your user account
- Certain information about your identity provider, such as your client ID and secret, the authorization URL, and the access token URL
Procedure
1. Navigate to Settings > Identity.
2. Complete the following information:

   | Field | Description | Required |
   | --- | --- | --- |
   | Name | Name for your SSO - OAuth 2.0 profile | Yes |
   | Description | Comments that will help you remember the purpose and scope of the configuration | No |
   | OAuth Authorize URL | The identity provider endpoint where users initiate the authorization process | Yes |
   | OAuth Access Token URL | The identity provider endpoint where RealTheory sends a request to exchange the authorization code for an access token | Yes |
   | Client ID | Client ID issued by your identity provider | Yes |
   | Client Secret | Client secret associated with your client ID | Yes |

3. Currently, the only supported Grant Type is authorization_code; this value should be selected by default.
4. In Scope, select the appropriate options based on the identity provider you are using:

   | Identity Provider | Select |
   | --- | --- |
   | Okta | openid (selected by default) |
   | Microsoft Entra | openid (selected by default) |
   | Google Identity Platform (IDP) | openid (selected by default) and email |

5. In Default Group Membership, click Add to select which group(s) new users must be added to by default.
   Note: This group assignment is a default assignment; manage each user's group assignment(s) in Settings > Team > Groups or through your identity provider in the More Options section (see Step 6).
6. (Optional) To assign users to groups and/or roles automatically based on values from your identity provider, expand the More Options section.
7. (Optional) In Process Group Claims, complete the following information:

   | Field | Description |
   | --- | --- |
   | Process Group Claims | Enables processing of group claims from your identity provider to manage user group assignments |
   | Group Claim Name | The name of the group claim in your identity provider token, e.g., groups |
   | OIDC Admin Group Name | The name of the admin group claim in your identity provider token, e.g., admins |
   | Create groups from group claims | When enabled, automatically creates RealTheory groups that match the values in the group claim |
   | Create group memberships from group claims | When enabled, automatically assigns users to groups in RealTheory that match the group claim values |

   Note: You must select at least one of Create groups from group claims or Create group memberships from group claims.
8. (Optional) In Process Role Claims, complete the following information:

   | Field | Description |
   | --- | --- |
   | Process Role Claims | Enables processing of role claims from your identity provider to manage user role assignments |
   | Role Claim Name | The name of the role claim in your identity provider token, e.g., roles |
   | Create role assignments from role claims | When enabled, users are assigned roles in RealTheory based on the values returned in the role claim |

9. Verify the provided information and then click Configure SSO - Provider.
Users can now use SSO to sign in to RealTheory.
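The following is an added example, not RealTheory code, that models how the Default Group Membership, Process Group Claims and Process Role Claims settings from Steps 5, 7 and 8 could combine to turn one ID token's claims into group and role assignments. The field names mirror the console; the resolution logic, the claim values and the sample token claims are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SAMPLE_CLAIMS = {"sub": "user-1", "groups": ["admins", "platform"], "roles": "editor"}  # constructed, not a real token

@dataclass
class ClaimsConfig:
    default_groups: list = field(default_factory=list)  # Default Group Membership
    process_group_claims: bool = False
    group_claim_name: str = "groups"        # Group Claim Name
    admin_group_name: str = "admins"        # OIDC Admin Group Name
    create_groups: bool = False             # Create groups from group claims
    create_memberships: bool = False        # Create group memberships from group claims
    process_role_claims: bool = False
    role_claim_name: str = "roles"          # Role Claim Name
    create_role_assignments: bool = False   # Create role assignments from role claims

    def validate(self):
        # The console requires at least one "Create ..." option once group processing is on.
        if self.process_group_claims and not (self.create_groups or self.create_memberships):
            raise ValueError("select Create groups and/or Create group memberships")

def _as_list(value):
    # Some providers emit a one-value claim as a bare string rather than an array.
    return [value] if isinstance(value, str) else list(value or [])

def resolve_assignments(cfg, claims, existing_groups):
    """Return (groups_to_create, user_groups, user_roles, is_admin) for one sign-in.
    `claims` are assumed to come from an ID token whose signature, issuer, audience
    and expiry were already verified; this function does not re-check that."""
    cfg.validate()
    user_groups = list(cfg.default_groups)  # defaults apply even when claims are not processed
    to_create, is_admin = [], False
    if cfg.process_group_claims:
        claimed = _as_list(claims.get(cfg.group_claim_name))
        is_admin = cfg.admin_group_name in claimed
        for g in claimed:
            if cfg.create_groups and g not in existing_groups and g not in to_create:
                to_create.append(g)
            # Membership only for groups that exist or are being created in this sign-in.
            if cfg.create_memberships and (g in existing_groups or cfg.create_groups) and g not in user_groups:
                user_groups.append(g)
    roles = []
    if cfg.process_role_claims and cfg.create_role_assignments:
        roles = _as_list(claims.get(cfg.role_claim_name))
    return to_create, user_groups, roles, is_admin

if __name__ == "__main__":
    cfg = ClaimsConfig(["viewers"], True, "groups", "admins", True, True, True, "roles", True)
    print(resolve_assignments(cfg, SAMPLE_CLAIMS, {"viewers", "platform"}))
```

Toggling create_groups shows the difference between the two options: with it off, a claimed group that does not yet exist in RealTheory is ignored rather than created.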