
Setting up SSO with OpenID Connect

The Single Sign On (SSO) feature allows multiple people at your company to securely log into and administer your Managed Nebula network, using your OpenID Connect (OIDC) identity provider. This means that there is no separate password for them to manage, and onboarding/offboarding employees is a snap. You can also limit the group of people who have access to Defined Networking directly in your identity provider. This guide will walk through the process of setting up SSO in Managed Nebula.

Requirements

To use the SSO feature of Defined Networking you will need:

  • The ability to create a new application in your OIDC Identity Provider (IDP)
  • A Defined Networking account

Caveats

While administrators authenticating with SSO are able to perform most actions, they are unable to modify the account’s SSO configuration. For this, you will need to log in with a magic link and TOTP authenticator as you do today.

Configuration

Ready to set up SSO on your account? Let’s get started!

First, log in to your Defined Networking account and navigate to the Single Sign-On page.

Next, log in to your identity provider and create a new OIDC application. Begin configuration by copying the Sign-in Redirect URL from the Single Sign-On page of the Defined Networking admin panel to your identity provider. If asked to specify a grant type, choose “Authorization Code.” You may also need to explicitly allow the “email” OIDC scope. The screenshot below is an example of what this might look like within your IDP, though each provider will differ.

Form showing our callback inputted into a field named "Sign-in Redirect URLs"

Once your application is created you’ll need to find three pieces of information from within your identity provider and copy them into the configuration page of your Defined Networking admin panel: Client ID, Client Secret, and the Issuer URL.

Form for creating a new SSO integration that requires a Client ID, a Client Secret, and an Issuer URL

Now click “Save” and if everything was entered correctly you will see your new OIDC provider enabled and ready to accept logins!

Saved SSO integration that shows a sign-on URL and details for a configured identity provider

To verify your setup, find the Sign-on URL listed at the top of the page, paste it into your browser and complete the sign-in. After landing back in your Defined Networking account you will be able to see the authentication in your logs, just like any other authentication!

Audit logs that read "john@johnmaguire.me successfully authenticated using SSO"
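
If the save is rejected or the test sign-in fails, the IdP's OIDC discovery document is a quick way to check the Issuer URL, the Authorization Code grant and the “email” scope mentioned above. The following is an added example, not Defined Networking's code or its validation logic; the function names and the sample issuer https://idp.example.com/oauth2/default are constructed for illustration.

```python
import json
import urllib.request


def fetch_metadata(issuer, timeout=10):
    # OIDC Discovery path under the issuer. Network call; the sample below is offline.
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_metadata(issuer, meta):
    """Return a list of problems; an empty list means the IdP looks compatible."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    # Metadata issuer must equal the pasted value exactly (watch trailing slashes).
    if meta.get("issuer") != issuer:
        problems.append(f"issuer mismatch: metadata says {meta.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(meta.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response type 'code' not advertised")
    # grant_types_supported is optional; its spec default includes authorization_code.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("Authorization Code grant not advertised")
    # scopes_supported is optional too: flag only when present and incomplete.
    scopes = meta.get("scopes_supported")
    for scope in ("openid", "email"):
        if scopes is not None and scope not in scopes:
            problems.append(f"scope {scope!r} not advertised")
    return problems


# Constructed sample metadata for a hypothetical IdP (not a real tenant).
SAMPLE_ISSUER = "https://idp.example.com/oauth2/default"
SAMPLE_META = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile"],
}

if __name__ == "__main__":
    print(check_metadata(SAMPLE_ISSUER, SAMPLE_META) or "ok")
```

To check a real provider, pass the Issuer URL exactly as you pasted it into the admin panel: `check_metadata(issuer, fetch_metadata(issuer))`.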

Congratulations on configuring SSO for your Managed Nebula network!