Setting up SSO with OpenID Connect
The Single Sign On (SSO) feature allows multiple people at your company to securely log into and administer your Managed Nebula network, using your OpenID Connect (OIDC) identity provider. This means that there is no separate password for them to manage, and onboarding/offboarding employees is a snap. You can also limit the group of people who have access to Defined Networking directly in your identity provider. This guide will walk through the process of setting up SSO in Managed Nebula.
Requirements
To use the SSO feature of Defined Networking you will need:
- The ability to create a new application in your OIDC Identity Provider (IDP)
- A Defined Networking account
Caveats
While administrators authenticating with SSO are able to perform most actions, they are unable to modify the account’s SSO configuration. For this, you will need to log in with a magic link and TOTP authenticator as you do today.
Configuration
Ready to set up SSO on your account? Let’s get started!
First, log in to your Defined Networking account and navigate to the Single Sign-On page.
Next, log in to your identity provider and create a new OIDC application. Begin configuration by copying the Sign-in Redirect URL from the Single Sign-On page of the Defined Networking admin panel to your identity provider. If asked to specify a grant type, choose “Authorization Code.” You may also need to explicitly allow the “email” OIDC scope. The screenshot below is an example of what this might look like within your IDP, though each provider will differ.
Once your application is created you’ll need to find three pieces of information from within your identity provider and copy them into the configuration page of your Defined Networking admin panel: Client ID, Client Secret, and the Issuer URL.
Now click “Save” and if everything was entered correctly you will see your new OIDC provider enabled and ready to accept logins!
To verify your setup, find the Sign-on URL listed at the top of the page, paste it into your browser and complete the sign-in. After landing back in your Defined Networking account you will be able to see the authentication in your logs, just like any other authentication!
Congratulations on configuring SSO for your Managed Nebula network!
Identity provider-specific instructions
Google Workspaces
Setting up OIDC for Google Workspaces is not intuitive and runs the risk of accidentally opening your Defined Networking account to anyone with a Google email address, so we will address it here in detail.
- Create a new project in your Google Developers Console, after logging in as an administrator.
- Open the Credentials page in the Google API Console and choose the project you just created in the upper left corner (if not already selected).
- Click the "Configure consent screen" button, then "Get started".
  - Enter any app name you like, for instance, "Defined Networking SSO". You may also need to provide an email address for your SSO users to contact if they have trouble logging in.
  - IMPORTANT: Choose "Internal" as the audience, which will limit login to only those users in your organization.
  - Finish setting up the consent screen and save.
- Return to the Credentials page, click the "+ Create Credentials" button, and choose "OAuth client ID" from the dropdown.
- Pick "Web application" and give it a name like "Defined Networking Admin".
- Underneath "Authorized redirect URIs", click the "+ Add URI" button and enter https://admin.defined.net/auth/oidc-callback
- Click the "Create" button.
- You will be shown a Client ID and a Client secret. These should be entered in their respective fields in the SSO setup page of the Managed Nebula admin panel, along with the Issuer URL of https://accounts.google.com.
- Finally, save the Managed Nebula SSO configuration. You should now be able to log in to the admin panel using the organization-specific Sign-on URL shown on the page. Visit that link in a private browser window to test it out.
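To make the general configuration steps above and the Google-specific audience setting concrete, here is an added example (not code from Defined Networking or this guide) of what a relying party does with the Client ID, Issuer URL and Sign-in Redirect URL during an Authorization Code login, and which ID token claims it checks before accepting the user. The authorization endpoint, the placeholder client ID and the optional hosted-domain (`hd`) check are assumptions for illustration; signature verification is left out.

```python
"""Added example, not Defined Networking's code: a minimal relying-party view of
the OIDC Authorization Code login configured in this guide. All values below
are constructed placeholders so the example runs offline."""
import time
from typing import List, Optional
from urllib.parse import urlencode

ISSUER = "https://accounts.google.com"                          # Issuer URL from the guide
CLIENT_ID = "PLACEHOLDER-client-id.apps.googleusercontent.com"  # placeholder, not a real ID
REDIRECT_URI = "https://admin.defined.net/auth/oidc-callback"  # Sign-in Redirect URL from the guide
# Normally read from ISSUER + "/.well-known/openid-configuration"; hard-coded here (assumed value).
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

def build_auth_request(state: str, nonce: str) -> str:
    """Build the Authorization Code request. redirect_uri must exactly match the URI
    registered in the IDP; 'openid email' is the scope the guide says to allow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,   # CSRF protection for the callback
        "nonce": nonce,   # ties the returned ID token to this login attempt
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"

def validate_id_token_claims(claims: dict, nonce: str, now: Optional[float] = None,
                             allowed_hd: Optional[str] = None) -> List[str]:
    """Return the failed checks for a decoded ID token payload (empty list = OK).
    Signature verification against the issuer's JWKS must happen before this.
    allowed_hd is an assumed extra check on Google's 'hd' (hosted domain) claim,
    the relying-party-side counterpart of choosing an 'Internal' audience."""
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != ISSUER:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud mismatch")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if not claims.get("email") or claims.get("email_verified") is not True:
        problems.append("email missing or unverified")
    if allowed_hd is not None and claims.get("hd") != allowed_hd:
        problems.append("hosted domain mismatch")
    return problems
```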
As always, feel free to contact us if you have any difficulty or questions.