# SSO

PerfectScale authenticates users through Zitadel, an open-source identity management platform. To let people sign in with your organization's existing identity provider, connect that provider to Zitadel first: create a Zitadel identity provider for Okta (OIDC), integrate Zitadel with G Suite / Google Workspace (SAML), or add Azure AD as an OIDC provider. The sections below walk through each option.

## Creating a Zitadel identity provider for Okta <a href="#creating-a-zitadel-identity-provider-for-okta" id="creating-a-zitadel-identity-provider-for-okta"></a>

1. Log in to the **Zitadel Admin Console** and navigate to **Default Settings** → **Identity providers**.
2. Select **Generic OIDC**.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FYvnG7WTClZtYx6mwTpSG%2FGroup%201000001800%20(1).png?alt=media&#x26;token=e043f3ca-875a-483d-bea8-cbc41e38636c" alt=""><figcaption><p>Select Generic OIDC</p></figcaption></figure>
3. Log in to Okta:
   * Open the **Admin Console** and select **Security** from the side menu.
   * Go to **API** → **Authorization Servers**:
     * Copy the **Issuer URI** of the **default** authorization server.
     * Paste the copied value into the **Issuer** field of the Zitadel provider. Zitadel compares this value with the `issuer` advertised in the server's discovery document, so copy it exactly, without a trailing slash.
   * Open the **Trusted Origins** tab and click **+ Add Origin**:
     * Enter the Zitadel URL as the origin URL: [https://zitadel.dev.perfectscale.click](https://zitadel.dev.perfectscale.click/).
     * Enable both **CORS** and **Redirect** for the origin.
4. Return to the **Authorization Servers** tab and open the **default** server's settings by clicking its name.
5. Open the **Access Policies** tab:
   * Add a new access policy.
   * Add a rule to the policy that applies to all users.
   * Grant the rule access to **all** scopes.
6. From the Okta side menu, navigate to **Applications**:
   * Click **Create App Integration**.
   * Choose **OIDC - OpenID Connect** as the sign-in method.
   * Choose **Web Application** as the application type.
   * Click **Next**.
   * Add the Zitadel callback to the **Sign-in redirect URIs**: <https://zitadel.dev.perfectscale.click/ui/login/login/externalidp/callback>. Okta matches redirect URIs exactly, so the value must be identical to the one Zitadel uses.
   * Under **Assignments**, choose **Allow everyone in your organization to access** and save.
7. Open the details page of the application you just created (click the app in **Applications**).
8. Copy the **Client ID** and **Client secret** and paste them into the Zitadel provider page.

Once Okta is configured, users from your organization can sign up for and log in to your PerfectScale account through Okta.

## Integrating Zitadel with G Suite

1. Log in to the **Zitadel Admin Console** and navigate to **Default Settings** → **Identity providers**.
2. Select **SAML** from the **Add Provider** list.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2Fx4eHzOVgur59FS6H8xCQ%2FGroup%201000001800.png?alt=media&#x26;token=d5a01aac-f68d-4fe8-ae75-d1669239dadf" alt=""><figcaption><p>Select SAML</p></figcaption></figure>
3. In the Google Workspace Admin console, go to **Apps** → **Web and mobile apps** and select **Add custom SAML app** from the **Add app** drop-down list.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FH2Wz2zHImTdnkbys4KdJ%2FGroup%201000001801.png?alt=media&#x26;token=ddf9eef2-2fa0-4939-a064-06f92c91271d" alt=""><figcaption><p>Add custom SAML app</p></figcaption></figure>
4. Name the app, add a description, and click **Continue**.
5. Click **Download Metadata** to save the IdP metadata file Google generated for this app.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FIXHK64vz8of3PPAzs2ID%2FGroup%201000001802.png?alt=media&#x26;token=f0b5e27a-1e50-4501-a83f-dd54d159f13b" alt=""><figcaption><p>Download metadata</p></figcaption></figure>
6. Paste the content of the downloaded file into the **Metadata XML** field of the Zitadel provider and click **Continue**.
7. Zitadel now lists the service-provider values Google needs. Copy the **ZITADEL ACS Login Form** URL into the **ACS URL** field and the **ZITADEL Metadata** URL into the **Entity ID** field of the Google Workspace SAML app.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FtGSdx6jGx1LBhqjmq5o8%2FFrame%201000001432%20(1).png?alt=media&#x26;token=18bc876c-65e2-48a1-9bcb-33ef37e2ed06" alt=""><figcaption><p>Configure SAML</p></figcaption></figure>
8. Click **Continue** and **Finish**.
9. In Google Workspace, open the app's **User access** settings and turn it on for the users or organizational units that should be able to sign in.<br>

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FYFyBP3nhfGMEEeaOFkmu%2FFrame%201000001433%20(1).png?alt=media&#x26;token=e0c9162a-3620-44c0-a2b9-04f90c69bb4f" alt=""><figcaption><p>Activate the app in G Suite</p></figcaption></figure>
10. Back in Zitadel, click **Activate** on the identity provider and then **Save**.<br>

    <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FUC2LXgdZajrvcNMw1gPg%2FFrame%201000001434.png?alt=media&#x26;token=8215ce6c-a42f-4059-8ece-eaaaf9f6f903" alt=""><figcaption><p>Activate in Zitadel</p></figcaption></figure>

## Integrating Zitadel with Azure

1. **Register Azure AD App**
   * Log in to the [Azure Portal](https://portal.azure.com/) and navigate to **Azure Active Directory** (now **Microsoft Entra ID**) → **App registrations** → **New registration**.
   * Name the application: `Zitadel-OIDC`
   * Configure the redirect URI with the following parameters:
     * Platform: `Web`
     * URI: `https://DOMAIN/oidc/v1/callback`, replacing `DOMAIN` with the host of your ZITADEL deployment
   * Click **Register**.

<figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FIvfzNWcnwTxkGvL2t91Z%2FGroup%201000001826.png?alt=media&#x26;token=fb1cb529-e360-48a7-8975-07e91ebaaf73" alt=""><figcaption><p><strong>Azure AD application registration</strong></p></figcaption></figure>

2. **Configure application settings**

   * Go to **Manage** → **Authentication**:
     * Add your ZITADEL redirect URL if it is not already included.
     * Under **Implicit grant and hybrid flows**, check **ID tokens**.
     * Add the **Web** redirect URI `https://DOMAIN/ui/login/login/externalidp/callback` (for the instance used on this page: [https://zitadel.dev.perfectscale.click/ui/login/login/externalidp/callback](https://zitadel.dev.perfectscale.click/ui/login/login/externalidp/callback)).

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FhOA4kvNgILPGX78mDUse%2FFrame%201000001440.png?alt=media&#x26;token=817cb1a9-b29e-492d-96fd-f22c3b2206a3" alt=""><figcaption><p>Application settings configuration</p></figcaption></figure>

   * In **API permissions**, make sure the delegated permissions `openid`, `profile`, and `email` are present. If they are not, click **Add a permission** → **Microsoft Graph** → **Delegated permissions** and add them.

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FCjH4qKF9vaeVJKSWHryk%2FFrame%201000001441.png?alt=media&#x26;token=54b981fe-5311-4514-9587-86f6f64c1595" alt=""><figcaption><p>API permissions</p></figcaption></figure>

   * In **Certificates & secrets**, add a new **Client secret** and copy its value immediately; it is displayed only once, and it expires on the date you select, so record the expiry and plan the rotation.
3. **Configure token**\
   To let ZITADEL read the user's profile attributes from the ID token, configure which optional claims Azure AD returns.

   * In **Token configuration**, click **+ Add optional claim** and select the **ID** token type.
   * Check `email`, `family_name`, `given_name` and `preferred_username`, then click **Add**.

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2F0OTdIgAq2QSgg7hU4XtP%2FFrame%201000001442.png?alt=media&#x26;token=846d3393-b0cc-44bc-91c6-9a8d2565a9fa" alt=""><figcaption><p>Token configuration</p></figcaption></figure>
4. **Get Azure AD OIDC details**

   * **Issuer/Discovery URL**: `https://login.microsoftonline.com/<tenant-id>/v2.0`, using your own tenant ID rather than `common`, so that the issuer ZITADEL validates is tenant-specific.
   * **Client ID**: the **Application (client) ID** of the registered application.
   * **Client Secret**: the value copied in **step 2** above.
   * **Scopes**: `openid`, `email`, `profile`

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2F69JzQKxRC8kSkCtE6Oa0%2FGroup%201000001841.png?alt=media&#x26;token=b830edf9-ab1f-4e36-bbb5-36a2cf78b259" alt=""><figcaption></figcaption></figure>
5. **Add Azure AD as OIDC Provider in ZITADEL**

   * In the ZITADEL Console (logged in as an admin), navigate to **Organization** → **Login Behavior and Security** and make sure **External IDP allowed** is checked.

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2F9UnTpFFvGPeysQ8pblv5%2FFrame%201000001444.png?alt=media&#x26;token=d7973926-8f2c-4044-8f21-0835cf4ecd3d" alt=""><figcaption><p>Login form customization</p></figcaption></figure>

   * Go to **Organization** → **Login and Access** → **Identity Providers**.
   * Click **Add Identity Provider**, choose **Microsoft**, and fill in the configuration:

     * **Name**: `AzureAD`
     * **Client ID**: from Azure AD
     * **Client Secret**: from Azure AD

     <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2F3rTzSqo33YA9Ac6dcuO7%2FGroup%201000001842.png?alt=media&#x26;token=84548fd3-a040-4a14-9354-ad847362315e" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
If no email server is configured in Zitadel, or you do not need Zitadel to re-verify addresses that Azure AD has already verified, check the **Email verified** box. This makes Zitadel trust the `email` claim from the identity provider without any further proof, so enable it only for providers your organization controls.
{% endhint %}

<figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FVQQgA8OQa0XYTbTdZdgy%2Fimage.png?alt=media&#x26;token=eb5d9c60-658c-4d15-a9db-8fd134a89bdb" alt=""><figcaption><p>Identity provider configuration</p></figcaption></figure>

6. **Activate the Identity Provider for login**

   * Once the identity provider is saved, open it and click **Activate**.

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2FjSImVhwM5SAe2bPfS3B8%2Fimage.png?alt=media&#x26;token=cbd1fa55-eaa2-4210-bb20-74005a4fd6c4" alt=""><figcaption><p>IdP activation</p></figcaption></figure>

   * Test the login flow with **AzureAD** from the Zitadel login page before rolling it out to users.

   <figure><img src="https://3591580169-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FzCh9aABpk7yLeToPr6vk%2Fuploads%2Foc1XrHDBAV1U0LY0mszm%2Fimage.png?alt=media&#x26;token=e97d7178-3b84-4d3f-b925-8dfe040a9dbd" alt=""><figcaption><p>AzureAD test</p></figcaption></figure>

{% embed url="<https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc>" %}
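The Okta and Azure AD registrations above share the same failure modes: an issuer that does not match the provider's discovery document byte for byte, a redirect URI that is not registered verbatim, and a missing scope. The following Python script is an added example, not code from PerfectScale, Zitadel, Okta or Microsoft: it encodes those checks so you can run them against your own values before saving the provider in Zitadel. The discovery documents in it are constructed and abbreviated, and the Okta domain and Azure tenant ID are placeholders; the Zitadel host and callback path are the ones this page uses.

```python
"""Added example, not code from the PerfectScale or Zitadel docs: offline sanity
checks for an OIDC identity-provider registration such as the Okta and Azure AD
ones configured above. The discovery documents below are constructed and
abbreviated; the Okta domain and Azure tenant ID are placeholders."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Zitadel instance named on this page and the callback that Okta/Azure must allow.
ZITADEL_BASE = "https://zitadel.dev.perfectscale.click"
ZITADEL_IDP_CALLBACK = f"{ZITADEL_BASE}/ui/login/login/externalidp/callback"

# Scopes Zitadel needs to build the user from the ID token (openid, profile, email).
REQUIRED_SCOPES = {"openid", "profile", "email"}


@dataclass
class IdpRegistration:
    name: str
    configured_issuer: str          # value pasted into Zitadel's "Issuer" field
    discovery: dict                 # provider's /.well-known/openid-configuration
    app_redirect_uris: list         # redirect URIs registered on the Okta/Azure app
    app_scopes: set = field(default_factory=set)


def check_registration(reg: IdpRegistration) -> list:
    """Return the problems found; an empty list means the registration is consistent."""
    problems = []
    issuer = reg.discovery.get("issuer")

    # OIDC Discovery requires the advertised issuer to equal the configured one
    # exactly. A trailing slash, or the templated {tenantid} that Azure's shared
    # 'common' endpoint advertises, must fail here; otherwise tokens minted by a
    # different issuer could be accepted (IdP mix-up).
    if issuer != reg.configured_issuer:
        problems.append(f"issuer mismatch: configured {reg.configured_issuer!r}, "
                        f"provider advertises {issuer!r}")
    if urlsplit(reg.configured_issuer).scheme != "https":
        problems.append("issuer must use https")
    if not reg.discovery.get("jwks_uri"):
        problems.append("no jwks_uri in discovery document; ID tokens cannot be verified")
    if "code" not in reg.discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")

    # Providers match redirect URIs by exact string comparison, so the Zitadel
    # callback must be registered verbatim, and nothing outside the Zitadel host
    # should share the same client registration.
    if ZITADEL_IDP_CALLBACK not in reg.app_redirect_uris:
        problems.append(f"Zitadel callback {ZITADEL_IDP_CALLBACK} is not registered")
    zitadel_host = urlsplit(ZITADEL_BASE).netloc
    for uri in reg.app_redirect_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.netloc != zitadel_host:
            problems.append(f"unexpected redirect URI on the app: {uri}")

    missing = REQUIRED_SCOPES - reg.app_scopes
    if missing:
        problems.append(f"scopes not granted to the app: {sorted(missing)}")
    return problems


def okta_discovery(okta_domain: str) -> dict:
    """Constructed, abbreviated discovery document for Okta's default authorization server."""
    issuer = f"https://{okta_domain}/oauth2/default"
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/v1/authorize",
        "token_endpoint": f"{issuer}/v1/token",
        "jwks_uri": f"{issuer}/v1/keys",
        "response_types_supported": ["code", "id_token", "code id_token"],
    }


def azure_discovery(tenant: str) -> dict:
    """Constructed, abbreviated discovery document for Azure AD v2.0. The shared
    'common'/'organizations' endpoints advertise a templated issuer, which is why
    the page tells you to use your own tenant ID."""
    base = f"https://login.microsoftonline.com/{tenant}"
    issuer = f"{base}/v2.0"
    if tenant in ("common", "organizations"):
        issuer = "https://login.microsoftonline.com/{tenantid}/v2.0"
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{base}/oauth2/v2.0/authorize",
        "token_endpoint": f"{base}/oauth2/v2.0/token",
        "jwks_uri": f"{base}/discovery/v2.0/keys",
        "response_types_supported": ["code", "id_token", "code id_token"],
    }


# Placeholder Okta org; exact callback and all three scopes: expected to pass.
GOOD_OKTA = IdpRegistration(
    name="Okta",
    configured_issuer="https://dev-000000.okta.com/oauth2/default",
    discovery=okta_discovery("dev-000000.okta.com"),
    app_redirect_uris=[ZITADEL_IDP_CALLBACK],
    app_scopes={"openid", "profile", "email"},
)

# Common Azure mistakes in one registration: 'common' instead of the tenant ID,
# a leftover http://localhost redirect URI, and no email scope.
BAD_AZURE = IdpRegistration(
    name="AzureAD-misconfigured",
    configured_issuer="https://login.microsoftonline.com/common/v2.0",
    discovery=azure_discovery("common"),
    app_redirect_uris=[ZITADEL_IDP_CALLBACK, "http://localhost:8080/callback"],
    app_scopes={"openid", "profile"},
)

if __name__ == "__main__":
    for reg in (GOOD_OKTA, BAD_AZURE):
        print(reg.name, check_registration(reg) or "OK")
```

To use it against a live provider, replace the constructed dictionaries with the JSON fetched from `<issuer>/.well-known/openid-configuration` and the redirect URIs and scopes as they appear in the Okta or Azure application; `BAD_AZURE` shows the three findings such a run should never produce.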

