SSO
A step-by-step guide for creating an OKTA Identity Provider in Zitadel to enable SSO integration with PerfectScale
PerfectScale enables user access through Zitadel, an open-source identity management platform. To start using Zitadel with PerfectScale, you first need to create a Zitadel identity provider for OKTA, or integrate Zitadel with G Suite or Azure AD, as described below.
Creating a Zitadel identity provider for OKTA
Log in to the Zitadel Admin Console and navigate to Default Settings → Identity providers.
Select Generic OIDC.
Log in to Okta:
Access the Admin Console and select Security from the side menu.
Go to API:
Copy the Issuer URI for the default auth server.
Use the copied value in Zitadel as the Issuer.
Navigate to the Trusted Origins tab and click the + Add Origin button:
Paste the Zitadel URL as the origin URL: https://zitadel.dev.perfectscale.click.
Allow CORS and Redirect for this origin.
Return to the Authorization servers tab and open the default server settings by clicking the server name.
Navigate to the Access Policies tab:
Add a new Access policy.
Create a policy that applies to all users.
Add a rule to the policy that grants all scopes.
From the Okta side menu, navigate to Applications:
Create a new app integration.
Choose OIDC (OpenID Connect).
Choose Web Application.
Click Next.
Add the Zitadel redirect URI to the sign-in redirect URIs: https://zitadel.dev.perfectscale.click/ui/login/login/externalidp/callback
Choose to allow everyone in your organization to access the app, and save.
Open the newly created application's details page (click the app in Applications).
Copy the Client ID and Client Secret and paste the credentials into the Zitadel provider page.
Once OKTA is configured, users from your organization can sign up and log in to your PerfectScale account.
Integrating Zitadel with G Suite
Log in to the Zitadel Admin Console and navigate to Default Settings → Identity providers.
Select SAML from the Add Provider list.
Open the Google Workspace admin console and select Add custom SAML app from the Add app drop-down list.
Name the app, enter a description, and click Continue.
Click Download Metadata, paste the downloaded file's content into the Zitadel Metadata XML field, and click Continue.
Copy the Zitadel ACS Login Form URL and the Zitadel Metadata URL from the list Zitadel provides, and enter them as the ACS URL and Entity ID, respectively, in the G Suite admin console.
Click Continue and then Finish.
Activate the application in G Suite for your users.
Click Activate and Save in Zitadel.
Integrating Zitadel with Azure
Register Azure AD App
Log in to the Azure Portal and navigate to Azure Active Directory -> App registrations -> New registration.
Name the application: Zitadel-OIDC
Configure the redirect URI with the following parameters:
Type: Web
URI: https://DOMAIN/oidc/v1/callback (adjust DOMAIN based on your ZITADEL deployment)
Click Register.

Configure application settings
Go to Manage -> Authentication.
Add your ZITADEL redirect URL if it is not already included.
Check the box for ID tokens.
Add the Web redirect URL: https://DOMAIN/ui/login/login/externalidp/callback.
In API permissions, ensure that openid, profile, and email are included. If not, add them under Microsoft Graph -> Delegated permissions.
In Certificates & Secrets, add a new Client Secret and copy its value; it is shown only once.
Configure token
To enable ZITADEL to obtain information about the authenticating user, you need to configure which optional claims should be returned in the token.
In Token configuration, click the + Add optional claim button and check the boxes for email, family_name, given_name and preferred_username.
Get Azure AD OIDC details
Issuer/Discovery URL: https://login.microsoftonline.com/<tenant-id>/v2.0
Client ID: from the registered application.
Client Secret: from step 2 above.
Scopes: openid, email, profile
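Before pasting an Issuer URI into Zitadel (the Okta default authorization server above, or the Azure AD v2.0 issuer here), it is worth confirming that the provider's discovery document advertises exactly that issuer and the scopes this guide relies on. The following check is an added example, not PerfectScale's or Zitadel's code; the sample document and the example.okta.com host are constructed placeholders.

```python
# Added example (not PerfectScale's or Zitadel's code): sanity-check an OIDC
# issuer's discovery document before pasting the Issuer URI into Zitadel.
# The sample document below is a constructed placeholder, not a real response.
import json
import urllib.request
from urllib.parse import urlparse

# Scopes this guide asks the provider to grant (openid, email, profile).
REQUIRED_SCOPES = {"openid", "profile", "email"}

def discovery_url(issuer):
    """OIDC Discovery: the document lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, document):
    """Return the problems found; an empty list means the issuer is usable."""
    problems = []
    # The advertised issuer must equal the configured one exactly: the relying
    # party validates the id_token 'iss' claim against it, so a trailing slash
    # or a wrong tenant id breaks the login flow.
    if document.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"advertised {document.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(document.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not served over https")
    missing = REQUIRED_SCOPES - set(document.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    # Zitadel's generic OIDC provider uses the authorization code flow.
    if "code" not in document.get("response_types_supported", []):
        problems.append("response_type 'code' not supported")
    return problems

def fetch_and_check(issuer, timeout=10.0):
    """Live variant: download the discovery document and check it."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return check_discovery(issuer, json.load(resp))

# Constructed sample resembling an Okta default authorization server.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_OKTA_DOC = {
    "issuer": OKTA_ISSUER,
    "authorization_endpoint": OKTA_ISSUER + "/v1/authorize",
    "token_endpoint": OKTA_ISSUER + "/v1/token",
    "jwks_uri": OKTA_ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
```

Run `fetch_and_check("https://login.microsoftonline.com/<tenant-id>/v2.0")` with your real tenant id to check the Azure AD issuer the same way.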
Add Azure AD as OIDC Provider in ZITADEL
In the ZITADEL Console (admin login), navigate to Organization -> Login Behavior and Security and ensure that the External allowed box is checked.
Go to Organization -> Login and Access -> Identity Providers.
Click Add Identity Provider, choose Microsoft, and update the configuration:
Name: AzureAD
Client ID: from Azure AD
Client Secret: from Azure AD

Activate the Identity Provider for login
Once the identity provider is saved, open it and activate.
Test the login flow with AzureAD.