SSO Integrations
Who is this for? This guide is for IT administrators and account administrators who are responsible for configuring Single Sign-On (SSO) integration between their organization's identity provider and Altana.
Altana supports SSO integration with OIDC-based identity providers including Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and Auth0. This allows your users to access Altana using your organization's existing authentication system.
Prerequisites
To set up SSO integration with Altana, you will need:
- Admin access to your identity provider (Okta, Microsoft Entra ID, Google Workspace, etc.)
- An OIDC-capable identity provider
- The following information from your identity provider:
  - OIDC Discovery URL (the .well-known/openid-configuration endpoint)
  - OAuth2 Client ID
  - OAuth2 Client Secret
Integration process
The SSO integration process involves coordination between your team and Altana's implementation team:
- Information gathering: You provide your OIDC discovery URL, client ID, and client secret to Altana.
- Configuration: Altana's implementation team configures your SSO integration.
- Redirect URI setup: Altana provides you with a redirect URI that you add to your identity provider.
- Testing: Both teams test the integration to ensure the login flow works correctly.
Provider-specific information
Below are instructions for finding the required information for common identity providers.
Microsoft Entra ID (Azure AD)
Discovery URL format:
https://login.microsoftonline.com/{your-tenant-id}/v2.0/.well-known/openid-configuration
Replace {your-tenant-id} with your Azure AD tenant ID (UUID) or your tenant domain (e.g., company.onmicrosoft.com).
To create OAuth2 credentials:
- Go to Azure Portal → App registrations → Create new (or use existing)
- Note the "Application (client) ID"
- Go to Certificates & secrets → New client secret → Copy the value
Okta
Discovery URL format:
https://{your-org}.okta.com/.well-known/openid-configuration
Replace {your-org} with the subdomain of your Okta domain (e.g., company if your Okta domain is company.okta.com).
To create OAuth2 credentials:
- Go to Okta Admin → Applications → Create App Integration
- Choose "OIDC - OpenID Connect" and "Web Application"
- Note the Client ID
- Copy the Client secret
Google Workspace
Discovery URL:
https://accounts.google.com/.well-known/openid-configuration
To create OAuth2 credentials:
- Go to Google Cloud Console → APIs & Services → Credentials
- Create OAuth 2.0 Client ID (Web application)
- Note the Client ID and Client secret
Adding the redirect URI
After Altana configures your SSO integration, you will receive a redirect URI (also called a callback URL or sign-in redirect URI) that you must add to your identity provider's application configuration.
The redirect URI will be in this format:
https://login.altana.ai/realms/{realm-or-org-id}/broker/{idp-alias}/endpoint
How to add the redirect URI by provider:
- Azure AD: App registrations → Your app → Authentication → Add redirect URI under "Web" platform → Save
- Okta: Applications → Your app → General Settings → Edit "Login redirect URIs" → Add the URI → Save
- Google: Credentials → Your OAuth 2.0 Client → Authorized redirect URIs → Add URI → Save
You must also ensure the following scopes are granted: openid, email, profile
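A pre-flight check for the values exchanged in this guide, as an added example that is not part of Altana's documentation or tooling: it inspects a discovery document for the required scopes and checks a redirect URI against the format shown above. The function names, the idp.example.com sample data, and the authorization-code-flow check are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes this guide requires
# Redirect URI shape from this guide; realm and alias are opaque path segments.
REDIRECT_RE = re.compile(
    r"https://login\.altana\.ai/realms/[^/?#\s]+/broker/[^/?#\s]+/endpoint")


def check_discovery(discovery_url, doc):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    parts = urlsplit(discovery_url)
    if parts.scheme != "https":
        problems.append("discovery URL is not https")
    if not parts.path.endswith(SUFFIX):
        problems.append("discovery URL does not end with " + SUFFIX)
    # OIDC Discovery: issuer + well-known suffix must equal the URL fetched.
    if doc.get("issuer", "").rstrip("/") + SUFFIX != discovery_url:
        problems.append("issuer does not match discovery URL")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    # Assumption of this example: the integration uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def redirect_uri_ok(uri):
    """True only if the whole URI matches the format given in this guide."""
    return REDIRECT_RE.fullmatch(uri) is not None


# Constructed sample input (not real tenant data); "profile" is left out on purpose.
SAMPLE_URL = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "scopes_supported": ["openid", "email"],
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_URL, SAMPLE_DOC):
        print("discovery:", problem)
    print(redirect_uri_ok(
        "https://login.altana.ai/realms/example-org/broker/example-idp/endpoint"))
```

To check a live provider, fetch the discovery URL over HTTPS, parse the JSON body, and pass both to check_discovery.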
Testing your SSO integration
Once configuration is complete, you can test the SSO integration:
- Navigate to your Altana login page (the URL will be provided by Altana)
- Click "Login"
- Enter your email address in the "Username or email" field
- You will be automatically redirected to your identity provider
- After authenticating with your identity provider, you will be returned to Altana
Altana's implementation team will coordinate testing with you to ensure the integration works correctly before rolling it out to your users.
Getting help
If you encounter any issues during the SSO integration process or have questions, please contact your Altana implementation team representative. They can assist with:
- Gathering the required information from your identity provider
- Troubleshooting redirect URI mismatches
- Verifying that authentication flows work correctly
- Resolving any configuration issues