
Single Sign On (SSO)

The Arcadia Platform Dashboard supports Single Sign On (SSO) by way of OpenID Connect (OIDC). This allows your IT department to manage who has access to your Dashboard, and with what permissions, through your own identity provider.

Note that SSO is intended to be mutually exclusive with password-based login. Using both methods of authentication after SSO has been configured is unsupported.

Permission assignments

There are two sets of permissions for Dashboard users: Admin and User. Users have full access to utility data, but only Admins have full access to Organization level settings and data management such as:

To determine which permission assignment a user logging in through SSO should be given, we use group assignment, which is standard functionality in most identity providers. By looking for specific group names in the group assignment data, we know which permission to give that user.

Note that if an SSO login attempt does not convey membership in one of the expected groups, it will be rejected.

Read more about Team Management here.

Setup

To set up OIDC SSO, first contact your Customer Success manager for the information you'll need to create the OIDC application within your identity provider:

  • Sign-in redirect URL
  • Initiate login URL
  • Sign-out URL (always https://auth.arcadia.com/logout)

Using these URLs, create an OIDC application in your identity provider. Once you have completed that and assigned users to the application and groups, gather the following information to send us:

  • What identity provider are you using? (e.g. Okta, Ping Federate)
  • What is the client ID of your application?
  • What is the client secret of your application?
  • What is the URL of your OpenID Provider Configuration? (e.g. https://example.okta.com/.well-known/openid-configuration)
    • If no OpenID Provider Configuration URL is available, you'll need to provide URLs for the authorization endpoint, token endpoint, user info endpoint, and JWKS endpoint.
  • What claim name in the access or id tokens will be used to indicate group membership/role assignment? Our default is groups.
  • What group name should be used to assign the admin role? Our default is Arcadia Admin Role.
  • What group name should be used to assign the user role? Our default is Arcadia User Role.
  • What scopes should Arcadia request in the OIDC process? Our default is openid profile email, but many providers require that additional scopes be requested in order to include group membership.

Send this information to your Customer Success manager, Zendesk, or to [email protected]. They'll schedule a call to verify the configuration and ensure you can access the Plug Dashboard through SSO.
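A local pre-flight check for the group-to-role mapping described above, added here as an example (it is not Arcadia's code): it decodes the payload of a token issued by your identity provider and reports which role the groups claim would map to, or None where the login would be rejected. Exact, case-sensitive group matching and Admin taking precedence when both groups are present are assumptions; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Defaults stated on this page; replace with the values you send to Arcadia.
GROUPS_CLAIM = "groups"
ADMIN_GROUP = "Arcadia Admin Role"
USER_GROUP = "Arcadia User Role"


def jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    segment = parts[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def expected_role(claims: dict, claim_name: str = GROUPS_CLAIM,
                  admin_group: str = ADMIN_GROUP, user_group: str = USER_GROUP):
    """Return "admin", "user", or None (the login would be rejected)."""
    groups = claims.get(claim_name)
    if isinstance(groups, str):       # some providers emit a single string
        groups = [groups]
    if not isinstance(groups, list):  # claim missing: often a scope was not requested
        return None
    if admin_group in groups:         # assumption: Admin wins if both are present
        return "admin"
    if user_group in groups:          # assumption: exact, case-sensitive match
        return "user"
    return None


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real login)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = constructed_token({"sub": "u1", "groups": ["Everyone", USER_GROUP]})
    print(expected_role(jwt_payload(sample)))
```

A None result for a user who is assigned to one of the groups usually means the token does not carry the claim at all, which is the case the scopes question above is meant to catch.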

If you have any additional questions, please reach out to us via your Customer Success or Account Manager, Zendesk, or [email protected].

Icon

Download this icon to use for your identity provider tile.