Single Sign On (SSO)

The Arcadia Platform Dashboard supports Single Sign On (SSO) by way of OpenID Connect (OIDC). This allows your IT department to manage who has access to their Dashboard and with what permissions, through your own identity provider.

Note that SSO is intended to be mutually exclusive with password based login. Using both methods of authentication after SSO has been configured is unsupported.

Permission assignments

There are two sets of permissions for Dashboard users: Admin and User. Users have full access to utility data, but only Admins have full access to Organization level settings and data management such as:

• Creating and removing users (for non-SSO orgs)
• Creating, viewing, and deleting API keys
• Configuring webhook URLs
• Configuring DataHub delivery
• Configuring custom data
• Customizing Connect
• Deleting credentials and accounts accounts

In order to specify what permission assignment a user logging in through SSO should be given, we leverage group assignment which is a standard functionality among most identity providers. By looking for specific group names in group assignment data, we know what permission to give that user.

Note that if an SSO login attempt does not convey membership in one of the expected groups, it will be rejected.

Read more about Team Management here.

Setup

To set up OIDC SSO, create an OIDC application in your identity provider. Any sign in, sign out, or login URLs it asks for can be assigned to https://example.com for now.

Gather the following information:

• What identity provider are you using? (e.g. Okta, Ping Federate)
• What is the client ID of your application?
• What is the client secret of your application?
• What is the URL of your OpenID Provider Configuration? (e.g. https://example.okta.com/.well-known/openid-configuration)
  • If no OpenID Provider Configuration URL is available, you'll need to provide URLs for the authorization endpoint, token endpoint, user info endpoint, and JWKS endpoint.
• What claim name in the access or id tokens will be used to indicate group membership/role assignment? Our default is groups
• What group name should be used to assign the admin role? Our default is Arcadia Admin Role.
• What group name should be used to assign the user role? Our default is Arcadia User Role.
• What scopes should Arcadia request in the OIDC process? Our default is openid profile email, but many providers require additional scopes are requested in order to include group membership.

Send this information to your Customer Success manager, Zendesk, or to [email protected]. They will reply once these settings have been configured in our system, and include the appropriate values for:

• Sign-in redirect URL
• Sign-out redirect URL
• Initiate login URL

These values should then be set in your identity provider's OIDC application. At this point, you should be able to sign in through your OIDC application to the Plug Dashboard. If any additional questions, please reach out to us via your Customer Success or Account Manager, Zendesk, or to [[email protected].]

Icon

Download this icon to use for your identity provider tile.