SSO Configuration Overview

Edit online

This topic provides instructions on configuring Single Sign-On (SSO) connections in the Domain Management section of Apptio Access Administration. SSO enhances user experience by allowing seamless access across multiple applications with a single set of credentials. Both SAML and OIDC connections are supported.

Getting Started

Before setting up your SSO Connection in Access Administration, you must
  • assign the SSO Admin Role to User(s) who will configure the SSO Connection in Access Administration.
  • work with your organization’s Identity Provider (IdP) team to setup a SAML or OIDC connection in your Identity Provider for use with Frontdoor
Note: If you will need multiple SSO Connections to the same IdP for different groups within your organization, you must use OIDC.

SAML Preparation

In Access Administration, go to Domain Management, select your Domain and click on Export SAML Metadata. Provide this file to your IdP team for use in setting up the SAML application. This metadata file will contain the Partner/EntityID/Audience and Assertion Endpoint/Single Sign On URL specific to the Frontdoor region where will login. It also contains the certificate used for SAML signing and encryption, which is self-signed by the IBM Security Verify tenant. The IdP team will need to provide you with the names of these SAML attributes that will be included in the login event:
  • email (required)- The attribute containing the user's email address. This will also be used as the username unless a separate username attribute is specified.
  • displayName (required) - The attribute containing the user's full name (ex. John Smith).
  • username (optional) - The attribute containing the username. This is not needed if the email will be used as the username.
  • group (optional) - The attribute containing the list of groups in which this user is a member. This is only needed if the documentation for the Apptio service you are using says it is required.
  • role (optional) - The attribute containing role information for SSO Auto-provisioning. Review the SSO Auto-Provisioning Before you Begin section with your IDP team to determine if this is needed and what values it will contain.

The IdP team will need to provide you with the SAML metadata for the application that they created. You will need this to setup the SSO Connection in Access Administration.

OIDC Preparation

In Access Administration, go to Domain Management, select your Domain and click on What do I need to setup a new connection?. Click on the OIDC tab and look for the bullet point under Step 1 that lists the Apptio Sign in redirect URI. Provide this URI to your IdP team for use in setting up the OIDC application. The IdP team will also need the following information:

Required and Optional Claims:
  • name (required) - The user's full name (ex. John Smith).
  • email (required) - The user's email address.
  • groups (optional) - This is only required if you want to setup auto-provisioning based on user groups.
Required Scopes:
  • openid
  • profile
  • email
The IdP team will need to provide you with the following:
  • Well-known Endpoint (also known as the Discovery Endpoint)
    • If PKCE is enabled on the OIDC application, the Well-known configuration document must include the JWKS URI.
  • Client ID
  • Client Secret
  • Expiration Date of the Client Secret

Next Step

Once you have gathered the above information, you are ready to Create your SSO Connection.