Configuring single sign-on for applications
Single sign-on (SSO) allows users to access third-party applications such as Workday, Salesforce, or Coupa directly through Orchestrate Chat, without having to log in each time.
Builders or admins configure SSO while setting up a connection for the app. This requires that the third-party application is already integrated with an Identity Provider (IdP) and that every tenant user exists in the IdP configuration; a user who is missing from the IdP cannot be authenticated for the app. When a user logs in, the IdP authenticates their credentials and issues an SSO token, which Orchestrate then exchanges for an access token that the app accepts.
Benefits of using SSO
- Seamless access: Users can interact with apps through Orchestrate Chat without repeated logins.
- Improved security: Credentials are managed centrally by the IdP.
- Faster workflows: Agents and tools linked to the app can be triggered immediately, with no credential prompt in the conversation.
- Simplified authorization: The third-party app applies its own permissions to the authenticated user's identity, so you don't need to maintain a separate role mapping in Orchestrate.
Before you begin
Before you configure SSO in watsonx Orchestrate, ensure your third-party application is integrated with your Identity Provider (IdP). For example, if you're configuring SSO for the Workday app, first integrate Workday with your IdP (for example, Microsoft Entra ID). For guidance, see Microsoft Entra single sign-on (SSO) integration with Workday.
Enabling single sign-on
To enable single sign-on:
- From the main menu, go to Manage > Connections.
- On the Connection settings page, click Add new connection.
- Enter a Connection ID and Display name and click Next.
- Toggle Single Sign-On (SSO).
- Select an authentication type: either OAuth2 On Behalf Of Flow or OAuth2 Token Exchange (Beta feature). See Choosing an authentication type for how the two differ.
- The Credential type is automatically set for SSO and supports only member credentials. Click Next to continue.
- Configure the live connection. Either Paste draft configuration or define a new setup.
- Save the connection.
Choosing an authentication type
Select the OAuth2 flow that best fits how your app accepts tokens and how much you trust the client that performs the exchange. In both flows the user never presents app credentials to Orchestrate; the IdP-issued token is exchanged for an access token scoped to the app.
| Authentication type | How it works | Flow |
|---|---|---|
| OAuth2 On Behalf Of Flow | The client exchanges the user's existing IdP token for an access token for the app in a single request. The authorization server only accepts the exchange from a trusted (confidential) client. | (User/IdP token) > Authorization Server > (Access Token) |
| OAuth2 Token Exchange (Beta feature) | Two separate calls instead of one: 1. Exchange the user's IdP token for an intermediate token. 2. Exchange that intermediate token for the access token the app accepts. | (User/IdP token) > Exchange > (Intermediate Token) > Exchange > (Access Token) |
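The two flows in the table, as an added example that is not part of this page or of watsonx Orchestrate: a small Python model of an RFC 8693 token-exchange endpoint with HMAC-signed tokens. The authorization server, the client IDs (`orchestrate`, `sts-bridge`), their secrets, the audience names and the user token are all constructed for the example, and the two-hop variant assumes the intermediate token is consumed by a second trusted component, which the page does not specify. What the table leaves implicit is why the client must be trusted: the endpoint rejects unregistered clients and any subject token that was issued to a different audience, and the final token's `act` claim records each hop of the chain.

```python
import base64
import hashlib
import hmac
import json
import time

# RFC 8693 identifiers; everything else below is constructed for this example.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Toy token endpoint (assumed, not Orchestrate's): HMAC-signed tokens,
    a fixed list of trusted clients, and the token-exchange grant only."""

    def __init__(self, signing_key: bytes, trusted_clients: dict):
        self.key = signing_key
        self.trusted_clients = trusted_clients  # client_id -> client_secret

    def mint(self, subject: str, audience: str, act=None, ttl: int = 300) -> str:
        claims = {"sub": subject, "aud": audience, "exp": int(time.time()) + ttl}
        if act is not None:
            claims["act"] = act  # RFC 8693 actor claim: who acts on the subject's behalf
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def verify(self, token: str, audience: str) -> dict:
        body, _, sig = token.rpartition(".")
        good = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, good):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("aud") != audience:
            raise ValueError("token not issued for this client")
        if claims.get("exp", 0) < time.time():
            raise ValueError("token expired")
        return claims

    def token_endpoint(self, form: dict) -> dict:
        # Only a trusted (confidential) client may exchange someone else's token.
        client_id = form.get("client_id", "")
        expected = self.trusted_clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            return {"error": "unsupported_grant_type"}
        # The subject token must have been issued *to this client*; otherwise any
        # holder of a user's token for some other app could mint tokens here.
        try:
            claims = self.verify(form.get("subject_token", ""), audience=client_id)
        except ValueError as err:
            return {"error": "invalid_grant", "error_description": str(err)}
        # Nest the actor claim so the final token records every hop.
        act = {"sub": client_id}
        if "act" in claims:
            act["act"] = claims["act"]
        return {
            "access_token": self.mint(claims["sub"], form["audience"], act=act),
            "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer",
        }


def exchange(server, client_id, client_secret, subject_token, audience) -> dict:
    """One token-exchange request, as a trusted client would send it."""
    return server.token_endpoint({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    })


def on_behalf_of(server, user_token) -> dict:
    """On Behalf Of: a single request, IdP token -> access token for the app."""
    return exchange(server, "orchestrate", "orch-secret", user_token, "workday-api")


def two_hop_exchange(server, user_token) -> dict:
    """Token Exchange: IdP token -> intermediate token for an assumed second
    trusted component ("sts-bridge") -> access token for the app."""
    first = exchange(server, "orchestrate", "orch-secret", user_token, "sts-bridge")
    if "error" in first:
        return first
    return exchange(server, "sts-bridge", "bridge-secret", first["access_token"], "workday-api")


# Constructed sample environment: two registered clients and one IdP-issued user token.
SERVER = AuthorizationServer(b"demo-signing-key",
                             {"orchestrate": "orch-secret", "sts-bridge": "bridge-secret"})
USER_TOKEN = SERVER.mint("alice@example.com", audience="orchestrate")

if __name__ == "__main__":
    for name, fn in (("on-behalf-of", on_behalf_of), ("two-hop exchange", two_hop_exchange)):
        print(name, SERVER.verify(fn(SERVER, USER_TOKEN)["access_token"], audience="workday-api"))
```

Both flows end with a token whose `sub` is still the user, which is the point of SSO: the app authorizes Alice, not Orchestrate. The check worth copying into a real deployment is the audience comparison in `token_endpoint`: a subject token minted for another application must be refused even when its signature is valid.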
Editing an existing connection
To update an existing connection with SSO settings:
- Navigate to Manage > Connections.
- Locate the app you want to update.
- Click the edit icon next to the app and update the configuration fields.
- Save your changes to apply the new settings.