SSO / OpenID Connect
Enterprise
This feature requires an Enterprise license.
Single Sign-On (SSO) via OpenID Connect (OIDC) allows your team to authenticate using your organization's identity provider. Ops Atlas supports any OIDC-compliant provider including Okta, Azure AD, Auth0, Keycloak, and others.
How It Works
SSO configuration is stored in the database as an SsoConfig entity and managed entirely through the Settings UI — no environment variables or config file changes required. When SSO is enabled, the login page displays a Sign in with SSO button alongside the standard login form.
When a user authenticates through the identity provider, they are redirected back to Ops Atlas at the SSO callback route. The backend validates the OIDC token, maps the user to a local account and role, and issues a session.
Configuration
- Navigate to Settings > SSO / OIDC in the Ops Atlas UI.
- Fill in the following fields:
| Field | Description |
|---|---|
| Provider URL | The OIDC issuer URL (e.g. https://your-org.okta.com/oauth2/default) |
| Client ID | The OAuth 2.0 client ID from your identity provider |
| Client Secret | The OAuth 2.0 client secret from your identity provider |
| Redirect URI | Set to https://<your-ops-atlas-host>/login/sso-callback |
- Click Save to persist the configuration.
- Toggle Enable SSO to activate.
TIP
Register the redirect URI in your identity provider's application settings before enabling SSO in Ops Atlas.
Usage
Once SSO is enabled:
- Users visit the login page and click Sign in with SSO.
- They are redirected to the identity provider for authentication.
- After successful authentication, the provider redirects back to
/login/sso-callback. - Ops Atlas creates or updates the local user account and assigns roles based on the provider claims.
- The user is logged in and redirected to the dashboard.
Users who authenticate via SSO are mapped to local roles. Administrators can adjust role assignments in Settings > Users.
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
GET | /api/sso/config | Retrieve current SSO configuration |
PUT | /api/sso/config | Update SSO configuration |
GET | /api/sso/auth/login | Initiate SSO login flow |
GET | /api/sso/auth/callback | Handle OIDC callback from provider |
Frontend Route
| Route | Description |
|---|---|
/login/sso-callback | Receives the OIDC redirect and completes authentication |