Set Up SSO with project44
As a customer of project44, you have the option to configure Single Sign On (SSO) to access project44's products. Standard SSO supports one or more of your company's email domains.
SSO configuration is a collaborative effort between you and project44.
project44 uses Okta as its authentication broker to connect customer identity providers to the project44 platform. You do not need to log into or access Okta directly. Your IdP will reference Okta URLs for project44. However, you will always log in through Movement.
Prior to configuration, work with your project44 Customer Success contact to define your SSO experience needs. Specifically, determine the following:
- What known set of email domains will you use?
- Do you want to enable just-in-time (JIT) user creation? JIT users will be created with default access when they first log in via SSO.
  Note: Roles for JIT users may need to be adjusted after the user is created to ensure the users are assigned the correct roles.
- Which protocol do you want to use: OpenID Connect (OIDC) or Security Assertion Markup Language (SAML, specifically SAML 2.0)?
For the SAML protocol:
- Create or configure a SAML application on your system using the following values as placeholders for the entityID and Application Callback URL respectively:
- Send the following information to your project44 Customer Success contact:
  - EntityID. This is a unique identifier for the SAML service provider.
  - Application Callback URL
  - Signing certificate. This should be in Base64 format.
- Your project44 Customer Success contact will provide you with the actual Entity ID and Callback URL to replace your placeholders.
- Once you have completed SSO configuration using the SAML protocol, project44 will work with you to conduct testing.
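Before sending the signing certificate, it is worth confirming that what you are about to paste is one complete, Base64-encoded DER certificate rather than a PEM file with its armour lines, a truncated copy, or a binary file. The following Python script is an added example, not project44's or Okta's tooling: it accepts either a PEM block or a bare Base64 body, strips the PEM armour and whitespace, and checks that the decoded bytes form exactly one DER SEQUENCE (the outer structure of every X.509 certificate), so a cut-off or padded paste is caught before it reaches your Customer Success contact. The certificate it tests with is a constructed five-byte DER stand-in, not a real certificate.

```python
import base64
import binascii
import re

# Matches the body of a PEM-armoured certificate (whitespace and line breaks included).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05, wrapped like a PEM file.
# A real certificate body starts with "MII" (a long-form SEQUENCE length) and is far longer.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n-----END CERTIFICATE-----\n"


def der_length(blob):
    """Parse the outer DER SEQUENCE header; return the total encoded length or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:  # every X.509 certificate is an outer SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: number of following length bytes
    if n == 0 or len(blob) < 2 + n:       # 0x80 (indefinite) is not allowed in DER
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def normalize_signing_certificate(text):
    """Return (base64_body, problems): the single-line Base64 form to send, and any defects found."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    body = "".join(body.split())          # drop line breaks and stray whitespace
    problems = []
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return body, ["certificate is not valid Base64"]
    expected = der_length(der)
    if expected is None:
        problems.append("decoded data is not a DER SEQUENCE (wrong file, or binary DER not Base64-encoded)")
    elif expected != len(der):
        problems.append(f"DER length mismatch: header says {expected} bytes, got {len(der)} (truncated or padded paste)")
    return body, problems


if __name__ == "__main__":
    body, problems = normalize_signing_certificate(SAMPLE_PEM)
    print("Base64 body to send:", body)
    print("problems:", problems or "none")
```

Paste the output of `normalize_signing_certificate` only when the problem list is empty; the length check is what distinguishes a complete certificate from one that lost its last lines in a copy-and-paste.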
For the OIDC protocol:
- Create an OIDC application and set the Redirect URI to one of the following based on your location:
- Send the following information to your project44 Customer Success contact:
  - Client ID. This is your unique OIDC application identifier.
  - Client Secret. This is a secret key used for OIDC authentication. Send it securely via a secret manager so that it stays encrypted and can be retrieved only once.
  - Authorization URL
  - Token URL
  - JWKS URL
  - Issuer URL
  - Any other specific scopes that should be specified. The defaults are openid, profile, and email.
- Your project44 Customer Success contact will let you know when it is time to conduct testing.
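Most IdPs publish the Authorization URL, Token URL, JWKS URL and Issuer URL requested above in an OIDC discovery document at `{issuer}/.well-known/openid-configuration`. The following Python script is an added example, not part of this page or of project44's tooling: it takes an issuer URL and a discovery document (here a constructed one for a hypothetical IdP at idp.example.com; in practice you fetch it from your IdP) and collects the four values under the labels used above, while checking the things that commonly go wrong before the values are sent: the `issuer` in the document must match the URL exactly (a mismatch means the wrong tenant or a misconfigured IdP), every endpoint must be HTTPS, the scopes you intend to request (the defaults openid, profile and email unless you pass others) must be advertised, and RS256 ID-token signing must be offered.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document for a hypothetical IdP (not project44's or Okta's).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

DEFAULT_SCOPES = ("openid", "profile", "email")

# Maps the labels used on this page to the discovery document fields.
ENDPOINT_FIELDS = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "JWKS URL": "jwks_uri",
}


def discovery_url(issuer_url):
    """Well-known location per OIDC Discovery: any trailing slash is removed, then the suffix appended."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer_url, document_text, requested_scopes=DEFAULT_SCOPES):
    """Check a discovery document and return (values_to_send, problems, warnings).

    values_to_send uses the labels this page asks for; problems are hard failures to fix
    before sending the values; warnings are things worth confirming with the IdP owner.
    """
    doc = json.loads(document_text)
    problems, warnings = [], []

    # 1. The issuer value must be identical to the URL the document was retrieved for.
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {issuer_url!r}")
    issuer_host = urlparse(issuer_url).hostname

    # 2. Every endpoint must be present and served over HTTPS.
    values = {"Issuer URL": doc.get("issuer")}
    for label, field in ENDPOINT_FIELDS.items():
        url = doc.get(field)
        values[label] = url
        if not url:
            problems.append(f"{field} is missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {url}")
        if parsed.hostname != issuer_host:
            warnings.append(f"{field} is on a different host than the issuer: {url}")

    # 3. The scopes we will request should be advertised (scopes_supported is optional in the spec).
    supported = doc.get("scopes_supported")
    if supported is not None:
        missing = [s for s in requested_scopes if s not in supported]
        if missing:
            problems.append(f"scopes not advertised by the IdP: {missing}")
    else:
        warnings.append("scopes_supported not published; confirm the scopes with the IdP owner")

    # 4. RS256 ID-token signing is mandatory in OIDC; its absence points at a misconfigured IdP.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP does not advertise RS256 for ID token signing")

    values["Scopes"] = list(requested_scopes)
    return values, problems, warnings


if __name__ == "__main__":
    print("fetch from:", discovery_url("https://idp.example.com/"))
    values, problems, warnings = validate_discovery("https://idp.example.com", SAMPLE_DISCOVERY)
    for label, value in values.items():
        print(f"{label}: {value}")
    print("problems:", problems or "none")
    print("warnings:", warnings or "none")
```

The Client ID and Client Secret are not in the discovery document; they come from the application you registered, and the secret should still travel through a secret manager as the list above says.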
The purpose of testing the SSO configuration is to ensure your preferences have been enabled and are working properly.
Some scenarios that can be tested include:
- JIT user creation. If enabled, does the new JIT user get created in the correct project44 account? If disabled, is an SSO login by a new user who does not yet exist in project44 rejected?
  You have the option to send an email notification to any email addresses of your choice when a new JIT user is created.
- Existing user access. If your project44 account has been upgraded to enable SSO, is the existing user able to log in successfully through SSO instead of with a username and password?