Version: 4.x

Use OIDC SSO

PhoenixAI supports user authentication using OpenID Connect (OIDC) single sign-on (SSO).

important
  • Only console users with the Account admin role can configure OIDC SSO.
  • SAML SSO and OIDC SSO are mutually exclusive. Disable SAML SSO before you enable OIDC SSO.

Enable OIDC SSO

The following tutorial provides examples for Okta, AWS, and Google.

Step 1: Prepare PhoenixAI Redirect URL

  1. Sign in to the PhoenixAI Cloud console as the account administrator.
  2. In the left-side navigation pane, choose Account > Account settings.
  3. On the Single sign-on tab of the Account settings page, click Configure in the OIDC section to display the Configure OIDC dialog box.
  4. In the Configure OIDC dialog box, click the Copy icon next to the PhoenixAI redirect URL field and save the URL properly.

note

Do not close the PhoenixAI Cloud console. You will need to complete further configurations on the console in the following steps.

Step 2: Set up your IdP

Follow these steps to set up your IdP:

  1. Sign in to the Okta Administration console as a member with administrator privileges.

  2. In the left-side navigation pane, choose Applications > Applications.

  3. On the Applications page, click Create App Integration to display the Create a new app integration dialog box.

  4. In the Create a new app integration dialog box, choose OIDC - OpenID Connect for Sign-in method, and choose Web Application for Application type.

  5. Click Next.

  6. On the General Settings section of the New Web App Integration page, enter a name for your application, select Client Credentials for Client acting on behalf of itself, and select Authorization Code and Refresh Token for Core grants.

  7. Paste the PhoenixAI redirect URL to the Sign-in redirect URIs section of the New Web App Integration page.

  8. On the Assignments section of the New Web App Integration page, select Limit access to selected groups for Controlled access, search and select groups in the Selected group(s) field, and click Save.

  9. In the left-side navigation pane of the Okta console, choose Applications > Applications.

  10. On the Applications page, click the application you have created to enter the application detail page.

  11. In the Client Credentials section of the General tab, copy the Client ID and save it properly. Then, click Edit in the section, select Require PKCE as additional verification for Proof Key for Code Exchange (PKCE), and click Save.

  12. In the CLIENT SECRETS section of the General tab, copy the client secret value and save it properly.

  13. In the Federation Broker Mode section of the General tab, click Edit, and click Enable Federation Broker Mode. In the message that appears, click Continue. Then, click Save.

  14. On the Applications page, click Assign Users to APP.

  15. On the Assign Apps to People tab of the Assign Applications page, configure as follows:

    a. In the Applications section, select the application you have created.

    b. In the People section, select the user to whom you want to assign the application.

    c. Click Next.

  16. On the Confirm Assignments tab of the Assign Applications page, click Confirm Assignments.

important

Refresh Token must be enabled on your web application. Without it, sessions cannot be silently renewed and users get bounced back to the IdP every time the id_token expires (typically every hour).

  • On Okta, you need to select the Refresh Token checkbox under Grant type.
  • On Google Workspace, set access_type=offline and prompt=consent (the literal offline_access scope is rejected by Google).
  • For other IdPs, use equivalent options (for example, include offline_access in the requested scopes).

Step 3: Configure and enable OIDC SSO on PhoenixAI

  1. Return to the Configure OIDC dialog box on your PhoenixAI Cloud console.

  2. Paste the client ID of your web application you have copied to the Client ID field.

  3. Paste the client secret of your web application you have copied to the Client Secret field.

  4. Specify the Discovery URL (the OIDC discovery document path, or the well-known OpenID configuration path) for your IdP. The following table lists the Discovery URL format for Okta, AWS, and Google. For other IdPs, refer to the corresponding official documentation.

    IdP      Discovery URL
    Okta     https://<your-tenant>.okta.com/.well-known/openid-configuration (Replace <your-tenant> with your actual tenant.)
    AWS      https://cognito-idp.<aws_region>.amazonaws.com/<user_pool_id>/.well-known/openid-configuration (Replace <aws_region> with your AWS region ID, and <user_pool_id> with your actual user pool ID.)
    Google   https://accounts.google.com/.well-known/openid-configuration

  5. Specify email in the Username Claim unless your IdP uses a different field for authentication.

  6. Click Submit.

  7. On the Single sign-on tab of the Account settings page, click Test SSO to test the connectivity of your OIDC configuration.

  8. On the page that appears, log in to your IdP. If the login succeeds, you are redirected to the PhoenixAI Cloud console.

  9. When the test passes, click Enable on the Single sign-on tab of the Account settings page.
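As an added pre-flight check (example code written for this page, not PhoenixAI's or any IdP's own code), the following Python inspects a discovery document fetched from the Discovery URL in step 4 and reports whether the IdP advertises what this setup relies on: the authorization code flow, the refresh_token grant from the note above, PKCE S256 from Step 2, and the username claim from step 5. It also shows the two ways of requesting a refresh token that the note describes. The discovery document below is a constructed sample shaped like a real openid-configuration response; fetching the real one over HTTPS is left to the caller.

```python
import base64
import hashlib
import secrets


def check_discovery(doc, username_claim="email"):
    """Return a list of mismatches between the IdP metadata and this setup's needs.
    Keys an IdP omits (AWS Cognito omits several) are reported as 'not advertised',
    which is a prompt to verify in the IdP console, not a definitive failure."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing required metadata: {key}")
    if not doc.get("issuer", "").startswith("https://"):
        problems.append("issuer is not an https URL")
    # RFC 8414 default when grant_types_supported is absent from the document.
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("authorization_code grant not advertised")
    if "refresh_token" not in grants:
        problems.append("refresh_token grant not advertised: sessions cannot be silently renewed")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    if username_claim not in doc.get("claims_supported", []):
        problems.append(f"username claim '{username_claim}' not advertised")
    return problems


def pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def offline_params(idp, scopes=("openid", "email", "profile")):
    """Authorization-request parameters that ask for a refresh token.
    Google rejects the offline_access scope and uses access_type/prompt instead."""
    if idp == "google":
        return {"scope": " ".join(scopes), "access_type": "offline", "prompt": "consent"}
    return {"scope": " ".join((*scopes, "offline_access"))}


# Constructed sample document; 'example-tenant' is a placeholder, not a real tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-tenant.okta.com",
    "authorization_endpoint": "https://example-tenant.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-tenant.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-tenant.okta.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "claims_supported": ["sub", "email", "name"],
}
```

An empty list from check_discovery means the IdP advertises everything Step 3 needs; each entry names the setting to revisit in Step 2 or step 5 before clicking Test SSO.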