Configuring single sign-on using the OpenID Connect standard

SECURITY  Security level with Admin permission to configure Resources/Users (HR) and system administrator role for the Identity Provider

NAVIGATION   > Admin > Organization Settings & Users > Resources/Users (HR) > Security > Single Sign-On (OpenID Connect (OIDC))

Overview

IMPORTANT  When you enable Single Sign-on, the login is handled by the identity provider, and Two-factor Authentication that was set up before SSO was implemented is ignored.

Autotask supports single sign-on (SSO) for Autotask, the Microsoft Outlook Extension, and LiveMobile, using the OpenID Connect standard.

Support for OpenID Connect allows businesses that use many applications to take advantage of the benefits of Single Sign-On (SSO):

  • Businesses can delegate user authentication and provisioning to a dedicated, purpose-built service, called an Identity Provider (IdP), providing better security.
  • Businesses can disable access to multiple applications by inactivating the user account with the Identity Provider
  • Users no longer have to create separate logins and passwords for each application.
  • 2-factor authentication is not required when SSO is enabled.

We have tested the integration with several identity providers, but we fully expect the integration to work with most IdPs using OpenID Connect protocols. For a list of certified OpenID Connect providers, refer to OpenID Certification.

NOTE  We have currently identified one certified OpenID provider whose implementation does not work with the Autotask Integration, Microsoft ADFS on Windows Server 2016. Microsoft Azure AD is supported; refer to the note below.

Before you set up single sign-on, make sure the following tasks are completed:

  • Ensure that you are fully set up with your external identity provider.
  • Users who will authenticate using SSO must be set up with a user account before you configure the integration.
  • Single sign-on users who use the Microsoft Outlook Extension or LiveMobile must download the newest versions:  Outlook Extension version 3.3.3 or later, LiveMobile iOS 1.12/Android 1.11, or later.

We are providing additional documentation for the following vendors who use the OpenID Connect standard. Use these instructions in conjunction with this topic.

Configuring Single Sign-On (OpenID Connect)

NOTE  The instructions in this topic are vendor-neutral, and focused on the Autotask end of the configuration. Refer to Configuring Autotask SSO with Auth0.

BEFORE YOU BEGIN  On the Identity Provider website, add Autotask as an application. For examples, refer to Provider-specific configuration info.

Using an Admin account, open both Autotask and your Identity Provider application.

  1. Open the Single Sign-On (OpenID Connect) page. To open the page, use the path(s) in the Security and navigation section above.
  1. Populate the following fields:
Field Description
General tab
Single Sign-On is:

The Disabled option is selected by default. Use the radio button to select one of the following options:

  • Enabled for all resources using Autotask Username entered in the Identity Provider: Use this option if all Autotask users will log in using the Identity Provider, and single sign-on will be enabled for all current and future users.

NOTE  Resource-level configuration in Autotask is not necessary, but the administrator of your Identity Provider account must create a custom attribute called autotaskuser, and set that attribute for each resource to be their Autotask username. Refer to the following Okta article for directions: Add custom attributes to an Okta user profile.

  • Enabled for selected resources using Identity Provider's Name Identifier: Use this option to enable single sign-on for some Autotask users, but not for others. This will enable the Resources tab, where you can enter the Identity Provider's Unique ID for each user.

NOTE  You must also use this option if your IdP is Azure AD or another provider that does not support custom attributes being exposed via OpenID Connect.
Client ID* Copy the Client ID field from the application setup page of your Identity Provider.
Client Secret*

Copy the Client Secret field from the application setup page of your Identity Provider.

  • Click Edit to open the Edit Secret dialog window, and enter and confirm the secret value.

NOTE  Once configured, this field value is both encrypted at rest, and obfuscated in Autotask. The value can be edited, but not viewed.
OpenID Connect Discovery Document*

Enter the OpenID Connect Discovery Document URL of your Identity Provider.

Typical protocol: add /.well-known/openid-configuration to the URL of your Identity Provider.

EXAMPLE  https://YOUR_DOMAIN.okta.com/.well-known/openid-configuration where https://YOUR_DOMAIN.okta.com is the Admin URL for the IdP.
Test You must click the Test button to test that the supplied Client ID, Client Secret, and OpenID Connect Discovery Document are valid. If they are, you will receive a confirmation message. If one of the three is not valid, you will receive an error message.

IMPORTANT  You will not be able to proceed until you have successfully tested the configuration.
Last Update A read-only field that displays the user, date, and time of the last update.
Callback /Redirect URL

These are the URLs where the Identity Provider will send responses to authentication requests.

To configure the integration, copy these Autotask fields and paste them into the Callback /Redirect URL fields of your Identity Provider application.

LiveMobile Callback/Redirect URL (if using the legacy version of LiveMobile)

LiveMobile (v2.0 +) Callback/Redirect URL (if using the new version of LiveMobile)
Initiate Login URL

Copy this field and paste it into the Initiate Login URL field of your identity provider.

This will allow users to bypass the Autotask log in page. Once users have authenticated with the identity provider, they can click the Autotask tile to open Autotask.

Resources tab

Unique ID

If you enabled single sign-on for selected resources, click the Resources tab. All active resources in your Autotask instance are displayed.

  1. Check the names of all resources for whom single sign-on will be enabled.
  2. In the Unique ID field, enter each user's Unique ID from their account with the identity provider. This ID is generated automatically when the user's account is created in the Identity Provider's application.
  3. Click Save.

NOTE  The Unique ID is typically located in your profile in the SSO application.

Single sign-on is now enabled for all, or for selected users.

Using Autotask LiveMobile with Single Sign-On (SSO)

If you would like to use SSO with LiveMobile, you must update your SSO application to redirect to the mobile login page. Here are the steps for the three SSO applications we have tested:

  1. Login to YOURDOMAIN.okta.com.
  2. Select Admin.
  3. Select Applications.
  4. Select your app.
  5. Select Edit for general.
  6. Under Login, add “psamobile://login” to the Login redirect URI’s section.
  7. Click Save.
  1. Sign in to manage.auth0.com.
  2. On the left menu, select Applications.
  3. Select your application from the list.
  4. Add “psamobile://login” to the Allowed Callback URLs section.
  5. Select Save Changes.
  1. Sign in to portal.azure.com.
  2. Select Azure Active Directory.
  3. Select App registrations (preview).
  4. Select your Azure app and click the Authentication tab.
  5. For Public Client (mobile & desktop), set the redirect URI to “psamobile://login.”
  6. Click Save.

NOTE  If you are using LiveMobile 1.0 on any platform, continue to use the LiveMobile Callback/Redirect URL.

Disabling Single Sign-On

You can disable individual users on the Resources tab. To disable Single sign-on for your entire local organization Your Autotask instance may be configured to use one of the following terms instead: Account, Business Unit, Client Company, Customer, Site., do the following:

  1. In Autotask, navigate to > Admin > Organization Settings & Users > Resources/Users (HR) > Security > Single Sign-On (OpenID Connect (OIDC)).

The Single Sign-On (OpenID Connect) page opens to the General tab.

  1. Toggle the Single Sign-On is: radio button to Disabled. The page validation is removed.
  2. Optionally, delete or change the information in the remaining fields so the integration is not accidentally re-enabled.
  3. Click Save.

NOTE  When the master SSO setting is changed to Disabled, you don't have to disable individual users. Upon their next log in, these users will be prompted for two-factor authentication.