Configuring single sign-on using the OpenID Connect standard

Overview

IMPORTANT  When you enable Single Sign-on, the login is handled by the identity provider, and Two-factor Authentication that was set up before SSO was implemented is ignored.

Configuring Single Sign-On (OpenID Connect)

NOTE  The instructions in this topic are vendor-neutral and focus on the Autotask end of the configuration. For a provider-specific walkthrough, refer to Configuring Autotask SSO with Auth0.

BEFORE YOU BEGIN  On the Identity Provider website, add Autotask as an application. For examples, refer to Provider-specific configuration info.

Using an Admin account, open both Autotask and your Identity Provider application.

  1. Open the Single Sign-On (OpenID Connect) page. To open the page, use the path(s) in the Security and navigation section above.
  2. Populate the following fields:
Field Description
General tab
Single Sign-On is:

The Disabled option is selected by default. Use the radio button to select one of the following options:

  • Enabled for all resources using Autotask Username entered in the Identity Provider: Use this option if all Autotask users will log in using the Identity Provider, and single sign-on will be enabled for all current and future users.

NOTE  Resource-level configuration in Autotask is not necessary, but the administrator of your Identity Provider account must create a custom attribute called autotaskuser, and set that attribute for each resource to be their Autotask username. Refer to the following Okta article for directions: Add custom attributes to an Okta user profile.

  • Enabled for selected resources using Identity Provider's Name Identifier: Use this option to enable single sign-on for some Autotask users, but not for others. This will enable the Resources tab, where you can enter the Identity Provider's Unique ID for each user.

NOTE  You must also use this option if your IdP is Azure AD or another provider that does not support custom attributes being exposed via OpenID Connect.

Client ID* Copy the Client ID field from the application setup page of your Identity Provider.
Client Secret*

Copy the Client Secret field from the application setup page of your Identity Provider.

  • Click Edit to open the Edit Secret dialog window, and enter and confirm the secret value.

NOTE  Once configured, this field value is both encrypted at rest, and obfuscated in Autotask. The value can be edited, but not viewed.

OpenID Connect Discovery Document*

Enter the OpenID Connect Discovery Document URL of your Identity Provider.

Typical protocol: add /.well-known/openid-configuration to the URL of your Identity Provider.

EXAMPLE  https://YOUR_DOMAIN.okta.com/.well-known/openid-configuration where https://YOUR_DOMAIN.okta.com is the Admin URL for the IdP.

Test You must click the Test button to test that the supplied Client ID, Client Secret, and OpenID Connect Discovery Document are valid. If they are, you will receive a confirmation message. If one of the three is not valid, you will receive an error message.

IMPORTANT  You will not be able to proceed until you have successfully tested the configuration.
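The discovery document and Test steps above amount to fetching the IdP's well-known document and checking that it is usable before the integration is saved. The following added example (not Autotask code, and not a description of how the Test button is implemented) shows the checks a relying party would run on such a document offline: the URL is built by appending the well-known path, the document's issuer must match the URL it was fetched from (OpenID Connect Discovery, section 4.3), every endpoint must be HTTPS, and the authorization code flow and RS256 ID token signing must be offered. The sample document, the hostname YOUR_DOMAIN.example and the weak variant with a plain-HTTP jwks_uri are constructed for the example.

```python
"""Offline checks on an OpenID Connect discovery document (added example)."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields every OpenID Provider metadata document must carry (OIDC Discovery 3).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
                 "response_types_supported", "subject_types_supported",
                 "id_token_signing_alg_values_supported")

# Constructed sample of what an IdP would serve at
# https://YOUR_DOMAIN.example/.well-known/openid-configuration
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://YOUR_DOMAIN.example",
    "authorization_endpoint": "https://YOUR_DOMAIN.example/oauth2/v1/authorize",
    "token_endpoint": "https://YOUR_DOMAIN.example/oauth2/v1/token",
    "jwks_uri": "https://YOUR_DOMAIN.example/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})
# Same document with the signing-key endpoint downgraded to plain HTTP (constructed).
WEAK_DISCOVERY_JSON = SAMPLE_DISCOVERY_JSON.replace(
    "https://YOUR_DOMAIN.example/oauth2/v1/keys", "http://YOUR_DOMAIN.example/oauth2/v1/keys")


def discovery_url(idp_base_url: str) -> str:
    """Append the well-known path to the IdP base URL; a trailing slash is tolerated."""
    return idp_base_url.rstrip("/") + WELL_KNOWN


def check_discovery_document(doc_url: str, body: str) -> list[str]:
    """Return the list of problems found; an empty list means the document passes."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["document is not a JSON object"]
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing required field: {key}")
    if problems:
        return problems
    # The issuer must equal the URL the document came from, minus the well-known path.
    if not doc_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end with " + WELL_KNOWN)
    else:
        expected_issuer = doc_url[:-len(WELL_KNOWN)]
        if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
            problems.append(f"issuer mismatch: document says {doc['issuer']}, "
                            f"URL implies {expected_issuer}")
    # Every endpoint the relying party will talk to must be served over TLS.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    if "code" not in doc["response_types_supported"]:
        problems.append("authorization code flow not supported")
    if "RS256" not in doc["id_token_signing_alg_values_supported"]:
        problems.append("RS256 ID token signing not offered")
    return problems


if __name__ == "__main__":
    url = discovery_url("https://YOUR_DOMAIN.example")
    print(url, check_discovery_document(url, SAMPLE_DISCOVERY_JSON))
    print(url, check_discovery_document(url, WEAK_DISCOVERY_JSON))
```

The issuer comparison is the check most often missed when a discovery URL is typed by hand: a document whose issuer does not match the URL it was fetched from means either a mis-typed URL or a proxy in front of the IdP, and either way ID tokens issued under that issuer would later fail validation.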

Last Update A read-only field that displays the user, date, and time of the last update.
Callback/Redirect URL

These are the URLs where the Identity Provider will send responses to authentication requests.

To configure the integration, copy these Autotask fields and paste them into the Callback/Redirect URL fields of your Identity Provider application.

LiveMobile Callback/Redirect URL (if using the legacy version of LiveMobile)

LiveMobile (v2.0 +) Callback/Redirect URL (if using the new version of LiveMobile)

Initiate Login URL

Copy this field and paste it into the Initiate Login URL field of your identity provider.

This allows users to bypass the Autotask login page. Once users have authenticated with the identity provider, they can click the Autotask tile to open Autotask.

Resources tab

Unique ID

If you enabled single sign-on for selected resources, click the Resources tab. All active resources in your Autotask instance are displayed.

  1. Check the names of all resources for whom single sign-on will be enabled.
  2. In the Unique ID field, enter each user's Unique ID from their account with the identity provider. This ID is generated automatically when the user's account is created in the Identity Provider's application.
  3. Click Save.

NOTE  The Unique ID is typically located in your profile in the SSO application.

Single sign-on is now enabled for all, or for selected users.

Using Autotask LiveMobile with Single Sign-On (SSO)

If you would like to use SSO with LiveMobile, you must update your SSO application to redirect to the mobile login page. Here are the steps for the three SSO applications we have tested:

NOTE  If you are using LiveMobile 1.0 on any platform, continue to use the LiveMobile Callback/Redirect URL.

Disabling Single Sign-On

You can disable individual users on the Resources tab. To disable Single sign-on for your entire local organization, do the following:

  1. In Autotask, navigate to Admin > Organization Settings & Users > Resources/Users (HR) > Security > Single Sign-On (OpenID Connect (OIDC)).

The Single Sign-On (OpenID Connect) page opens to the General tab.

  2. Toggle the Single Sign-On is: radio button to Disabled. The page validation is removed.
  3. Optionally, delete or change the information in the remaining fields so the integration is not accidentally re-enabled.
  4. Click Save.

NOTE  When the master SSO setting is changed to Disabled, you don't have to disable individual users. At their next login, these users will be prompted for two-factor authentication.