Configure generic SSO

Learn how to configure generic SSO. To use a generic configuration to set up your SSO provider, you must add Snow Atlas as an app. After you add the Snow Atlas app in your SSO provider, you must retrieve values from the app configuration that you require to set up your SSO provider in Snow Atlas.

Add Snow Atlas as SSO app

As a minimum, you must configure the generic SSO application registration with the following:

  1. Configure the authorization code flow with Proof Key for Code Exchange (PKCE).

    note

    In most providers, it is sufficient to select the authorization code flow, if there is no option to select PKCE.

  2. Set the redirect URL to https://apex.snowsoftware.io/idp/api/connect/callback/pkce/generic.

    tip

    The redirect URL is sometimes referred to as the callback URL.

  3. Configure consent for the scopes defined in Application permissions.

    For more information, see Application permissions.

If your SSO provider cannot be configured with these options, it cannot be supported with the generic SSO configuration in Snow Atlas.

Find values to set up generic SSO configuration in Snow Atlas

You require the relevant Issuer, Client ID, and Client secret for your Snow Atlas SSO app integration.

This procedure identifies the values that you need to retrieve and copy from your SSO provider interface for the application registration that you create. You must enter the values in Snow Atlas to add your SSO provider. For more information, see Add SSO providers.

  1. In Snow Atlas, in Add single sign-on, under Setup, enter the name of your SSO provider in Provider name.

  2. In your SSO provider interface, go to the application registration that you have created for Snow Atlas.

  3. Copy the value for Client ID.

    Use the value as the Client ID when you set up the generic configuration as your SSO.

  4. Copy the value for Client secret.

    Use the value as the Client secret when you set up the generic configuration as your SSO.

  5. Copy the value for Authority or Issuer. The value required is a URL where Snow Atlas can append the /.well-known/openid-configuration path, to resolve the OpenID metadata discovery document.

    Use the value as the Issuer when you set up the generic configuration as your SSO.

  6. Optional: Determine the unique user identifier claim that you want Snow Atlas to map users to.

    tip

    The unique user identifier claim is often the sub (subject) claim. The sub claim is also the default if you do not enter a value.

    Use the value as the User ID claim name when you set up the generic configuration as your SSO.

    caution

    If you use a non-unique identifier or an identifier that is reused over time, this is a security risk. Refer to your SSO provider documentation to ensure that the claim name is suitable if you choose to override the default.
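
The following pre-flight check for the Issuer value from step 5 and the claim name from step 6 is an added example, not code from Snow Atlas. It validates a discovery document you have already downloaded against the minimum requirements listed above. Assumptions: the provider name `idp.example.com`, the sample document, the function names, the use of `S256` as the PKCE method, and exact issuer matching as required by the OpenID Connect Discovery specification.

```python
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"

def discovery_url(issuer):
    # The URL that results from appending the discovery path to the Issuer value.
    return issuer.rstrip("/") + DISCOVERY_PATH

def check_issuer(issuer, meta, user_id_claim="sub"):
    """Return (errors, warnings) for an Issuer value and its discovery document."""
    errors, warnings = [], []
    url = urlsplit(issuer)
    if url.scheme != "https" or not url.netloc or url.query or url.fragment:
        errors.append("issuer must be an https URL without query or fragment")
    if issuer.endswith(DISCOVERY_PATH):
        errors.append("issuer must not include the discovery path itself")
    # OpenID Connect Discovery: the document's issuer must equal the requested one.
    if meta.get("issuer") != issuer:
        errors.append("issuer mismatch: document says %r" % meta.get("issuer"))
    if "code" not in meta.get("response_types_supported", []):
        errors.append("authorization code flow (response type 'code') not advertised")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(meta.get(key, "")).startswith("https://"):
            errors.append("%s missing or not https" % key)
    # PKCE methods are optional metadata (RFC 8414); absence is only a warning.
    # Assumption: S256 is the challenge method in use.
    methods = meta.get("code_challenge_methods_supported")
    if methods is None:
        warnings.append("PKCE support not advertised; confirm it in the provider UI")
    elif "S256" not in methods:
        errors.append("PKCE method S256 not supported")
    claims = meta.get("claims_supported")
    if claims is not None and user_id_claim not in claims:
        warnings.append("claim %r not listed in claims_supported" % user_id_claim)
    return errors, warnings

# Constructed sample discovery document for a hypothetical provider.
SAMPLE_ISSUER = "https://idp.example.com/tenant1"
SAMPLE_META = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "response_types_supported": ["code", "id_token"],
    "code_challenge_methods_supported": ["S256"],
    "claims_supported": ["sub", "email", "name"],
}
```

To use it with a real provider, download the JSON from `discovery_url(issuer)` and pass the parsed document as `meta`. The check cannot tell whether a claim is unique or stable over time; that still has to be confirmed in the provider documentation.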