Enhance security and streamline logins for your organization with Single sign-on (SSO). Add identity providers using Azure AD or OpenID Connect (OIDC), to reduce login friction, boost security, and provide a smooth, safe login experience for users across specified domains.

Note:

• Admin permissions are required to manage SSO.
• SSO is available to Atera Enterprise plan subscribers.
• SSO is available to Atera Superpower plan subscribers.
• Users without SSO are required to log in with two-factor authentication (2FA).
• Multiple providers can be added.

Prerequisites

Before enabling SSO, first set up your Azure Active Directory (AD) platform, or an Identity Provider (IdP) that supports OpenID Connect (OIDC). 

Azure AD

To set up your Azure Active Directory (AD) platform, register Atera within your Azure portal, create a client secret, add a URI, and create a user. For detailed steps on this process, see Set up Azure AD for SSO

Then follow the instructions below to add identity providers

OpenID Connect (OIDC)

To set up an Identity Provider (IdP) that supports OpenID Connect (OIDC), create user accounts within the IdP, register Atera with the IdP, and assign Atera users. For detailed steps on this process using Okta as an IdP example, see Single sign-on (SSO) with your Identity Provider

Then follow the instructions below to add identity providers

Add identity provider

After your Azure AD or IdP is set up, add your first identity provider in Atera to activate SSO for your account.

Note: You can enable SSO for multiple providers and domains.

To add an identity provider:

1. From Admin (on the sidebar), go to Users and security > Security and authentication.

The Security and authentication page appears.

2. Click the Authentication dropdown icon (). Then go to the Single sign-on (SSO) tab.

3. Click Add provider.

The Add provider window appears.

4. Under the SSO protocol dropdown, select Azure AD or OpenID Connect (OIDC).

Continue with Azure AD

Enter your Azure AD details. Then click Add provider.

• Domain: Enter the domain set up in your Azure AD account.
• Alias domain names: Enter any alternative domain names. To enter more than one, separate them using commas.
• Application (client) ID: Enter the client ID generated when registering Atera in Azure AD. See, How to generate a client ID
• Client secret: Enter the client secret generated in your Azure AD account. See, How to generate a client secret
• Redirect URL: Enter the Redirect URL you have stored within the app registration in your Azure AD account (https://auth.atera.com/login/callback). 

Continue with OpenID Connect (OIDC)

Enter your OIDC details. Then click Add provider.

• Domain names: Enter the domain set up in your IdP. To enter more than one, separate them using commas.
• Issuer URL: Enter the URL for your IdP. Ensure the URL doesn't contain 'admin.'
• Client ID: Enter the client ID generated when registering Atera with your IdP. This is the confidential identifier that the IdP assigns to your application to recognize it during the authentication process. For more info, see Get Client ID
• Client secret: Enter the client secret generated by your IdP. For more info, see Get Client Secret
• Redirect URL: Enter the redirect URL you have stored within the app registration in your IdP (https://auth.atera.com/login/callback).

Remove domain from SSO

Remove a domain from SSO by removing the identity provider. 
Note: This will require users with that domain to log in with Two-factor authentication (2FA)

To remove a domain from SSO:

1. From Admin (on the sidebar), go to Users and security > Security and authentication.

The Security and authentication page appears.

2. Click the Authentication dropdown icon (). Then go to the Single sign-on (SSO) tab.

3. Hover over the domain, and click the Remove domain icon.

A confirmation dialog appears.

4. Click Remove.

The provider is removed from SSO authentication. 

All users with the domain will be required to log in with Two-factor identification (2FA).