Single Sign-On (SSO) Setup in 6clicks

6clicks SSO is designed to work with a select few Identity Providers (IdPs). These articles provide specific setup steps for Azure AD, Okta, and Ping Identity. The setup requires the following steps:

  1. 6clicks SSO setup - retrieve the necessary settings for your IdP.

  2. Identity Provider - create an OIDC application with the 6clicks settings for your tenant.

    1. Okta

    2. Azure

  3. Create groups in the Identity Provider to match 6clicks roles and assign them to the application.

  4. Finish the SSO setup in 6clicks.

This should, where possible, be completed in one session to avoid errors. 

Each Identity Provider handles SSO via OpenID Connect (OIDC) a little differently. The setup instructions provided below are only one way to set up SSO at each IdP; depending on how your organization is architected, there are alternative ways. To summarise, two things are required:

  1. The user is authorized to access the 6clicks OIDC SPA set up in the Identity Provider.

  2. 6clicks roles are included in the ID Token via a custom scope.

6clicks SSO Retrieve Settings

Sign in to 6clicks with a user account that has Admin, Administrator, and Single Sign-on permissions (see User and Role Permissions, 6clicks.com). Navigate to Administration → Single Sign-On. The callback URIs, logout URI, and 6clicks roles are needed to set up the 6clicks application in your Identity Provider.

Identity Provider Setup

Head over to your Identity Provider and follow the setup instructions.

Finish 6clicks SSO Setup

Within 6clicks SSO Setup, the Issuer URI, Client ID, and Domain values need to be added:

  • Issuer URI: should come from your Identity Provider.

  • Client ID: also known as the application (app) ID; it comes from your Identity Provider.

  • Domain: this is the domain used by your organization. Any user with an email address with this domain will be forced to use SSO.

If your organization has multiple domains, you will need to enter them in the Domain box below. To add multiple domains, enter each domain name and press Enter.

  • Check “Include "groups" scope in Authentication Request to Authorization Endpoint” if using a 'groups' scope.

    • Okta Org servers use a 'groups' scope, so check this box.

    • Azure AD, Ping, and Okta custom servers do not use a 'groups' scope by default, so leave this unchecked unless you know your particular setup requires a 'groups' scope.
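
To confirm the two requirements summarised earlier once setup is finished, you can inspect the claims of an ID token issued by your IdP. The following is an added example, not 6clicks or IdP code: it assumes the roles arrive in a claim named groups and the address in a claim named email, and every sample value in it is constructed.

```python
import base64
import json

def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_id_token(token, issuer_uri, client_id, domains, role_groups, claim="groups"):
    """List setup problems visible in an ID token's claims.

    Inspection only: the signature is not verified here, so this is for
    debugging a configuration, not for making access decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    claims, problems = decode_segment(parts[1]), []
    if claims.get("iss") != issuer_uri:
        problems.append("iss does not match the Issuer URI")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Client ID")
    # "email" and the group claim name are assumptions; IdPs differ.
    domain = str(claims.get("email", "")).rpartition("@")[2].lower()
    if domain not in {d.lower() for d in domains}:
        problems.append("email domain is not a configured SSO domain")
    groups = claims.get(claim)
    if groups is None:
        problems.append(f"no '{claim}' claim in the ID token")
    elif not set([groups] if isinstance(groups, str) else groups) & set(role_groups):
        problems.append("no group matches a 6clicks role")
    return problems

def sample_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])

# Constructed values; real ones come from your IdP and the 6clicks SSO page.
SETTINGS = dict(issuer_uri="https://idp.example.com", client_id="example-client-id",
                domains=["example.com"], role_groups=["example-6clicks-role"])
GOOD = {"iss": "https://idp.example.com", "aud": "example-client-id",
        "email": "alice@example.com", "groups": ["example-6clicks-role", "staff"]}

if __name__ == "__main__":
    print(check_id_token(sample_token(GOOD), **SETTINGS))  # no problems
    no_groups = {k: v for k, v in GOOD.items() if k != "groups"}
    print(check_id_token(sample_token(no_groups), **SETTINGS))
```

An empty list means the token carries the issuer, client ID, domain and role group that the 6clicks settings expect; a missing group claim usually points at the scope or group assignment in the IdP.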
