Identity Providers
Configure single sign-on (SSO) identity providers to allow users to authenticate to Prism using their existing corporate credentials. Prism supports Google, Microsoft, and custom OIDC (OpenID Connect) providers.
Prerequisites
- You must have administrator access to the identity provider you want to configure (e.g., Google Workspace Admin, Azure AD Admin).
Overview
Identity providers enable SSO, allowing users to log in to Prism using their existing accounts from services like Google Workspace or Microsoft 365. This eliminates the need for users to manage separate Prism credentials and centralizes authentication through your organization's identity provider.
The Identity Providers page is organized into tabs:
| Tab | Description | Link |
|---|---|---|
| Google IdP | Configure Google as an SSO identity provider | Google OAuth |
| Microsoft IdP | Configure Microsoft as an SSO identity provider | Microsoft OAuth |
| Custom IdP | Configure a custom OIDC identity provider | Custom OIDC |
How SSO Works in Prism
- A user navigates to the Prism login page.
- The user clicks the SSO button for their identity provider (e.g., "Sign in with Google").
- The user is redirected to the identity provider's login page.
- The user authenticates with their corporate credentials.
- The identity provider redirects the user back to Prism with an authentication token.
- Prism validates the token and creates or matches a user session.
- The user is logged in to Prism.
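The checks behind steps 3, 5 and 6 above, as an added example that is not Prism's code: it builds the authorization request, rejects a callback whose state was not issued by this session, and validates the ID token's iss, aud, exp and nonce claims. It assumes an HS256 shared secret so it runs offline (Google and Microsoft sign ID tokens with RS256 keys published via JWKS, but the claim checks are the same), and the hostnames idp.example and prism.example are invented.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_auth_request(auth_url, client_id, redirect_uri):
    """Step 3: redirect to the IdP. state ties the callback to this browser
    session; nonce ties the returned ID token to this login attempt."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile email",
              "state": state, "nonce": nonce}
    return f"{auth_url}?{urlencode(params)}", {"state": state, "nonce": nonce}

def parse_callback(callback_url, session):
    """Step 5: reject the callback before using the code unless state is the
    value this session issued (blocks CSRF / login-fixation callbacks)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    return q["code"][0]

def validate_id_token(token, key, issuer, client_id, nonce, now=None):
    """Step 6: verify the signature, then the claims every relying party must
    check (OIDC Core 3.1.3.7): iss, aud, exp, nonce."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:   # exact match, trailing slash included
        raise ValueError("issuer mismatch")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or from another login")
    return claims

def mint_id_token(key, claims):  # constructed stand-in for the IdP token endpoint
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
```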
Choosing an Identity Provider
| Provider | Best For | Protocol |
|---|---|---|
| Google | Organizations using Google Workspace | OAuth 2.0 / OIDC |
| Microsoft | Organizations using Microsoft 365 / Azure AD | OAuth 2.0 / OIDC |
| Custom OIDC | Any OIDC-compliant provider (Okta, Auth0, OneLogin, etc.) | OIDC |
You can configure multiple identity providers simultaneously. Users will see all configured providers as login options on the Prism login page.
Google OAuth
Configure Google as a single sign-on (SSO) identity provider, allowing users to log in to Prism using their Google Workspace accounts.
Prerequisites
- You must have administrator access to your Google Workspace / Google Cloud Console.
Step-by-Step Guide
Part 1: Configure Google Cloud Console
Before configuring Prism, you need to create OAuth credentials in the Google Cloud Console:
- Go to the Google Cloud Console.
- Select or create a project for your Prism integration.
- Navigate to APIs & Services > Credentials.
- Click Create Credentials > OAuth client ID.
- Select Web application as the application type.
- Add the Prism callback URL as an authorized redirect URI. This URL is provided on the Prism Identity Providers configuration page.
- Click Create.
- Copy the Client ID and Client Secret -- you will need these in the next step.
Keep the Client Secret secure. It should only be entered in the Prism configuration and never shared or stored in plain text.
Part 2: Configure Prism
- Navigate to Admin Portal > Identity Providers from the sidebar.
- Click the Google IdP tab.
- Enter the following fields:
  - Display Name -- Enter a unique name for this Google IdP. This generates an alias and updates the Redirect URI shown above the form.
  - Client ID -- Paste the Client ID from the Google Cloud Console.
  - Client Secret -- Paste the Client Secret from the Google Cloud Console.
- Copy the generated Redirect URI and add it to your Google Cloud Console's authorized redirect URIs if you haven't already.
- Click Save to save the configuration.
- Test the integration by logging out and attempting to sign in with Google.
Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Display Name | Text | Yes | A unique name for this Google IdP. Used to generate the alias and Redirect URI (e.g., a display name of "google-test" produces a redirect URI ending in /broker/google-test/endpoint). A numeric suffix may be added if the alias already exists. |
| Client ID | Text | Yes | The OAuth 2.0 Client ID obtained from the Google Cloud Console. Identifies your Prism instance to Google. |
| Client Secret | Text | Yes | The OAuth 2.0 Client Secret obtained from the Google Cloud Console. Used to securely authenticate your Prism instance with Google. |
What Happens Next
After configuring Google OAuth:
- A Sign in with Google button appears on the Prism login page.
- Users who belong to your Google Workspace domain can authenticate using their Google credentials.
After enabling Google SSO, you can still use username/password authentication for accounts that are not linked to Google. SSO is an additional login method, not a replacement.
Troubleshooting
| Issue | Solution |
|---|---|
| Redirect URI mismatch | Ensure the callback URL in the Google Cloud Console matches exactly what Prism provides. |
| Invalid Client ID/Secret | Regenerate the credentials in the Google Cloud Console and re-enter them in Prism. |
| Users cannot see the Google login button | Verify that the configuration was saved successfully and clear your browser cache. |
| Login fails with "access denied" | Check that the user's Google account is part of the allowed domain in your Google Workspace settings. |
Microsoft OAuth
Configure Microsoft as a single sign-on (SSO) identity provider, allowing users to log in to Prism using their Microsoft 365 or Azure Active Directory accounts.
Prerequisites
- You must have administrator access to your Azure Active Directory (Azure AD) / Microsoft Entra ID tenant.
Step-by-Step Guide
Part 1: Configure Azure AD
Before configuring Prism, you need to register an application in Azure AD:
- Go to the Azure Portal.
- Navigate to Azure Active Directory > App registrations.
- Click New registration.
- Enter a name for the application (e.g., "Prism SSO").
- Under Redirect URI, select Web and enter the Prism callback URL provided on the Prism Identity Providers configuration page.
- Click Register.
- On the app's overview page, copy the Application (client) ID.
- Navigate to Certificates & secrets > New client secret.
- Add a description and select an expiration period.
- Click Add and copy the Client Secret value immediately (it is only shown once).
Copy the Client Secret value immediately after creation. Azure AD only shows it once. If you lose it, you must create a new secret.
Part 2: Configure Prism
- Navigate to Admin Portal > Identity Providers from the sidebar.
- Click the Microsoft IdP tab.
- Enter the following fields:
  - Display Name -- Enter a unique name for this Microsoft IdP. This generates an alias and updates the Redirect URI shown above the form.
  - Client ID -- Paste the Application (client) ID from Azure AD.
  - Client Secret -- Paste the Client Secret value from Azure AD.
- Copy the generated Redirect URI and add it to your Azure AD app registration's redirect URIs if you haven't already.
- Click Save to save the configuration.
- Test the integration by logging out and attempting to sign in with Microsoft.
Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Display Name | Text | Yes | A unique name for this Microsoft IdP. Used to generate the alias and Redirect URI (e.g., a display name of "microsoft-prod" produces a redirect URI ending in /broker/microsoft-prod/endpoint). A numeric suffix may be added if the alias already exists. |
| Client ID | Text | Yes | The Application (client) ID obtained from Azure AD. Identifies your Prism instance to Microsoft. |
| Client Secret | Text | Yes | The Client Secret value obtained from Azure AD. Used to securely authenticate your Prism instance with Microsoft. |
What Happens Next
After configuring Microsoft OAuth:
- A Sign in with Microsoft button appears on the Prism login page.
- Users who belong to your Azure AD tenant can authenticate using their Microsoft credentials.
Troubleshooting
| Issue | Solution |
|---|---|
| Redirect URI mismatch | Ensure the callback URL in Azure AD matches exactly what Prism provides. |
| Invalid Client ID/Secret | Verify the Application (client) ID and regenerate the client secret in Azure AD if needed. |
| Client secret expired | Azure AD client secrets have expiration dates. Create a new secret and update the configuration in Prism. |
| Users cannot see the Microsoft login button | Verify that the configuration was saved successfully and clear your browser cache. |
| Login fails with "consent required" | Ensure admin consent has been granted for the required scopes in Azure AD. |
Custom OIDC Provider
Configure a custom OpenID Connect (OIDC) identity provider for SSO. This option supports any OIDC-compliant identity provider, including Okta, Auth0, OneLogin, Ping Identity, and others.
Prerequisites
- You must have administrator access to your OIDC identity provider.
- You must know the OIDC endpoints (issuer, authorization URL, token URL, UserInfo URL) for your provider.
Step-by-Step Guide
Part 1: Configure Your Identity Provider
Before configuring Prism, you need to create an OIDC application/client in your identity provider:
- Log in to your identity provider's admin console.
- Create a new OIDC application or client.
- Set the application type to Web.
- Add the Prism callback URL as an allowed redirect URI. This URL is provided on the Prism Identity Providers configuration page.
- Note the following values from your identity provider:
  - Issuer -- The OIDC Issuer URL.
  - Authorization URL -- The endpoint where users are redirected to authenticate.
  - Token URL -- The endpoint used to exchange authorization codes for tokens.
  - UserInfo URL -- The endpoint used to retrieve user profile information.
  - Logout URL (optional) -- The endpoint used to end the IdP session on sign-out.
  - Client ID -- The unique identifier for the OIDC application.
  - Client Secret -- The secret key for the OIDC application.
Part 2: Configure Prism
- Navigate to Admin Portal > Identity Providers from the sidebar.
- Click the Custom IdP tab.
- Enter the following fields:
  - Display Name -- Enter a unique name for this Custom IdP. This generates an alias and updates the Redirect URI shown above the form.
  - Client ID -- The Client ID from your identity provider.
  - Client Secret -- The Client Secret from your identity provider.
  - Issuer -- The OIDC Issuer URL of your identity provider.
  - Authorization URL -- The identity provider's authorization endpoint.
  - Token URL -- The identity provider's token endpoint.
  - UserInfo URL -- The identity provider's UserInfo endpoint.
  - Logout URL (optional) -- The identity provider's logout endpoint.
- Copy the generated Redirect URI and add it to your identity provider's allowed redirect URIs if you haven't already.
- Click Validate to verify the configuration.
- Click Create to save the configuration.
- Test the integration by logging out and attempting to sign in with the custom provider.
Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Display Name | Text | Yes | A unique name for this Custom IdP. Used to generate the alias and Redirect URI (e.g., a display name of "custom" produces a redirect URI ending in /broker/custom/endpoint). A numeric suffix may be added if the alias already exists. |
| Client ID | Text | Yes | The unique identifier for the OIDC application registered in your identity provider. |
| Client Secret | Text | Yes | The secret key associated with the OIDC application. Required for new configurations. |
| Issuer | URL | Yes | The OIDC Issuer URL of your identity provider (e.g., https://your-provider.com). |
| Authorization URL | URL | Yes | The OIDC authorization endpoint of your identity provider. Users are redirected here to authenticate. |
| Token URL | URL | Yes | The OIDC token endpoint used to exchange authorization codes for access and ID tokens. |
| UserInfo URL | URL | Yes | The OIDC UserInfo endpoint used to retrieve user profile information. |
| Logout URL | URL | No | The OIDC logout endpoint. If provided, users are redirected here on sign-out to end the IdP session. |
The exact names and locations of these fields vary by identity provider. Consult your provider's documentation for specific setup instructions.
Common Provider Examples
Okta
| Field | Example Value |
|---|---|
| Issuer | https://your-org.okta.com/oauth2/default |
| Authorization URL | https://your-org.okta.com/oauth2/default/v1/authorize |
| Token URL | https://your-org.okta.com/oauth2/default/v1/token |
| UserInfo URL | https://your-org.okta.com/oauth2/default/v1/userinfo |
| Logout URL | https://your-org.okta.com/oauth2/default/v1/logout |
Auth0
| Field | Example Value |
|---|---|
| Issuer | https://your-domain.auth0.com/ |
| Authorization URL | https://your-domain.auth0.com/authorize |
| Token URL | https://your-domain.auth0.com/oauth/token |
| UserInfo URL | https://your-domain.auth0.com/userinfo |
| Logout URL | https://your-domain.auth0.com/v2/logout |
OneLogin
| Field | Example Value |
|---|---|
| Issuer | https://your-domain.onelogin.com/oidc/2 |
| Authorization URL | https://your-domain.onelogin.com/oidc/2/auth |
| Token URL | https://your-domain.onelogin.com/oidc/2/token |
| UserInfo URL | https://your-domain.onelogin.com/oidc/2/me |
| Logout URL | https://your-domain.onelogin.com/oidc/2/logout |
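One way to perform the kind of check the Validate step runs before a Custom IdP is saved, as an added example that is not Prism's own implementation: it compares the form fields against the provider's OIDC discovery document (fetched from the Issuer's /.well-known/openid-configuration; fetching is assumed done and a constructed Auth0-shaped document is embedded) and flags the byte-for-byte Issuer mismatch that the trailing-slash differences in the tables above make easy to introduce.

```python
import json

# Prism form field -> discovery-document key that must hold the same value.
FIELD_TO_DISCOVERY_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "UserInfo URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",  # optional on both sides
}

def discovery_url(issuer):
    """OIDC Discovery 4.1: one trailing slash is dropped before the suffix, so
    the Auth0 and Okta issuer forms in the tables above both resolve."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def validate_custom_idp(form, discovery_json):
    """Return a list of problems; an empty list means the form is consistent
    with what the provider publishes."""
    doc = json.loads(discovery_json)
    problems = []
    # The published issuer must equal the configured Issuer byte for byte; it is
    # the same string that is later compared against the ID token's iss claim.
    if doc.get("issuer") != form.get("Issuer"):
        problems.append(f"Issuer mismatch: form {form.get('Issuer')!r} vs "
                        f"discovery {doc.get('issuer')!r}")
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        configured, published = form.get(field), doc.get(key)
        if not configured:
            if field != "Logout URL":
                problems.append(f"{field} is required")
            continue
        if not configured.startswith("https://"):
            problems.append(f"{field} must use https")
        if published and configured != published:
            problems.append(f"{field} mismatch: form {configured!r} vs "
                            f"discovery {published!r}")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("provider does not advertise the authorization code flow")
    return problems

# Constructed discovery document in the shape Auth0 publishes (values invented).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-domain.auth0.com/",
    "authorization_endpoint": "https://your-domain.auth0.com/authorize",
    "token_endpoint": "https://your-domain.auth0.com/oauth/token",
    "userinfo_endpoint": "https://your-domain.auth0.com/userinfo",
    "response_types_supported": ["code", "id_token"],
})
```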
What Happens Next
After configuring a custom OIDC provider:
- A new SSO login button appears on the Prism login page.
- Users who have accounts in the configured identity provider can authenticate using their existing credentials.
Troubleshooting
| Issue | Solution |
|---|---|
| Redirect URI mismatch | Ensure the callback URL in your identity provider matches exactly what Prism provides. |
| Invalid endpoints | Verify the Authorization URL and Token URL are correct and accessible. |
| Scope errors | Check that your identity provider supports the requested scopes. Try openid profile email as a baseline. |
| Token validation fails | Ensure the Client ID and Client Secret are correct and the application is active in your identity provider. |
Keep the Client Secret secure. It should only be entered in the Prism configuration and never shared, logged, or stored in plain text.