Before you begin
To complete this guide, you’ll need:- A ConductorOne enrollment code (if you don’t have an enrollment code, contact support@conductorone.com)
- Ability to create an SSO app in the IdP (if using Okta, OneLogin, or JumpCloud)
Step 1: Register your ConductorOne domain
In the Domain field, enter the domain you want to use for your ConductorOne instance.For example, if you work at Acme Co., enter
acmeco to create an acmeco.conductor.one domain.In the Invite code field, paste in the invite code you received from ConductorOne. The code is case-sensitive.
Step 2: Authenticate with your SSO provider
Jump to the instructions for your SSO provider:Authenticate with Google
When prompted to login, click your corporate account and continue logging in. Google will now re-authenticate you, if needed, and log you in to ConductorOne.Authenticate with Okta
Step 1: Add the ConductorOne app in Okta
First, add the ConductorOne app to Okta.In a new browser tab, navigate to the Okta admin console and click Applications > Applications > Browse App Catalog.
Step 2: Assign users to the Okta app
Next, assign the ConductorOne app to an Okta user or group so the user or group can access and use the app.Click Save and Go Back. The Assigned button for the user or group is disabled to indicate the app integration is assigned.
Step 3: Input OAuth credentials into Okta ConductorOne app
In this step, you’ll configure the SSO settings for the ConductorOne app in Okta. To complete this step you’ll move back and forth between your Okta tab and the ConductorOne registration tab.In Okta, click Applications > Applications > ConductorOne to return to the new ConductorOne application’s details screen.
Copy your Okta domain (such as
acmeco.okta.com) from the browser’s address bar and paste your Okta domain into the Okta domain field in ConductorOne.In Okta, click the Sign On tab. Copy the ConductorOne app’s client ID by clicking the Copy to clipboard icon.
In Okta, copy the ConductorOne app’s client secret by clicking the Copy to clipboard icon, then paste the client secret into the Client secret field in ConductorOne.
Authenticate with OneLogin
Step 1: Create an OIDC app in OneLogin
In a new browser tab, navigate to the OneLogin administration portal and click Apps.
Enter the following information in the specified fields:
- Display name: ConductorOne
- (Optional) Logo:
On the Configuration tab, fill out the specified fields as follows:
- Login Url: Leave this field blank
- Redirect URI’s: Enter
https://accounts.conductor.one/auth/callback - Post Logout Redirect URIs: Leave this field blank
Step 2: Configure the SSO settings on the OneLogin ConductorOne app
In this step, you’ll configure the SSO settings for the ConductorOne app in OneLogin. To complete this step you’ll move back and forth between your OneLogin tab and the ConductorOne registration tab.In OneLogin, copy your OneLogin domain (such as
acmeco.onelogin.com) from the browser’s address bar.Step 3: Assign users to the OneLogin ConductorOne app
Lastly, give your colleagues access to ConductorOne via OneLogin SSO by adding the new ConductorOne app to one or more OneLogin user groups.Select the existing user group you’d like to give access to ConductorOne (or create a new user group by clicking the Create button).
Authenticate with JumpCloud
Step 1: Create an OIDC app in JumpCloud
In a new browser tab, navigate to the JumpCloud Admin Portal and click User authentication > SSO.
Enter the following information in the specified fields:
- Display Label: ConductorOne
- (Optional) Logo:
On the SSO tab, fill out the specified fields as follows:
- Redirect URIs: Enter
https://accounts.conductor.one/auth/callback - Client Authentication Type: Client Secret POST
- Login URL:
https://YOUR_DOMAIN.conductor.one/login?sso_operation=initiate_login(use the ConductorOne domain you chose in Step 1)
In the User Attribute Mapping section, enter
email in the Service Provider Attribute Name field and select email in the JumpCloud Attribute Name field, then click Add Attribute.Step 2: Configure OIDC settings on the JumpCloud ConductorOne app
In this step, you’ll configure the SSO settings for the ConductorOne app in OneLogin. To complete this step you’ll move back and forth between your JumpCloud tab and the ConductorOne registration tab.In JumpCloud, copy the ConductorOne app’s client secret and paste it into the Client secret field in ConductorOne.
Step 3: Grant users access and login
Lastly, give your colleagues access to ConductorOne via JumpCloud SSO by adding the new ConductorOne app to a JumpCloud user group.Select the existing user group you’d like to give access to ConductorOne (or create a new user group by clicking the Create button).
Authenticate with Microsoft
Review the permissions requested by ConductorOne. These permissions are needed to establish the SSO link between Microsoft and ConductorOne.
- If you have the correct permission level in Microsoft, check the box to Consent on behalf of your organization. This enables the requested ConductorOne permissions for all users in your organization.
- If you do not have the permissions needed to check the box, before other users attempt to sign into ConductorOne using SSO, direct your Microsoft administrator to manage permissions for the ConductorOne application in by navigating to Enterprise applications > ConductorOne SSO > Permissions and clicking Grant admin consent for ….
Authenticate with PingOne
Step 1: Create an OIDC app in PingOne
In a new browser tab, log into your PingOne Administration console and navigate to Applications > Applications.
Enter the following information in the specified fields:
- Application name: ConductorOne
- (Optional) Logo:
On the Configuration tab, click Edit and fill out the specified fields as follows:
- Token Endpoint Authentication Method: Client Secret Post
- Redirect URI’s: Enter
https://accounts.conductor.one/auth/callback - Initiate Login URI: Enter
https://your_domain.conductor.one/login
Step 2: Configure the SSO settings on the OneLogin ConductorOne app
Back in the ConductorOne setup tab, paste the Client ID, Client secret, and Environment ID into the form at the right of the page.
Authenticate with generic OpenID Connect
Step 1: Create an OIDC app in your identity provider
In a new browser tab, log into your identity provider and create a new OIDC application.
- Configure the redirect URI to use
https://accounts.conductor.one/auth/callback. - Ensure the authorization code flow is enabled.
Gather OIDC credentials to pass to ConductorOne:
- Issuer URL (the base URL of your OIDC provider)
- Client ID
- Client secret
- Optional: Additional scopes beyond openid, profile, and email
Back in the ConductorOne setup tab, paste the Issuer URL, Client ID, Client secret, and any OIDC scopes into the relevant fields in the form at the right of the page.