Single sign-on (SSO)

Introduction

The Sublime Platform integrates with OpenID Connect (OIDC), a modern single sign-on protocol, allowing you to authenticate with Sublime via Okta, OneLogin, Azure Active Directory, or any other OIDC provider.

๐Ÿ“˜

Enterprise feature

Sublime's OpenID Connect integration is available to Enterprise users.

Setup

There are two high-level steps to integrating the Sublime Platform with OpenID Connect:

  1. Obtain a set of OIDC settings, consisting of an issuer URL, a client ID, and a client secret
  2. Add these settings to Sublime

Obtain OIDC settings

The process for obtaining OIDC settings varies between OIDC identity providers, but typically involves creating an application that includes an OAuth 2.0 client ID and client secret, and configuring the appropriate redirect URI.

Okta

Below are the steps for obtaining OIDC settings via Okta.

Open the OIDC settings modal in Sublime:

  1. Log into the Sublime Platform
  2. Go to Settings > Account
  3. Under Authentication, click the button next to Open ID Connect
  4. Keep this page open, as you'll use the Initiate login URL and Redirect URI to set up an application in Okta

Create the application in Okta:

  1. Sign into your Okta admin console
  2. Go to Applications > Applications
  3. Click Create App Integration
  4. In the modal that opens, select Sign-in method of OIDC - OpenID Connect
  5. Then select Application type of Web Application
  6. Click the Next button
  7. Provide an App integration name, such as "Sublime Platform"
  8. Optionally add a logo. You can download the Sublime logo here.
  9. In the Grant type section, check Implicit (Hybrid)
  10. In Sign-in redirect URIs, paste the Redirect URI from Sublime
  11. Remove the default entry in Sign-out redirect URIs
  12. In the Controlled access section, select your preferred option
  13. Click the Save button
  14. Click the Edit button in the General Settings section
  15. In Login initiated by, select Either Okta or App
  16. In Initiate login URI, paste the Initiate login URL from Sublime
  17. Next to Application visibility, check Display application icon to users and optionally check Display application icon in the Okta Mobile app
  18. Click the Save button
  19. Note the Client ID and Client secret from the current page
  20. Click the Sign On tab
  21. Note the Issuer URL under OpenID Connect ID Token

You'll use the client ID, client secret, and issuer URL you noted in the next section

Add OIDC settings to Sublime

  1. Log into the Sublime Platform
  2. Go to Settings > Account
  3. Under Authentication, click the button next to Open ID Connect
  4. Enter your OIDC issuer URL*, client ID, and client secret**
  5. Click the Save button

Test the integration

You should now be able to sign into Sublime with your OIDC identity provider. You can verify the integration is working by either selecting the Sublime Platform application in your provider (for example, Okta), or by loading the Initiate login URL from your OIDC settings in Sublime.

๐Ÿ“˜

Matching user required

For a user to successfully sign into Sublime with your OIDC identity provider, there must already be a matching user with the same email address in Sublime.

Managing allowed authentication methods

Once you set up OpenID Connect, you can optionally restrict user signin to only OpenID Connect. If you'd like to use this option:

  1. Sign out of Sublime and verify signin via OpenID Connect is working
  2. Go to Settings > Account
  3. Under Authentication, click the button next to Allowed methods
  4. Select Users must log in with OpenID Connect SSO
  5. Click Save