SSO with OpenID Connect

OX Security supports Single Sign-On (SSO) for secure authentication and centralized access control. The connection allows users to sign in to OX Security with their corporate credentials managed by an Identity Provider (IdP).

OX Security supports:

• Auto-provisioning: Automatically creates user accounts at first login.

• App-initiated login: Starts login directly from the OX sign-in page.

• Group-based roles and scopes: Assigns OX permissions based on IdP groups.

When auto-provisioning is ON:

• OX automatically creates a user account when someone signs in through the IdP.

• Account details (name, email, groups) come directly from the IdP.

• You do not need to invite users manually.

When auto-provisioning is OFF:

• OX does not create accounts automatically.

• You must invite users manually before they can access OX.

Prerequisites

• OX and IdP admin permissions

• A decision on enabling optional features:

  • App-initiated login

  • Auto-provisioning for roles

  • Auto-provisioning for scopes

• Access to your IdP’s OIDC metadata and ability to create a Client ID and Client Secret

Process steps

1. Get the OX inputs for your IdP [OX]

2. Register the application [IdP]

3. Configure the IdP settings [IdP]

4. Configure SSO [OX]

5. Enable IdP app-initiated login and visibility [OX - IdP]

6. Configure auto-provisioning for roles [OX - IdP]

7. Configure Auto-Provisioning for Scopes [OX - IdP]

8. Test the sign-in [OX]

9. Troubleshooting

Step 1: Get OX Inputs for your IdP [OX]

The inputs are specific for your IdP and organization.

1. To get the correct values from OX, go to Settings > Login and click the IdP icon. The Configuration screen opens.

   
2. Click OIDC SSO SETUP INSTRUCTIONS.

3. Find the parameters, copy the values, and save them for use in Step 3:

   • Redirect URI (Callback URL)

   • Initiate login URI

Step 2: Register the application [IdP]

1. Log in to your IdP Admin console.

2. Go to Applications > Create App Integration (or equivalent).

3. Select OIDC 2.0 as the sign-in method.

4. Choose Web Application as application type.

5. Set the Sign-in redirect URI to: https://auth.app.ox.security/login/callback

6. Save to generate the Client ID and Client Secret.

Step 3: Configure the IdP settings [IdP]

1. In your IdP, open the Admin console.

2. Configure the Redirect URI (Callback URL): Use the value you saved in Step 1.

3. Copy these values from your IdP and save them for use in Step 4.

   • OIDC Domain

   • Client ID

   • Client Secret

Step 4: Configure SSO [OX]

1. In OX, go to Settings > Login and click the relevant IdP icon. The Configuration screen opens.

   
2. Enter the details collected from your IdP in Step 3.

   • OIDC Domain

   • Client ID

   • Client Secret

3. Click Save.

   Auto-provisioning is enabled by default. The feature allows OX to create user accounts automatically upon first sign-in. To disable it, deactivate the toggle.

Optional Step 5: Enable IdP app-initiated login and visibility [OX-IdP]

This step allows users to start their login directly from your IdP dashboard.

1. In your IdP, open General settings for the OIDC app.

2. Add the Initiate login URI you saved in Step 1.

3. Click Save.

Optional Step 6: Configure auto-provisioning for roles [OX-IdP]

This step enables the automatic assignment of OX Security roles based on user groups in your IdP.

1. Each role group requires a prefix. The default is: XApp-. To change the prefix in OX, go to Settings > Login > [IdP icon] and enter a different prefix.

   
2. Create IdP role groups: In your IdP, go to Directory > Groups and create groups using these exact names (case-sensitive) for each OX role you want to sync:

   • OXApp-Admin

   • OXApp-Developer

   • OXApp-Dev Manager/Security Champion

   • OXApp-Policy Manager

   • OXApp-Read Only

3. Map group attributes: In your IdP, ensure you have groups attribute mapping enabled.

4. Enable sync: In OX, go to Settings > Login > [IdP icon] and enable Sync OX Group Roles using the prefix you selected.

   
5. Click Save.

6. In the IdP, assign users who need that specific scope access as members of the corresponding group.

Optional Step 7: Configure Auto-Provisioning for Scopes [OX-IdP]

This step enables the automatic assignment of granular access scopes based on user groups in your IdP. There is no prefix required for Scopes in OX; however, you do need to create a Scopes group and assign an owner.

1. In OX, go to the Applications page, and select an app from the list. From the header, click the Assign Owner icon.

   
2. In the Assign Application Owners screen:

   • Select a role.

   • App New Owner: Enter a descriptive name.

   • Email: Enter an email. The email can be a functional address.

   
3. Click + ADD. This generates the SSO Group String. Save this string to paste into the IdP.

   
4. Create scope groups in the IdP: In your IdP, go to Directory > Groups and create scope groups using these specific formats. - App Owner Scope: OXAppOwnerScope-<SCOPE_NAME>-id:<APP_OWNER_ID> Example: OXAppOwnerScope-DevOps-id:[email protected] - Tag Scope: OXTagScope-<TAG_NAME>-id:<TAG_ID> Example: OXTagScope-app-id:acme-app

5. Assign members in the IdP: In the IdP, assign members to the relevant scope groups.

6. Enable sync in OX: In OX, go to Settings > Login > [Idp] and enable the toggle Sync OX Group Scopes. Generally select the Entire Organization.

   
7. Click Save.

Step 8: Test the Sign-In [OX]

1. In OX, log out then log in again using your SSO.

2. Verify that the configured roles and scopes from your IdP are applied correctly.

Your OX organization is now connected to your IdP. Users can sign in securely with corporate credentials, and applied roles and scopes are based on the IdP configuration.

Troubleshooting

The table lists some possible issues and recommended actions.