Single sign-on (SSO)
Gentrace supports single sign-on (SSO) via OpenID Connect (OIDC). We support any OIDC provider via a custom configuration, and test for Okta in particular.
Security notes
When SSO is enabled, all new logins and new invites for users on matching domains will need to go through SSO.
This means that:
- Existing sessions will not be required to re-login (for continuity). Existing users will be required to log in via SSO the next time they need to log in.
- Users on non-matching domains will not be required to log in via SSO and will continue to log in via email.
- New users (and existing users who are not yet in the organization) on matching domains will be required to log in via SSO when they accept an invite to the organization.
Setup
Step 1: Connect Gentrace to your OIDC Provider
Navigate to security settings and press "Configure OIDC".
Configure the integration in your provider. You'll need to pass the Redirect URL from Gentrace to your SSO provider.
For example, here's how this looks in Okta:
Press Create:
Use OIDC (Web application):
Configure the redirect URL:
Then, configure the integration in Gentrace. You'll need to pass the OIDC Issuer, Client ID, and Client Secret to Gentrace.
In Okta, the issuer is the protocol and domain (e.g. https://<my-domain>.okta.com/). Here's how to get the Client ID and Client Secret:
And here's how that all looks in Gentrace.
Press "Continue" to test the configuration and continue to the next step if successful.
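Before pressing "Continue", you can sanity-check the issuer yourself. The script below is an added example (not Gentrace's own configuration test): it validates a parsed OIDC discovery document against the issuer value you intend to enter, and in particular flags an issuer that differs from the advertised one only by a trailing slash, since relying parties compare the ID token's iss claim to the configured issuer exactly. The document shown is constructed, and my-domain is a placeholder.

```python
"""Pre-check an OIDC discovery document before entering the issuer in an SSO config."""
import json
from urllib.parse import urlparse

# Endpoints an authorization-code ("Web application") integration relies on.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def validate_discovery(issuer: str, doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document is usable.

    issuer: the value you plan to enter as the OIDC Issuer.
    doc: parsed JSON from <issuer>/.well-known/openid-configuration
         (fetch it separately; this function is offline on purpose).
    """
    problems = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        problems.append("issuer must use https")
    if parsed.query or parsed.fragment:
        problems.append("issuer must not contain a query string or fragment")

    advertised = doc.get("issuer", "")
    if advertised != issuer:
        # iss is compared byte-for-byte, so "https://x/" != "https://x".
        if advertised.rstrip("/") == issuer.rstrip("/"):
            problems.append(
                f"issuer differs only by trailing slash: configured {issuer!r}, "
                f"document advertises {advertised!r}; enter the advertised form"
            )
        else:
            problems.append(f"issuer mismatch: document advertises {advertised!r}")

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


# Constructed sample modelled on an org-level discovery document; not a real tenant.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://my-domain.okta.com",
  "authorization_endpoint": "https://my-domain.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://my-domain.okta.com/oauth2/v1/token",
  "jwks_uri": "https://my-domain.okta.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token"]
}""")

if __name__ == "__main__":
    for issue in validate_discovery("https://my-domain.okta.com/", SAMPLE_DOC):
        print("WARNING:", issue)
```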
Step 2: Claim and verify your domain
In order to use Gentrace SSO, you need to claim an email domain and verify your ownership of it.
Press "Claim domain", then enter your domain (e.g. gentrace.ai) and press "claim".
Then, press "verify". You'll see instructions on how to verify your domain: you'll need to add a TXT record at your DNS provider.
Please get in touch at [email protected] if you are having trouble verifying your domain.
Press "Verify Domain" to test the DNS record and continue to the next step if successful.
Please note that it may take 24 hours or more for DNS changes to propagate depending on your DNS settings.
Step 3: Enable SSO
You can now enable SSO by pressing the "Enable" button.
All users authenticating to your organization with an email address on the claimed domain will be required to log in via SSO.
Other
If you'd like to add multiple organizations to your OIDC provider, please reach out to [email protected].