
Getting Started with the Illumio Console

Authenticating Users with OIDC

Users with the Owner role can add external users from identity providers (IdPs) that conform to the OpenID Connect (OIDC) protocol. Although you can authenticate with any OIDC-compliant IdP, Illumio has validated the following well-known OIDC applications:

  • MS Entra ID (Azure AD)

  • Amazon Cognito

  • Auth0

  • Okta

  • SecureAuth

Integration with an OIDC-compliant application is your responsibility.

Caution

If you have multiple tenants, Illumio recommends that you use unique email domains to access each tenant on Illumio Console. Tie each tenant to a unique domain -- for example, to example.com for production and test.example.com for testing. Also, users must have their email addresses tied to these unique domains. This configuration lets Illumio Console correctly route authentication requests to the appropriate tenant based on the user's email address.

Customers using multiple tenants mapped to the same domain are advised to follow these steps:

  • Use OIDC configuration on one tenant to automatically redirect SSO requests to the Identity Providers.

  • For additional tenants, either add them as local users or use unique email domains for them.

Configure external user authentication through an OIDC IdP

  1. Go to Access > Authentication.

  2. At the Authentication page, click the OpenID Connect (OIDC) tile.

  3. On the OIDC page, several well-known identity providers are shown. Alternatively, you can use a different OIDC-compliant provider not listed here. Click the provider tile to see configuration information from that provider's documentation set.

    Alternatively, you can follow Illumio-specific configuration guidelines for these IdPs in the following topics:

  4. Follow the configuration steps for your selected provider, either by following the information in the Illumio-specific topics or from the general information in that provider's documentation. Make sure to retain the Client ID and Issuer URL generated by whichever procedure you follow.

  5. After you finish the external configuration at the OIDC-compliant IdP, enter the Client ID and Issuer URL provided by the IdP during your configuration procedure.

    Some IdPs use terms that do not obviously match the parameters you enter on the Illumio Console OIDC page. The following table maps the configuration terms used by some popular IdPs to their equivalent Illumio OIDC parameters.

    IdP Provider      Client ID Equivalent       Issuer URL Equivalent
    MS Entra ID       Application (client) ID    Directory (tenant) ID, used in: https://login.microsoftonline.com/<tenant_id>/v2.0
    Amazon Cognito    Client ID                  Token signing key URL, minus the trailing /.well-known/jwks.json
    Auth0             Client ID                  The Domain value prepended with "https://" and appended with ".us.auth0.com"
    SecureAuth        Client ID                  Issuer URL
    Okta              Client ID                  Issuer ID value prepended with "https://"

    Whatever your IdP calls it, the value you enter as the Issuer URL must match the issuer field of the IdP's discovery document (<Issuer URL>/.well-known/openid-configuration) character for character. OIDC requires the iss claim of every ID token to match the configured issuer exactly, so a stray trailing slash or a wrong region breaks sign-in. For Auth0, the ".us.auth0.com" suffix applies to US-region tenants; if the Domain value shown in your Auth0 application settings already contains a region or is a custom domain, use it as shown.

  6. Click Enable IdP Logout if you want users to also be logged out of their identity provider when they log out of Illumio Console.

  7. Click Save.
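The mapping in the table above is easy to get subtly wrong (a missing /v2.0 for Entra, an unstripped jwks.json suffix for Cognito, a trailing slash on any of them), and the mistake only surfaces as a failed login after you click Save. The following script is an added example, not Illumio code: it derives the Issuer URL from the value each IdP shows you and checks it against the IdP's OIDC discovery document before you paste it into the console. The provider keys ("entra", "cognito", "auth0", "okta", "secureauth"), the function names, the tenant ID and the discovery document embedded at the bottom are all constructed for the example.

```python
"""Derive the Illumio Console "Issuer URL" from the value your IdP shows you,
then sanity-check it against the IdP's OIDC discovery document.

Added example; this is not Illumio code and the sample values are made up.
"""
import json
import re
from urllib.request import urlopen


def issuer_from_idp_value(provider: str, value: str) -> str:
    """Map the IdP-specific value from the mapping table to an Issuer URL.

    provider: one of "entra", "cognito", "auth0", "okta", "secureauth"
    value:    the field the IdP shows (tenant ID, signing-key URL, Domain, ...)
    """
    p = provider.lower()
    v = value.strip().rstrip("/")
    if p == "entra":
        # Directory (tenant) ID goes into the v2.0 endpoint path.
        return f"https://login.microsoftonline.com/{v}/v2.0"
    if p == "cognito":
        # Token signing key URL minus the trailing /.well-known/jwks.json.
        suffix = "/.well-known/jwks.json"
        if not v.endswith(suffix):
            raise ValueError("expected the Cognito token signing key URL")
        return v[: -len(suffix)]
    if p == "auth0":
        # Domain value with https:// in front. The ".us.auth0.com" suffix from
        # the table is only added when the value is a bare tenant name, so
        # that EU/AU/JP tenants and custom domains pass through unchanged.
        host = re.sub(r"^https?://", "", v)
        if "." not in host:
            host += ".us.auth0.com"
        return f"https://{host}"
    if p in ("okta", "secureauth"):
        # Issuer value with https:// in front (Okta: org or custom auth server).
        return "https://" + re.sub(r"^https?://", "", v)
    raise ValueError(f"unsupported provider: {provider!r}")


def check_discovery(issuer: str, doc: dict) -> list:
    """Return the problems found when comparing `issuer` with a discovery
    document; an empty list means the value is safe to paste into the console.

    The issuer comparison is deliberately exact: OIDC requires the `iss`
    claim in every ID token to match the configured issuer byte for byte,
    so even a trailing-slash difference would make sign-in fail.
    """
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(
            f"issuer mismatch: discovery says {doc.get('issuer')!r}, "
            f"you entered {issuer!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"discovery document has no {key}")
        elif not doc[key].startswith("https://"):
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def fetch_discovery(issuer: str) -> dict:
    """Download the discovery document for `issuer` (needs network access)."""
    with urlopen(issuer + "/.well-known/openid-configuration", timeout=10) as r:
        return json.load(r)


# Constructed sample: the shape of an Entra ID tenant's discovery document for
# a made-up tenant ID. Real documents carry many more fields.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ISSUER = issuer_from_idp_value("entra", SAMPLE_TENANT_ID)
SAMPLE_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    print("Issuer URL to enter:", SAMPLE_ISSUER)
    print("problems:", check_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY) or "none")
    # Against a live IdP: check_discovery(issuer, fetch_discovery(issuer))
```

Run it against your real IdP by replacing the embedded sample with `fetch_discovery(issuer)`; if `check_discovery` reports an issuer mismatch, enter the value the discovery document reports rather than the one you derived, since that is what the IdP will put in the iss claim.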