Integrate Deploy with Digital.ai Platform Identity Service

Use the Digital.ai Identity Service to implement single sign-on (SSO) for your users—recommended for sites that have OIDC or SAML compliant IDPs.

Integrate your OIDC or SAML compliant IDP with Digital.ai Identity Service and later integrate Digital.ai Deploy with the Digital.ai Identity Service.

• To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
• We recommend you integrate Digital.ai Deploy with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.

For more information, see:

• Digital.ai Platform Account Administrator Handbook to quickly understand what it takes to integrate with the Digital.ai Platform Identity Service.
• Digital.ai Platform Documentation to learn more about the Digital.ai Platform Identity Service.

Step 1—Get Digital.ai Deploy URL

As a first step, you must have the Digital.ai Deploy installed. Once installed, gather and keep the Deploy URL handy.

Step 2—Create Your Digital.ai Platform Account

You must contact the Digital.ai Support team to get this account created.

For more information, see Account Setup.

Step 3—Add Deploy as an OIDC Client in the Digital.ai Platform Identity Service

1. Log in to the Digital.ai Platform.
2. In the left navigation, click Applications. Alternatively, you can click the Create application button on the Platform Overview page.
3. In Select application, choose Deploy from the list.
4. Add a valid redirect URI in the URL field.

<deploy url>/oidc-login

5. Optionally, you can enter details in the advanced configuration and the Mappers sections and click Next.
6. In Deploy configuration file, you can view the configuration file for this application. Copy and save this information when configuring Deploy.
7. Click complete.

For more information, see Add OIDC client.

Step 4—Connect Digital.ai Deploy to the Digital.ai Platform

At the end of creating an application, a summary of the application and instance details are displayed. In Deploy configuration file, you can view the configuration file for this application. Copy and save this information for configuring your application (as mentioned in the previous section).

Note: Digital.ai Deploy has no direct support for SAML. However, you can integrate Deploy as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Step 5—Connect Digital.ai Platform to Your Identity Provider (OIDC or SAML)

This step is optional until you wish to setup SSO via your corporate Identity provider to Digital.ai application. You can continue logging into Digital.ai using your locally manged accounts until you are ready for SSO setup.

Before you begin, you need to retrieve the following details from the Azure AD tenant you want to use to establish this OIDC or SAML SSO connection. You can find this information in your Microsoft Azure account by going to Manage Azure Active Directory > App registrations and opening the appropriate application (tenant). And retrieve the following details from the Okta tenant you want to use to establish this OIDC or SAML SSO connection. You can find this information in your Okta account by going to Applications and opening the appropriate application (tenant).

• OIDC

  • Client ID
  • Client secret
  • .well-known endpoint - In Azure AD this is known as OpenID Connect metadata and it looks like this: https://login.microsoftonline.com/\tenantName\/.well-known/openid-configuration

• SAML

  • Metadata URL

For more information, see:

• Connecting to Azure AD for SSO
• Connecting to Okta for SSO

In case you use a different OIDC or SAML-compliant IDP, refer to these docs and follow the same process with tool-specific changes as required.

JVM Sites

Do this on the Digital.ai Deploy server to integrate Release as on OIDC client with the Digital.ai Identity Service.

1. Install and enable the OIDC Authentication plugin, modify the Default configuration property to OIDC in the XL_DEPLOY_SERVER_HOME/centralConfiguration/deploy-server.yaml file.

2. To configure the OIDC Authentication plugin, add the following YAML code snippet to the XL_DEPLOY_SERVER_HOME/centralConfiguration/deploy-oidc.yaml file.

   deploy.security:
     auth:
       providers:
        oidc:
         loginMethodDescription:
         clientId: "<Your client ID>"
         clientSecret: "<Your client secret>"
         issuer: "<Enter the Open ID Provider Issuer>" # for example "https://identity.staging.digital.ai/auth/realms/demoaccount"
         redirectUri: "<deploy url>/login/external-login"
         postLogoutRedirectUri: "<deploy url>/login/external-login"
         rolesClaimName: "realm_access.roles"
         userNameClaimName: preferred_username

   The above configuration automatically fetches the required configuration from the discovery endpoint.

   For more information, see Configure Digital.ai Deploy for OIDC Authentication.

Kubernetes Sites

See Select the Type of OIDC Configuration.

Step 6—Log on to Deploy and Add the Admin User

Log on to Deploy and add the local Admin User.

1. Log on to Deploy as an Administrator.
2. Create a role named Admin and add the Digital.ai Platform's admin user to that role.
3. Assign Admin permissions to this Admin role you created.

For more information, see Configure Roles and Configure Permissions.

Your SSO setup is complete.