Integrate Release with Digital.ai Platform Identity Service

Use the Digital.ai Identity Service to implement single sign-on (SSO) for your users—recommended for sites that have OIDC or SAML compliant IDPs.

Integrate your OIDC or SAML compliant IDP with Digital.ai Identity Service and later integrate Digital.ai Release with the Digital.ai Identity Service.

• To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
• We recommend you integrate Digital.ai Release with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.

For more information, see:

• Digital.ai Platform Account Administrator Handbook to quickly understand what it takes to integrate with the Digital.ai Platform Identity Service.
• Digital.ai Platform Documentation to learn more about the Digital.ai Platform Identity Service.

Step 1—Get Digital.ai Release URL

As a first step, you must have the Digital.ai Release installed. Once installed, gather and keep the Release URL handy.

Step 2—Create Your Digital.ai Platform Account

You must contact the Digital.ai Support team to get this account created.

For more information, see Account Setup.

Step 3—Add Release as an OIDC Client in the Digital.ai Platform Identity Service

1. Log in to the Digital.ai Platform.
2. In the left navigation, click Applications. Alternatively, you can click the Create application button on the Platform Overview page.
3. In Select application, choose Release from the list.
4. Add a valid redirect URI in the URL field.

<release url>/oidc-login

5. Optionally, you can enter details in the advanced configuration and the Mappers sections and click Next.
6. In Release configuration file, you can view the configuration file for this application. Copy and save this information when configuring Release.
7. Click complete.

For more information, see Add OIDC client.

Step 4—Connect Digital.ai Release to the Digital.ai Platform

At the end of creating an application, a summary of the application and instance details are displayed. In Release configuration file, you can view the configuration file for this application. Copy and save this information for configuring your application (as mentioned in the previous section).

Note: Digital.ai Release has no direct support for SAML. However, you can integrate Release as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Step 5—Connect Digital.ai Platform to Your Identity Provider (OIDC or SAML)

This step is optional until you wish to setup SSO via your corporate Identity provider to Digital.ai application. You can continue logging into Digital.ai using your locally manged accounts until you are ready for SSO setup.

Before you begin, you need to retrieve the following details from the Azure AD tenant you want to use to establish this OIDC or SAML SSO connection. You can find this information in your Microsoft Azure account by going to Manage Azure Active Directory > App registrations and opening the appropriate application (tenant). And retrieve the following details from the Okta tenant you want to use to establish this OIDC or SAML SSO connection. You can find this information in your Okta account by going to Applications and opening the appropriate application (tenant).

• OIDC

  • Client ID
  • Client secret
  • .well-known endpoint - In Azure AD this is known as OpenID Connect metadata and it looks like this: https://login.microsoftonline.com/\tenantName\/.well-known/openid-configuration

• SAML

  • Metadata URL

For more information, see:

• Connecting to Azure AD for SSO
• Connecting to Okta for SSO

In case you use a different OIDC or SAML-compliant IDP, refer to these docs and follow the same process with tool-specific changes as required.

JVM Sites

Do this on the Digital.ai Release server to integrate Release as on OIDC client with the Digital.ai Identity Service.

1. Install the OIDC Authentication plugin, modify the Default configuration property to OIDC in the XL_RELEASE_SERVER_HOME/xl-release.conf file.

2. To configure the OIDC Authentication plugin, add the following code snippet to the XL_RELEASE_SERVER_HOME/xl-release.conf file.

   xl {
     security {
       auth {
         providers {
           oidc {
             clientId="<your client id here>"
             clientSecret="<your client secret here>"
   
             issuer: "<Enter the Open ID Provider Issuer>" # for example "https://identity.staging.digital.ai/auth/realms/demoaccount"
             redirectUri: "<release url>/oidc-login"
             postLogoutRedirectUri: "<release url>/oidc-login"
   
             scopes=["<your>", "<scopes>", "<here>"]
   
             rolesClaim="<your roles claim here>"
             userNameClaim="<your username claim here>"
             emailClaim="<your email claim here>"
             fullNameClaim="<your fullName claim here>"
             externalIdClaim="<user's employee ID or GitHub ID, for example>" //This is an optional claim
           }
         }
       }
     }
   }

   The above configuration automatically fetches the required configuration from the discovery endpoint.

   For more information, see Configure Digital.ai Release for OIDC Authentication.

Kubernetes Sites

See Select the Type of OIDC Configuration.

Step 6—Log on to Release and Add the Admin User

Log on to Release and add the local Admin User.

1. Log on to Release as an Administrator.
2. Create a role named Admin and add the Digital.ai Platform's admin user to that role.
3. Assign Admin permissions to this Admin role you created.

For more information, see Configure Roles and Configure Permissions.

Your SSO setup is complete.