
Configure Single Sign-On

Supported Identity Providers (IdPs)

Step 1: Exchange onboarding code for temporary token

Prequel will give you a temporary code to exchange for an onboarding JWT, along with the code's expiration date. You must exchange the code before it expires.

curl -s -XGET "https://onboard-beta.prequel.dev/v1/auth/validate?code=XXXX-YYYY"

Example output:

{"token": "eyJhbGciOiJIUzI1NiIsInR5...UZew"}

The JWT will expire on the same day as the temporary code.

export TOKEN=eyJhbGciOiJIUzI1NiIsInR5...UZew

Step 2: Provide OpenID Connect Well-Known Configuration and Domain

Use the JWT from Step 1 to start OAuth onboarding by providing the URL of your IdP's OpenID Connect Well-Known Configuration and your organization's email domain.

IdP         Example Well-Known URL
Auth0       https://prequel.us.auth0.com/.well-known/openid-configuration
Okta        https://prequel.okta.com/oauth2/default/.well-known/oauth-authorization-server
Google      https://accounts.google.com/.well-known/openid-configuration
GitHub      https://github.com/login/oauth/.well-known/openid-configuration
JumpCloud   https://oauth.id.jumpcloud.com/.well-known/openid-configuration

curl -s -H "Authorization: Bearer $TOKEN" -XPOST "https://onboard-beta.prequel.dev/v1/api/oauth" -d '{"well_known_url":"https://orgname.okta.com/oauth2/default/.well-known/oauth-authorization-server", "domain":"orgname.com", "org_name":"My Org Name"}'

Example output:

{"sign_in_uri":"https://api-beta.prequel.dev:8080/v1/auth/callback/1c0b4082-eb78-4bcd-9d53-06ca4b34ccf1","transaction_id":"6RfwFnaJLbGmy4CfVWdFc9"}
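The following is an added example, not Prequel's own code or API: a Python pre-flight check for Steps 1 and 2. It reads the onboarding JWT's exp claim without verifying the signature (the HS256 key is Prequel's, so a client cannot verify it) so you never submit a token that has already expired, and it checks a discovery document against the well-known URL you are about to submit: https only, required endpoints present, the authorization code flow advertised, and the issuer actually owning the well-known path. The sample token, HMAC key and Okta-style discovery document are constructed for the example; the issuer-match rule assumes the well-known URL lives under the issuer (<issuer>/.well-known/...), which holds for every IdP in the table above.

```python
"""Pre-flight checks for Steps 1 and 2 (added example; not Prequel's own code).

Two failure modes: the onboarding JWT from Step 1 is submitted after its `exp`,
and the well-known URL for Step 2 names a discovery document that does not
belong to the issuer you think (or lacks the endpoints a code-flow login needs).
Both are checked offline here against constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.

    The onboarding token is HS256 and the key is Prequel's, so a client cannot
    verify it; we only read `exp` so we never submit a token that is already dead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing unsigned token (alg=none)")
    return json.loads(_b64url_decode(parts[1]))


def token_seconds_left(token: str, now: Optional[float] = None) -> int:
    """Seconds until the token's `exp` claim; negative means already expired."""
    claims = jwt_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(well_known_url: str, doc: Dict) -> List[str]:
    """Return problems with an OIDC/OAuth discovery document; an empty list means OK.

    Checks: https only; `issuer` is an https URL and the well-known URL lives
    under it (<issuer>/.well-known/..., as in OIDC Discovery); required endpoints
    are present; the authorization code flow is advertised.
    """
    problems = []
    if urlparse(well_known_url).scheme != "https":
        problems.append("well_known_url must use https")
    for key in REQUIRED_DISCOVERY_KEYS:
        if not doc.get(key):
            problems.append(f"discovery document is missing {key}")
    issuer = str(doc.get("issuer", ""))
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must be an https URL")
    elif not well_known_url.startswith(issuer.rstrip("/") + "/.well-known/"):
        problems.append(f"issuer {issuer!r} does not match well_known_url")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type=code")
    return problems


# --- constructed sample data (not real tokens, keys or tenants) ---
SAMPLE_KEY = b"not-prequels-key"  # made-up HMAC key so the sample token is well-formed HS256


def make_sample_token(exp: int) -> str:
    """Mint a structurally valid HS256 JWT for exercising the checks above."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({"sub": "onboarding", "exp": exp}).encode())
    sig = hmac.new(SAMPLE_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


SAMPLE_WELL_KNOWN = "https://orgname.okta.com/oauth2/default/.well-known/oauth-authorization-server"
SAMPLE_DISCOVERY = {  # constructed Okta-style document, trimmed to the fields checked
    "issuer": "https://orgname.okta.com/oauth2/default",
    "authorization_endpoint": "https://orgname.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://orgname.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://orgname.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    now = int(time.time())
    print("seconds left on fresh token:", token_seconds_left(make_sample_token(now + 3600), now))
    print("seconds left on stale token:", token_seconds_left(make_sample_token(now - 60), now))
    print("problems (good doc):", check_discovery(SAMPLE_WELL_KNOWN, SAMPLE_DISCOVERY))
    spoofed = dict(SAMPLE_DISCOVERY, issuer="https://attacker.example/oauth2/default")
    print("problems (spoofed issuer):", check_discovery(SAMPLE_WELL_KNOWN, spoofed))
```

In practice you would fetch the well-known URL yourself, feed the JSON to check_discovery, and only then run the Step 2 curl; the issuer check matters because the transaction you create binds your email domain to whatever issuer that document names.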

Step 3: Create Prequel Application in your IdP

Create a new OAuth web application in your identity provider for Prequel. Use this application to control which users in your organization have access to Prequel.

Example: Okta

To create a new SSO application in Okta, follow these steps:

  1. Go to Applications
  2. Create App Integration
  3. Select OIDC - OpenID Connect
  4. Select Type - Web Application and click Next
  5. Name your SSO Application "Prequel"
  6. Add Refresh Token to the Core Grants options
  7. Set the Sign-In redirect URI to the sign_in_uri from Step 2 above
  8. Update your user Assignments for the application (or skip it for now and add it later) and Save
  9. Edit General Settings of the application you just created
  10. Update "Login initiated by" to "Okta or App"
  11. Select "Display application icon to users"
  12. Set Initiate Login URI to https://api-staging.prequel.dev:8080/v1/auth/login

Step 4: Complete Setup with the OAuth Application Client ID and Secret

Provide the client ID and secret from the new Prequel Application to Prequel using the transaction_id from Step 2.

curl -s -XPOST -H "Authorization: Bearer $TOKEN" "https://onboard-beta.prequel.dev/v1/api/oauth/6RfwFnaJLbGmy4CfVWdFc9/onboard" -d '{"client_id":"XXXX", "client_secret":"YYYY"}' -o /dev/null -w '%{http_code}\n'

Example output:

200

The transaction_id will expire in 48 hours. If it takes longer than 48 hours to create the application, then start the process over again to generate a new transaction.

Now you can log in to https://app-beta.prequel.dev with your enterprise email address using your IdP.