Portkey Control plane supports following authentication protocols for enterprise customers.
  1. OIDC (OpenID Connect)
  2. SAML 2.0 (Security Assertion Markup Language)
Below are the steps to integrate your identity provider with our system.

Table of Contents

OIDC Integration

For OIDC integration, we require the following information from your identity provider:

Required Information

  • Issuer URL: The URL of your identity provider’s OIDC authorization endpoint. Wellknown OIDC configuration should be available at this URL.
  • Client ID: The client ID provided by your identity provider.
  • Client Secret Key: The client secret provided by your identity provider.

Setup Steps

Following scopes are required for Portkey to work with OIDC:
  • openid
  • profile
  • email
  • offline_access

General

  • Create an OIDC application in your identity provider.
  • Once the application is created, please note the following details:
    • Issuer URL
    • Client Id
    • Client Secret
  • Update the above details in Portkey Control Plane in Admin Settings > Authentication Settings > OIDC.

Okta

  • Go to Applications tab on Okta dashboard and create a new app integration.
  • Select OIDC - OpenID Connect as the signin method.
  • Select Application Type as Web Application
  • On the next step, fill in the required fields. The signin redirect URI should be https://app.portkey.ai/v2/auth/callback and the Grant Type should have Authorization code and Refresh Token as checked
  • Create Application
  • After the application is created, go to the General section of the application.
  • Click on the edit button for the General Settings section.
  • Select Either Okta or app for the Login initiated by field.
  • Add https://app.portkey.ai/v2/auth/callback as the initiate login URI
  • Go to the Sign On section and click on Edit. Select Okta Url as the issuer and save the updated details
  • Once everything is setup please note the following details
    • Issuer URL will be the Issuer from above step
    • Client Id would be same as Audience/ Client ID
    • Client Secret is needed for Web App based flow. It can be found under General > Client Credentials > Client Secrets in your Okta App.
  • Update the above details in Portkey Control Plane in Admin Settings > Authentication Settings > OIDC

Azure AD

  • Sign in to the Azure portal.
  • Search for and select Azure Active Directory.
  • Under Manage, select App registrations.
  • Select New registration.
  • Enter a name.
  • Select one of the Supported account types that best reflects your organization requirements.
  • Under Redirect URI,
  • Click on Register
  • Once saved, go to Certificates & secrets
    • Click on Client Secrets
    • Click on New client secret
    • Use appropriate settings according to your organisation
    • Click on Add
  • Once everything is set up. Please go to Overview
    • Click on Endpoints and note the OpenID Connect metadata document url
    • Please note the Application (client) ID from Essentials
    • Please note the Client Secret from Certificates & secrets
  • Update the above details in Portkey Control Plane in Admin Settings > Authentication Settings > OIDC

SAML Integration

For SAML integration, we require the following information from your identity provider:

Required Information

Either of the following information is required:
  • Provider Metadata URL: The URL from your identity provider containing the metadata, including SAML configuration details.
  • Provider Metadata XML: The XML metadata of your identity provider.

Setup Steps

General

  • Create an SAML application in your identity provider.
  • Once the application is created, please note the following details:
    • Provider Metadata URL
    • Provider Metadata XML
  • Update the above details in Portkey Control Plane in Admin Settings > Authentication Settings > SAML.

Okta

  • Go to Applications tab on okta dashboard and create a new app integration.
  • Select SAML 2.0 as the signin method.
  • In Configure SAML, update
    • Single sign-on URL with Saml redirect url. You can find the Saml redirect url from the Admin Settings > Authentication Settings > SAML Redirect/Consumer Service URL from Portkey Control Plane.
    • Audience URI (SP Entity ID) with SAML Entity ID from Portkey Control Plane.
  • Create Application
  • Once everything is set up, please note the following details
    • Sign On tab > SAML 2.0 tab > Metadata details > Metadata URL
  • Update the above details in Portkey Control Plane in Admin Settings > Authentication Settings > SAML

Azure AD

  • Sign in to the Azure portal.
  • Search for and select Azure Active Directory.
  • Under Manage, select App registrations.
  • Select New registration.
  • Enter a name.
  • Select one of the Supported account types that best reflects your organization requirements.
  • Under Redirect URI,
    • Select Web as the platform
    • Enter the SAML Redirect/Consumer Service URL from Portkey Control Plane as redirect url
  • Select Register.
  • Select Endpoints at the top of the page.
  • Find the Federation metadata document URL and select the copy icon.
  • In the left side panel, select Expose an API.
  • To the right of Application ID URI, select Add.
    • Enter SAML Entity ID from Portkey Control Plane as the App ID URI.
  • Select Save.
  • Once everything is set up, please note the following details
    • Copy the Federation metadata document URL and paste it in Portkey Control Plane in Admin Settings > Authentication Settings > SAML > Provider Metadata URL