SSO Management

BastionZero supports Google, Microsoft, Okta, OneLogin, and Keycloak identity providers.


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s service.

BastionZero supports native app integrations with your identity provider (IdP) to simplify administrative workflow management.

Our groups integration, in particular, enables administrators to streamline their user onboarding and offboarding processes by utilizing the groups configured from your IdP when authoring policies in BastionZero. For example, when new hires are onboarded, adding them to an SSO group will add them automatically to all BastionZero policies that contain that group as a subject. Likewise, when engineers leave the organization, removing them from the engineering group will be automatically reflected in policy as well. This update process is triggered by the following circumstances:

  1. An immediate webhook notification for any organization using Okta.

  2. Within 1 hour for any organization using Microsoft, Google, OneLogin, and Keycloak.

  3. An immediate update when the policy is modified by a BastionZero administrator.

  4. An immediate update upon user login.

A groups integration requires a read-only permission, which is used to look up groups and their corresponding users when a policy is authored or modified. BastionZero does not take a snapshot of your SSO or maintain its own copy of your SSO user and group settings. The policy authoring is the only action that results in a group and username lookup.
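To make the group-subject model above concrete, here is an added Go example (not BastionZero's own code; the policy types, the in-memory directory and the e-mail addresses are constructed for illustration). It resolves a policy's group subjects through a read-only directory lookup at evaluation time, so an offboarding change made in the IdP group is reflected without editing the policy, which is the property the text describes:

```go
package main

import (
	"fmt"
	"sort"
)

// Subject is one entry in a policy's subject list: a single user or an IdP
// group. This is a simplified model constructed for the example, not
// BastionZero's own policy schema.
type Subject struct {
	Kind string // "user" or "group"
	Name string // user e-mail or group name as known to the IdP
}

// Policy grants its subjects access to a list of targets.
type Policy struct {
	Name     string
	Subjects []Subject
	Targets  []string
}

// Directory is the read-only view of the IdP the integration needs: only
// "who is in this group" lookups, no writes and no stored copy.
type Directory interface {
	GroupMembers(group string) ([]string, error)
}

// mapDirectory is a constructed in-memory stand-in for the IdP's groups API.
type mapDirectory map[string][]string

func (d mapDirectory) GroupMembers(group string) ([]string, error) {
	members, ok := d[group]
	if !ok {
		return nil, fmt.Errorf("group %q not found in directory", group)
	}
	return append([]string(nil), members...), nil
}

// ResolveUsers expands a policy's subjects into the concrete, sorted set of
// users by asking the directory for each group's current membership. Nothing
// is cached, so a call after a membership change (one of the update triggers
// in the text) reflects the new state without the policy itself changing.
func ResolveUsers(p Policy, dir Directory) ([]string, error) {
	seen := map[string]bool{}
	for _, s := range p.Subjects {
		switch s.Kind {
		case "user":
			seen[s.Name] = true
		case "group":
			members, err := dir.GroupMembers(s.Name)
			if err != nil {
				return nil, err
			}
			for _, m := range members {
				seen[m] = true
			}
		default:
			return nil, fmt.Errorf("unknown subject kind %q", s.Kind)
		}
	}
	users := make([]string, 0, len(seen))
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users, nil
}

// Allowed reports whether user may reach target under policy p right now.
func Allowed(p Policy, dir Directory, user, target string) (bool, error) {
	targetOK := false
	for _, t := range p.Targets {
		if t == target {
			targetOK = true
		}
	}
	if !targetOK {
		return false, nil
	}
	users, err := ResolveUsers(p, dir)
	if err != nil {
		return false, err
	}
	for _, u := range users {
		if u == user {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed directory and policy: the group is the subject, not the people.
	dir := mapDirectory{"engineering": {"alice@example.com", "bob@example.com"}}
	p := Policy{
		Name:     "prod-db-access",
		Subjects: []Subject{{Kind: "group", Name: "engineering"}, {Kind: "user", Name: "oncall@example.com"}},
		Targets:  []string{"prod-db-1"},
	}
	users, _ := ResolveUsers(p, dir)
	fmt.Println("before offboarding:", users)
	// Offboarding happens in the IdP: bob leaves the group; the policy is untouched.
	dir["engineering"] = []string{"alice@example.com"}
	users, _ = ResolveUsers(p, dir)
	fmt.Println("after offboarding:", users)
}
```

The design point worth noticing is that an unknown group is an error rather than an empty set: silently treating a renamed or deleted IdP group as "nobody" would hide a broken integration, while treating it as "everybody" would be a privilege escalation.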

To set up your BastionZero organization and enable your groups integration, take a look at our guides below.

Google

Set up your Google organization with BastionZero

  • Click "Sign in with Google."

  • Enter your username, including your corporate domain (e.g., @bastionzero.com), followed by your password. BastionZero will create your organization for you automatically.

Use Google groups to simplify access management

Google groups must be enabled by a user who is both a BastionZero administrator and an administrator of the Google account.

  • Select the settings gear in the top right corner -> App Integrations.

  • Select "Google." Provide your Google Customer ID in the input and select "Sign in with Google." This will allow BastionZero to integrate with your GSuite Workspace account. This action will grant read permissions to directory users and groups.

Microsoft

Set up your Microsoft organization with BastionZero

  • Click "Sign in with Microsoft."

  • Enter your username, including your corporate domain (e.g., @bastionzero.com), followed by your password. BastionZero will create your organization for you automatically.

Use Microsoft groups to simplify access management

Microsoft groups must be enabled by a user who is both a BastionZero administrator and an administrator of the Microsoft account.

  • Select the settings gear in the top right corner -> App Integrations.

  • Select "Microsoft" and "Allow BastionZero Integration." This action allows BastionZero to integrate with your Azure AD account and to see the directory groups and the users within.

Okta

Set up your Okta organization with BastionZero

  • Navigate to your Okta admin app dashboard. This URL may look like: https://bastionzero-admin.okta.com/admin/apps/active, where bastionzero-admin is your Okta domain.

  • Select "Create App Integration." In the resulting modal dialog, select "OIDC - OpenID Connect" for the sign-in method and "Single-Page Application" for the application type.

  • On the next screen, you will need to name your app, configure its grant types, and input the sign-in redirect URIs.

    1. You may name the app however you wish. There is no requirement from BastionZero.

    2. Select both "Authorization Code" and "Refresh Token" for the grant types.

    3. You must support a minimum of 3 sign-in redirect URIs.

      • [REQUIRED] https://cloud.bastionzero.com/auth/callback

      • [REQUIRED] https://cloud.bastionzero.com/authentication/login-okta-callback

      • You must support at least one of the following URIs. We STRONGLY ENCOURAGE you to enable all 5 to avoid port conflicts on your users' machines.

        • http://localhost:49172/login-callback

        • http://localhost:51252/login-callback

        • http://localhost:58243/login-callback

        • http://localhost:59360/login-callback

        • http://localhost:62109/login-callback

Ensure that the user assignments either include all users in your organization or specify a group that includes the individuals you expect to use the BastionZero service.

Use Okta groups to simplify access management

  • Navigate to your Okta admin app dashboard. This URL may look like: https://bastionzero-admin.okta.com/admin/apps/active, where bastionzero-admin is your Okta domain.

  • Select "Create App Integration." In the resulting modal dialog, select "API Services" for the sign-in method. This app integration will be responsible for providing BastionZero access to your Okta groups. Once you click Next, you will name your application.

  • On the "Client Credentials" panel, click "Edit." Under "Client authentication" you should see two options, "Client secret" and "Public key / Private key"; choose the latter. Then, in the "Public Keys" section, you will see another two options, "Save keys in Okta" and "Use a URL to fetch keys dynamically"; select the latter again. In the URL field, enter https://cloud.bastionzero.com/api/v2/okta-public-keys. This is the endpoint where BastionZero publishes the public keys that Okta uses to verify signatures made with the corresponding private keys, so no shared secret ever has to be exchanged. Make sure you save this change.

NOTE: Before you leave this page, make sure that you copy the Client ID. You will need it in a later step.

  • Once you have saved your credential settings, scroll to the bottom of the General page and edit the "General Settings" so that proof of possession is not required. "Federation Broker Mode" should also be disabled.

  • Click on the "Okta API Scopes" tab and grant access to okta.groups.read and okta.users.read.

  • Continue on to the "Admin roles" tab. Select "Edit assignments" and create a "Group Administrator" role. Make sure you select "Save Changes."

  • Navigate to the "Application Rate Limits" tab. Adjust the rate limit to 100%.
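The "Public key / Private key" choice above is the confidential-client method known as JWT with private key (private_key_jwt, RFC 7523): instead of presenting a shared client secret, the client signs a short-lived assertion, and the authorization server fetches the client's public keys from a JWKS URL (for BastionZero, the https://cloud.bastionzero.com/api/v2/okta-public-keys endpoint given above) to verify it. The Go example below is added here to show both halves of that exchange; it is not BastionZero's or Okta's code, and the kid, client ID and token endpoint URL used in its test are constructed placeholders:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk holds the RFC 7517 fields needed to rebuild an RSA public key
// (json.Unmarshal matches the lowercase JWKS keys case-insensitively).
type jwk struct{ Kty, Kid, N, E string }

// Claims of an RFC 7523 client assertion: iss and sub are the client_id,
// aud is the authorization server's token endpoint, exp bounds its lifetime.
type Claims struct {
	Iss, Sub, Aud string
	Exp           int64
}

// NewKey makes the client's RSA signing key pair (constructed for the example).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PublishJWKS is the document the client serves at its keys URL: public
// material only, tagged with a kid so the server can select the right key.
func PublishJWKS(pub *rsa.PublicKey, kid string) ([]byte, error) {
	k := map[string]string{"kty": "RSA", "kid": kid, "n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	return json.Marshal(map[string][]map[string]string{"keys": {k}})
}

// SignAssertion builds the RS256 client_assertion JWT with the private key.
func SignAssertion(priv *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": tokenEndpoint, "exp": now.Add(5 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// decodePart base64url-decodes one JWT segment and unmarshals it into v.
func decodePart(s string, v interface{}) error {
	b, err := b64.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// VerifyAssertion is the authorization server's side: find the kid in the JWKS
// fetched from the client's keys URL, check the signature, then check iss, sub,
// aud and exp. The server never holds the client's private key.
func VerifyAssertion(token string, jwksDoc []byte, clientID, tokenEndpoint string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unsupported alg") // alg is pinned; "none" is rejected
	}
	var set struct{ Keys []jwk }
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no usable RSA key with that kid in JWKS")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint || c.Exp <= now.Unix() {
		return nil, errors.New("claims rejected: iss, sub, aud or exp does not match")
	}
	return &c, nil
}
```

Two things a production verifier adds that are left out here for brevity: a unique jti claim on each assertion, tracked server-side so a captured assertion cannot be replayed within its five-minute window, and a cached JWKS that is refreshed when an unknown kid arrives, which is what lets the client rotate keys without coordination. The parts most often skipped and most worth keeping are the pinned algorithm and the exact iss, sub and aud checks.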

OneLogin

Set up your OneLogin organization with BastionZero

  • Navigate to your OneLogin admin dashboard and select the applications page. The URL may look something like: https://bastionzero.onelogin.com/admin2/apps, where bastionzero is your OneLogin domain. From here select Add app and search for OpenId Connect.

  • Click on the app, and enter your desired Display Name and leave Visible in portal turned on. You may also add a description if needed. After you are done, select "Save" in the top right corner.

  • You should now be able to open the application from the applications section of the admin dashboard mentioned in the first step.

  • From here, you will need to add this application to your users, configure some SSO parameters and input the sign-in redirect URIs.

    1. You may name the app however you wish. There is no requirement from BastionZero.

    2. You will need to add this application individually to each user that will be connecting to BastionZero via OneLogin SSO using this OIDC application. To do so, use the admin dashboard to navigate to the Users page, select a profile, and add the application under the Applications page listed on the left hand side.

    3. Navigate to the SSO page in the application, and select Web for Application Type, None (PKCE) for Token Endpoint, and enable Login Hint.

    4. You must support a minimum of 3 sign-in redirect URIs.

      • [REQUIRED] https://cloud.bastionzero.com/auth/callback

      • [REQUIRED] https://cloud.bastionzero.com/authentication/login-onelogin-callback

      • You must support at least one of the following URIs. We STRONGLY ENCOURAGE you to enable all 5 to avoid port conflicts on your users' machines.

        • http://localhost:49172/login-callback

        • http://localhost:51252/login-callback

        • http://localhost:58243/login-callback

        • http://localhost:59360/login-callback

        • http://localhost:62109/login-callback

Use OneLogin groups to simplify access management

  • Navigate to your OneLogin admin dashboard and select the API credentials page in the Developers section. This URL will look like: https://bastionzero.onelogin.com/api_credentials, where bastionzero is your OneLogin domain.

  • Select "New Credential" in the top right. In the pop-up screen, name this API credential, select Read users access and save.

  • When you access this credential, you will be shown a Client ID and a Client Secret that you will need when you integrate your organization through BastionZero in a later step.

NOTE: Before the next step, make sure that you have the Client ID and the Client Secret from the API Credential you just created.

Keycloak

Set up your Keycloak organization with BastionZero

  • Navigate to the Clients page in your realm. The URL may look something like: https://keycloak.bastionzero.com/admin/master/console/bastionzero/clients, where bastionzero is your Keycloak realm. From here select Create client.

  • On the General Settings screen, enter the ID of the client in the format {realm-name}-oidc-client and toggle Always display in UI on for easy access. Then, click Next.

  • On the Capability config screen, the Client authentication and Authorization options should be turned off. For Authentication Flow, only select Standard Flow and Direct access grants. Then, click Next.

  • On the Login settings page, you will need to enter the following for Valid redirect URIs. For Web origins, enter +, which permits all origins of the provided Valid Redirect URIs. Then, click Save.

    • You must support a minimum of 3 sign-in redirect URIs.

      • [REQUIRED] https://cloud.bastionzero.com/auth/callback

      • [REQUIRED] https://cloud.bastionzero.com/authentication/login-keycloak-callback

      • You must support at least one of the following URIs. We STRONGLY ENCOURAGE you to enable all 5 to avoid port conflicts on your users' machines.

        • http://localhost:49172/login-callback

        • http://localhost:51252/login-callback

        • http://localhost:58243/login-callback

        • http://localhost:59360/login-callback

        • http://localhost:62109/login-callback

  • Once saved, you'll be placed in the client. There are a couple of steps here before we are done.

    • First, navigate to the Client scopes page in your client. Here, select Default as the Assigned type for email, offline_access, and profile.

    • Next, navigate to the Advanced page in your client, and scroll down to the OpenID Connect Compatibility Modes section. Here, ensure that the Use refresh tokens option is turned on and click Save. Then, scroll down to the Advanced Settings section, and select S256 for the Proof Key for Code Exchange Code Challenge Method setting. Then, click Save. The last setting we will modify is directly below in the Authentication flow overrides section. Select browser as the Browser Flow.
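The same list of two required callbacks plus five localhost URIs appears in the Okta, OneLogin and Keycloak setup steps above, each with the advice to register all five. The Go example below is added here to show why; it is not part of the BastionZero client. A login client must pick a loopback port that is both free on the user's machine and registered at the IdP as an exact string (OAuth redirect URIs do not prefix- or wildcard-match, so a different port is a different URI), and a pre-flight check can list which URIs an allowlist is still missing. The ProbeTCP helper and the allowlist in main are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// LoopbackPorts are the five localhost callback ports from the text, tried in order.
var LoopbackPorts = []int{49172, 51252, 58243, 59360, 62109}

// PortProbe reports whether a local port is already taken. It is injected so
// the selection logic can be exercised without binding real sockets.
type PortProbe func(port int) bool

// ProbeTCP is the real probe: try to bind 127.0.0.1:port and release it again.
func ProbeTCP(port int) bool {
	l, err := net.Listen("tcp", net.JoinHostPort("127.0.0.1", strconv.Itoa(port)))
	if err != nil {
		return true
	}
	l.Close()
	return false
}

// LoopbackURI renders the redirect URI the client registers for a given port.
func LoopbackURI(port int) string {
	return fmt.Sprintf("http://localhost:%d/login-callback", port)
}

// ChooseCallback walks the loopback ports in order and returns the first URI
// that is both free on this machine and registered at the IdP. Comparison is
// an exact string match, as OAuth requires for redirect_uri: a port the IdP
// does not know is skipped even if it is free, because the IdP would reject it.
func ChooseCallback(registered []string, inUse PortProbe) (string, error) {
	known := make(map[string]bool, len(registered))
	for _, u := range registered {
		known[u] = true
	}
	for _, p := range LoopbackPorts {
		uri := LoopbackURI(p)
		if !known[uri] || inUse(p) {
			continue
		}
		return uri, nil
	}
	return "", fmt.Errorf("no usable callback: every one of the %d loopback ports is busy or not registered", len(LoopbackPorts))
}

// MissingRegistrations is a pre-flight check of an IdP app's allowlist for one
// provider ("okta", "onelogin" or "keycloak"): it returns whichever of the two
// required BastionZero callbacks and the five loopback URIs are absent.
func MissingRegistrations(provider string, registered []string) []string {
	known := make(map[string]bool, len(registered))
	for _, u := range registered {
		known[u] = true
	}
	want := []string{
		"https://cloud.bastionzero.com/auth/callback",
		"https://cloud.bastionzero.com/authentication/login-" + provider + "-callback",
	}
	for _, p := range LoopbackPorts {
		want = append(want, LoopbackURI(p))
	}
	var missing []string
	for _, u := range want {
		if !known[u] {
			missing = append(missing, u)
		}
	}
	return missing
}

func main() {
	// Constructed allowlist: an admin registered only the first loopback port.
	registered := []string{
		"https://cloud.bastionzero.com/auth/callback",
		"https://cloud.bastionzero.com/authentication/login-okta-callback",
		LoopbackURI(49172),
	}
	fmt.Println("missing:", MissingRegistrations("okta", registered))
	uri, err := ChooseCallback(registered, ProbeTCP)
	fmt.Println("chosen:", uri, "err:", err)
}
```

With only one loopback port registered, any unrelated process that happens to hold that port on a user's machine turns into a login failure at the IdP; registering all five gives the client four fallbacks without loosening the allowlist, since each entry is still an exact URI.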

Use Keycloak groups to simplify access management

  • Navigate to the Clients page in your realm. The URL may look something like: https://keycloak.bastionzero.com/admin/master/console/bastionzero/clients, where bastionzero is your Keycloak realm. From here select Create client. (shown in the section above)

  • On the General Settings screen, enter the ID of the client in the format {realm-name}-apikey-client and toggle Always display in UI on for easy access. Then, click Next.

  • On the Capability config screen, the Client authentication and Authorization options should be turned on. For Authentication Flow, only select Direct access grants. Then, click Next.

  • On the Login settings page, you don't need to make any changes. You can click Save.

  • Once saved, navigate to the Service account roles tab of your client. Here, you will configure roles for this client that will allow BastionZero to retrieve information about the realm's users and groups. Click on Assign role, and then choose the option to Filter by clients. From here, make sure to select the following roles with the realm-management tag: query-groups, query-users, and view-users.

  • Then, navigate to the Credentials tab of your client. Here, take note of the Client ID (name of the client seen at the top) and Client Secret, which you will enter in BastionZero to complete the integration.

Completing the integration in the BastionZero web app

Note: For every provider, the first user to log in to/create your organization will be granted administrator privileges. This can easily be reassigned by using the "User & Service Accounts" management page under the gear in the top right corner of the web app.

Google and Microsoft: to set up your organization, navigate to the web app and follow the sign-in steps above. To enable groups, navigate to the web app before selecting the settings gear and App Integrations.

Okta: once you save your new app, Okta will provide you with a client ID. Please share this client ID and your Okta domain URL with BastionZero. This information is required to enable BastionZero to communicate via OAuth with your Okta organization. Once BastionZero has completed the configuration on our end, you will be able to authenticate to BastionZero using Okta.

Okta groups: finalize the integration. Log in to BastionZero with an administrator account. Navigate to System Controls -> App Integrations -> Okta. Paste the Client ID in the respective field and click Apply. Your Okta organization is now integrated with BastionZero. You can now create a policy that includes Okta groups rather than single users. The confidential client authentication method BastionZero uses for this integration is JWT with private key; your identity provider's reference on confidential client authentication methods covers the security background.

OneLogin: on the SSO page, you will have noticed that OneLogin OpenId Connect provides a client ID. Please share this client ID and your OneLogin domain URL with BastionZero. The domain URL will look something like https://bastionzero.onelogin.com. You can take the issuer URL found on the SSO page and omit the /oidc/2 that is appended at the end. This information is required to enable BastionZero to communicate via OAuth with your OneLogin organization. Once BastionZero has completed the configuration on our end, you will be able to authenticate to BastionZero using OneLogin.

OneLogin groups: finalize the integration. Log in to BastionZero with an administrator account. Navigate to System Controls -> App Integrations -> OneLogin. Paste the Client ID and Client Secret credentials in their respective fields and click Apply. Your OneLogin organization is now integrated with BastionZero. You can now create a policy that includes OneLogin groups rather than single users.

Keycloak: please share the client ID used to create this client and the domain URL of your Keycloak realm with BastionZero. The domain URL will look something like https://keycloak.bastionzero.com/realms/bastionzero. You can find the domain URL by navigating to the Realm settings in your realm and opening the OpenID Endpoint Configuration for your realm. This information is required to enable BastionZero to communicate via OAuth with your Keycloak organization. Once BastionZero has completed the configuration on our end, you will be able to authenticate to BastionZero using Keycloak.

Keycloak groups: finalize the integration. Log in to BastionZero with an administrator account. Navigate to System Controls -> App Integrations -> Keycloak. Paste the Client ID and Client Secret credentials in their respective fields and click Apply. Your Keycloak organization is now integrated with BastionZero. You can now create a policy that includes Keycloak groups rather than single users.

Looking for other identity provider support? Contact product@bastionzero.com.