SSO Management
BastionZero supports Google, Microsoft, Okta, and OneLogin identity providers.
BastionZero supports native app integrations with your identity provider (IdP) to simplify administrative workflow management.
Our groups integration, in particular, lets administrators streamline user onboarding and offboarding by using the groups configured in your IdP as subjects when authoring policies in BastionZero. For example, when new hires are onboarded, adding them to an SSO group automatically adds them to every BastionZero policy that has that group as a subject. Likewise, when engineers leave the organization, removing them from the engineering group is automatically reflected in policy as well. Policy membership is refreshed under the following circumstances:
1. Immediately, via webhook notification, for any organization using Okta.
2. Within 1 hour for any organization using Microsoft, Google, or OneLogin.
3. Immediately when a policy is modified by a BastionZero administrator.
4. Immediately when a user logs in.
For urgent offboarding on the providers that sync hourly, also suspend the account in the IdP so the user can no longer sign in, rather than relying on the group sync alone.
A groups integration requires a read-only permission, which is used to look up groups and their corresponding users when a policy is authored or modified. BastionZero does not take a snapshot of your SSO or maintain its own copy of your SSO user and group settings; policy authoring and modification are the actions that trigger a group and username lookup.
To get set up with your BastionZero organization and enable your groups integration, follow the per-provider guides below.
Google
- Click "Sign in with Google."
- Enter your username, including your corporate domain (e.g., @bastionzero.com), followed by your password. BastionZero will create your organization for you automatically.
Note: The first user to log in to/create your organization will be granted administrator privileges. This can easily be reassigned by using the "User & Service Accounts" management page under the gear in the top right corner of the web app.
Google groups integration
Google groups must be enabled by a user who is both a BastionZero administrator and an administrator of the Google account.
- Select the settings gear in the top right corner -> App Integrations.
- Select "Google." Provide your Google Customer ID in the input and select "Sign in with Google." This will allow BastionZero to integrate with your Google Workspace account. This action grants read permission to directory users and groups.
Microsoft
- Click "Sign in with Microsoft."
- Enter your username, including your corporate domain (e.g., @bastionzero.com), followed by your password. BastionZero will create your organization for you automatically.
Note: The first user to log in to/create your organization will be granted administrator privileges. This can easily be reassigned by using the "User & Service Accounts" management page under the gear in the top right corner of the web app.
Microsoft groups integration
Microsoft groups must be enabled by a user who is both a BastionZero administrator and an administrator of the Microsoft account.
- Select the settings gear in the top right corner -> App Integrations.
- Select "Microsoft" and "Allow BastionZero Integration." This action allows BastionZero to integrate with your Azure AD account and to read the directory groups and the users within them.
Okta
- Navigate to your Okta admin app dashboard. The URL may look like https://bastionzero-admin.okta.com/admin/apps/active, where bastionzero is your Okta org name (the admin console uses the -admin suffix).

Navigate to your Okta admin app dashboard
- Select "Create App Integration." In the resulting modal dialog, select "OIDC - OpenID Connect" for the sign-in method and "Single-Page Application" for the application type.

Specify your sign-in method and application type
- On the next screen, you will need to name your app, configure its grant types, and input the sign-in redirect URIs.
- 1. You may name the app however you wish. There is no requirement from BastionZero.
- 2. Select both "Authorization Code" and "Refresh Token" for the grant types.
- 3. You must register a minimum of 3 sign-in redirect URIs:
  - [REQUIRED] https://cloud.bastionzero.com/auth/callback
  - [REQUIRED] https://cloud.bastionzero.com/authentication/login-okta-callback
  - At least one of the following loopback URIs. We STRONGLY ENCOURAGE you to enable all 5 to avoid port conflicts on your users' machines:
    - http://localhost:49172/login-callback
    - http://localhost:51252/login-callback
    - http://localhost:58243/login-callback
    - http://localhost:59360/login-callback
    - http://localhost:62109/login-callback

Configure your app name and grant type

Configure your sign-in redirect URIs
Ensure the app's user assignments either include all users in your organization or specify a group that includes everyone you expect to use the BastionZero service.

Allow everyone in your organization to access BastionZero or specify a selected group
- Once you save your new app, Okta will provide you with a client ID. Please share this client ID and your Okta domain URL with BastionZero. This information is required to enable BastionZero to communicate via OAuth with your Okta organization. Once BastionZero has completed the configuration on our end, you will be able to authenticate to BastionZero using Okta.
Note: The first user to log in to/create your organization will be granted administrator privileges. This can easily be reassigned by using the "User & Service Accounts" management page under the gear in the top right corner of the web app.
Okta groups integration
- Navigate to your Okta admin app dashboard. The URL may look like https://bastionzero-admin.okta.com/admin/apps/active, where bastionzero is your Okta org name (the admin console uses the -admin suffix).
- Select "Create App Integration." In the resulting modal dialog, select "API Services" for the sign-in method. This app integration will be responsible for providing BastionZero access to your Okta groups. Once you hit Next, you will name your application.

Create your Okta app integration
- On the "Client Credentials" panel, click "Edit." You should see two options, Client Secret and Public key / Private key. Choose the latter. Then, on the "Public Keys" panel, you will see another two options, Save keys in Okta and Use a URL to fetch keys dynamically. Select the latter again. In the Url field, add https://cloud.bastionzero.com/api/v2/okta-public-keys. This is the endpoint where BastionZero publishes the public keys Okta uses to verify signatures made with the corresponding private keys, which BastionZero holds; no shared secret is exchanged. Make sure you save this change.

Client Credentials panel
- Click on the "Okta API Scopes" tab and grant access to okta.groups.read and okta.users.read.

Enable okta.groups.read and okta.users.read for your BastionZero and Okta integration to work correctly
NOTE: Before you leave this page, make sure that you copy the Client ID. You will use it in the next step.
- Finalize the integration. Log in to BastionZero with an administrator account. Navigate to System Controls -> App Integrations -> Okta. Paste the Client ID in the respective field and click Apply. Your Okta organization is now integrated with BastionZero. You can now create a policy that includes Okta groups rather than single users.

Use your Okta Client ID to integrate your Okta organization with BastionZero
See the documentation on confidential client authentication methods, and specifically the one used here, JWT with private key (private_key_jwt): the client proves possession of a private key by signing a short-lived assertion, and Okta verifies it against the public keys fetched from the URL configured above.
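As an added illustration of the JWT-with-private-key method described above (example code written for this page, not BastionZero's or Okta's own implementation), the following Go program plays both roles: the client that publishes a JWKS at its key URL and signs a client assertion, and the authorization server that picks the key by kid, pins the algorithm, verifies the signature and only then checks the claims. The client ID, token endpoint and key ID in main are hypothetical, and the JWKS is handed over in memory rather than fetched over HTTPS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// NewKey generates the client's RSA signing key. Only its public half is ever published.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// PublishJWKS is the client side of the "Use a URL to fetch keys dynamically" option: the
// document served at that URL carries public material only, keyed by kid so keys can rotate.
func PublishJWKS(kid string, pub *rsa.PublicKey) []byte {
	key := map[string]string{"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
		"n": enc.EncodeToString(pub.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{key}})
	return out
}

// lookupKey returns the RSA key with the given kid from a JWKS document, or nil.
func lookupKey(jwks []byte, kid string) *rsa.PublicKey {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if json.Unmarshal(jwks, &set) != nil {
		return nil
	}
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, _ := enc.DecodeString(k.N)
			e, _ := enc.DecodeString(k.E)
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// ClientAssertion builds the RFC 7523 JWT sent as client_assertion in the token request: iss and
// sub name the client, aud pins the token endpoint, exp keeps it short-lived, jti defeats replay.
func ClientAssertion(priv *rsa.PrivateKey, kid, id, aud string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]any{"iss": id, "sub": id, "aud": aud,
		"jti": enc.EncodeToString(jti), "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyAssertion is the authorization server's side: key by kid from the client's published
// JWKS, algorithm pinned, signature checked before any claim is trusted. nil means accepted.
func VerifyAssertion(token string, jwks []byte, id, aud string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	rawHdr, e1 := enc.DecodeString(parts[0])
	rawClaims, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return errors.New("malformed JWT encoding")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("unsupported alg") // rejects alg=none and HS256 key-confusion tricks
	}
	pub := lookupKey(jwks, hdr.Kid)
	if pub == nil {
		return errors.New("no published key matches kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	var c struct {
		Iss, Sub, Aud string
		Exp           int64
	}
	if json.Unmarshal(rawClaims, &c) != nil {
		return errors.New("malformed claims")
	}
	switch {
	case c.Iss != id || c.Sub != id:
		return errors.New("assertion issued for a different client")
	case c.Aud != aud:
		return errors.New("assertion not intended for this token endpoint")
	case !now.Before(time.Unix(c.Exp, 0)):
		return errors.New("assertion expired")
	}
	return nil
}

func main() {
	// Hypothetical client ID, token endpoint and key ID; not BastionZero's real values.
	id, aud, kid := "0oa-hypothetical-client-id", "https://bastionzero.okta.com/oauth2/v1/token", "bzero-key-1"
	priv := NewKey()
	jwks := PublishJWKS(kid, &priv.PublicKey)
	token, _ := ClientAssertion(priv, kid, id, aud, time.Now())
	fmt.Println("genuine assertion:", VerifyAssertion(token, jwks, id, aud, time.Now()))
	fmt.Println("wrong audience:   ", VerifyAssertion(token, jwks, id, "https://other.example/token", time.Now()))
}
```

The contrast with a Client ID plus Client Secret credential (as used for the OneLogin groups integration later on this page) is that nothing long-lived is ever transmitted: the IdP only sees public keys and assertions that die after exp and are bound to one token endpoint by aud, so a captured assertion cannot be replayed elsewhere. Rotation is just publishing a new kid in the JWKS and signing with the new key.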
OneLogin
- Navigate to your OneLogin admin dashboard and select the Applications page. The URL may look something like https://bastionzero.onelogin.com/admin2/apps, where bastionzero is your OneLogin domain. From here select Add app and search for OpenId Connect.

Find the application using the admin dashboard
- Click on the app, enter your desired Display Name, and leave Visible in portal turned on. You may also add a description if needed. When you are done, select "Save" in the top right corner.
- You should now be able to open the application from the Applications section of the admin dashboard mentioned in the first step.

Open the OpenId Connect application you just added from the Applications page
- From here, you will need to assign this application to your users, configure some SSO parameters, and input the sign-in redirect URIs.
- 1. You may name the app however you wish. There is no requirement from BastionZero.
- 2. You will need to add this application individually to each user who will connect to BastionZero via OneLogin SSO using this OIDC application. To do so, use the admin dashboard to navigate to the Users page, select a profile, and add the application under the Applications tab listed on the left-hand side.
- 3. Navigate to the SSO page in the application, select Web for Application Type and None (PKCE) for Token Endpoint, and enable Login Hint.
- 4. You must register a minimum of 3 sign-in redirect URIs:
  - [REQUIRED] https://cloud.bastionzero.com/auth/callback
  - [REQUIRED] https://cloud.bastionzero.com/authentication/login-onelogin-callback
  - At least one of the following loopback URIs. We STRONGLY ENCOURAGE you to enable all 5 to avoid port conflicts on your users' machines:
    - http://localhost:49172/login-callback
    - http://localhost:51252/login-callback
    - http://localhost:58243/login-callback
    - http://localhost:59360/login-callback
    - http://localhost:62109/login-callback

Configure your Application Type and Token Endpoint on the SSO page

Configure your sign-in redirect URIs on the Configuration page
- On the SSO page, you will have noticed that OneLogin OpenId Connect provides a client ID. Please share this client ID and your OneLogin domain URL with BastionZero. The domain URL will look something like https://bastionzero.onelogin.com; you can take the issuer URL found on the SSO page and omit the /oidc/2 appended at the end. This information is required to enable BastionZero to communicate via OAuth with your OneLogin organization. Once BastionZero has completed the configuration on our end, you will be able to authenticate to BastionZero using OneLogin.
Note: The first user to log in to/create your organization will be granted administrator privileges. This can easily be reassigned by using the "User & Service Accounts" management page under the gear in the top right corner of the web app.
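Both the Okta and OneLogin steps above register the same five http://localhost:&lt;port&gt;/login-callback redirect URIs. As an added example that is not part of the original guide or BastionZero's own client, the following Go program shows why: a native client receives the authorization code on a loopback listener, and with all five ports registered it can fall back to the next one when a port is already taken on the user's machine. It also shows the PKCE S256 challenge that the "None (PKCE)" token-endpoint setting relies on, and the state check a client must perform on the callback. The authorization endpoint and client ID in main are hypothetical placeholders; real values come from your IdP's discovery document and app registration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// LoopbackPorts are the five redirect ports the guide asks you to register. With all five
// registered, the client can fall back when one is already bound on the user's machine.
var LoopbackPorts = []int{49172, 51252, 58243, 59360, 62109}

// BindLoopback tries each registered port in order and returns the first listener it can open
// on 127.0.0.1, together with the exact redirect URI that was registered for that port.
func BindLoopback(ports []int) (net.Listener, string, error) {
	for _, p := range ports {
		ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", p))
		if err == nil {
			return ln, fmt.Sprintf("http://localhost:%d/login-callback", p), nil
		}
	}
	return nil, "", errors.New("every registered loopback port is already in use")
}

// RandomToken returns 32 random bytes, base64url-encoded: used for the PKCE verifier, state and nonce.
func RandomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// PKCEChallenge derives the S256 code_challenge from a code_verifier (RFC 7636 section 4.2).
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizationURL builds the authorization request for the authorization-code + PKCE flow.
// authorizeEndpoint is assumed to be the IdP's authorization endpoint from its discovery document.
func AuthorizationURL(authorizeEndpoint, clientID, redirectURI, state, nonce, verifier string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile email offline_access")
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", PKCEChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return authorizeEndpoint + "?" + q.Encode()
}

// ParseCallback validates the redirect that lands on the loopback listener: an IdP error is
// surfaced, and a state that does not match what this process generated is rejected, which is
// what stops an attacker from injecting their own authorization code into the user's session.
func ParseCallback(rawURL, expectedState string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("idp returned error %q: %s", e, q.Get("error_description"))
	}
	if q.Get("state") != expectedState {
		return "", errors.New("state mismatch: callback was not produced by this login attempt")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	ln, redirectURI, err := BindLoopback(LoopbackPorts)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer ln.Close()
	verifier, state, nonce := RandomToken(), RandomToken(), RandomToken()
	// Hypothetical authorization endpoint and client ID.
	fmt.Println(AuthorizationURL("https://bastionzero.okta.com/oauth2/v1/authorize", "0oa-hypothetical", redirectURI, state, nonce, verifier))
	// A second client instance started while the first is still waiting falls back to the next port.
	if ln2, redirect2, err := BindLoopback(LoopbackPorts); err == nil {
		defer ln2.Close()
		fmt.Println("second instance fell back to", redirect2)
	}
}
```

Because the redirect URI must match the registration exactly, a client that only has one port registered fails outright when that port is busy, which is the conflict the "enable all 5" advice avoids. One further caveat when adapting this: the URIs are registered as localhost, so a browser that resolves localhost to ::1 will not reach a listener bound only to 127.0.0.1; bind both loopback addresses if that matters in your environment.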
OneLogin groups integration
- Navigate to your OneLogin admin dashboard and select the API Credentials page in the Developers section. The URL will look like https://bastionzero.onelogin.com/api_credentials, where bastionzero is your OneLogin domain.
- Select "New Credential" in the top right. In the pop-up screen, name this API credential, select Read users access, and save.
- When you open this credential, you will be shown a Client ID and a Client Secret that you will need when you integrate your organization through BastionZero in a later step. Treat the Client Secret like a password: it is only needed for the BastionZero integration form and should not be stored anywhere else.

Create your OneLogin API credential
NOTE: Before the next step, make sure that you have the Client ID and the Client Secret from the API credential you just created.
- Finalize the integration. Log in to BastionZero with an administrator account. Navigate to System Controls -> App Integrations -> OneLogin. Paste the Client ID and Client Secret in their respective fields and click Apply. Your OneLogin organization is now integrated with BastionZero. You can now create a policy that includes OneLogin groups rather than single users.

Use your OneLogin Client ID and Client Secret to integrate your OneLogin organization with BastionZero