How to Enable SSO with an External Identity Provider

PhariaAI's internal identity provider, Zitadel, can integrate external identity providers for single sign-on (SSO). This lets users log in to PhariaAI with an existing account from a company identity provider such as Google, Microsoft, or Okta.

Prerequisites

  • You enabled the flag pharia-iam.config.adminEnableZitadelManagement during the installation of PhariaAI; see section 1 under Installation of PhariaAI -> Helm Chart Installation -> IAM Configuration.

Configure an External Identity Provider in Zitadel

  1. Open the Zitadel Console
    • Navigate to the Zitadel console at https://login.<YOUR_CONFIGURED_DOMAIN> and log in with your initial user account.
    • If you land on the info page of your admin account instead, navigate to https://login.<YOUR_CONFIGURED_DOMAIN>/ui/console or click the logo in the top left corner. If this has no effect, you probably logged in with the wrong account.
      (Screenshot: zitadel-console)
  2. Add an External Identity Provider
    • Switch to the Pharia organization.
      (Screenshot: zitadel-select-org)
    • Go to the Settings tab and select Identity Provider. Here you find a list of pre-configured external identity providers. Choose the desired provider and follow the instructions.
    • For a seamless user experience, enable only the option that creates accounts automatically.
      (Screenshot: zitadel-configure-external-idp)
    • Make sure to activate the identity provider by clicking the Activate button. For more information on configuring external identity providers, see the Zitadel documentation.

Enable SSO in the login page

  1. Enable external login for the Pharia Organization
    • Go to the Settings tab and select Login Behavior and Security. At the bottom of the page, check the box for External Login allowed. Then click Save.
      (Screenshot: zitadel-enable-sso)
  2. Make Pharia the Default Organization
    • Go to the all-organizations view by clicking the two arrows next to the organization name in the top left corner and choosing Show All Organizations.
      (Screenshot: zitadel-show-all-orgs)
    • Click the three dots next to the Pharia organization and select Set as default organization.
      (Screenshot: zitadel-change-default-org)

Configure Default Roles for Federated Users

To access any resource in PhariaAI, a user must be assigned a role. You can configure default roles for federated users to be assigned on the first login.

Add Role Assignment

  • Go to the Actions tab. A default action named assignDefaultRole should already be present; by default it assigns the AssistantUser role. If you want a different default role than AssistantUser, change it in the Helm values under pharia-iam.config.defaultRolesForLogin.
  • Select the Flow Type External Authentication and click the Add Trigger button. Select Trigger Type Post Creation and select the assignDefaultRole action. Click Save.
    (Screenshot: zitadel-add-external-action-trigger)
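To show what a Post Creation action in the External Authentication flow does when it assigns a default role, here is an added example in the shape of a Zitadel Action. It is illustrative code, not the assignDefaultRole action shipped with PhariaAI. The api.userGrants.push({projectID, roles}) call is the interface Zitadel documents for this trigger; the project ID placeholder, the role list (mirroring a value such as pharia-iam.config.defaultRolesForLogin) and the makeFakeApi stand-in used to run it offline are assumptions.

```javascript
// Added example of a Zitadel Action for the "Post Creation" trigger of the
// "External Authentication" flow. Not PhariaAI's own assignDefaultRole code.
// Zitadel calls the action as fn(ctx, api); api.userGrants is the array the
// action appends grants to (per the Zitadel Actions documentation).

// Placeholder: the Zitadel project that owns the PhariaAI roles (assumption).
const PROJECT_ID = "<PHARIA_PROJECT_ID>";
// Mirrors the configured default roles (assumed shape: list of role keys).
const DEFAULT_ROLES = ["AssistantUser"];

// Core step: append one user grant with the given roles. Returns true when a
// grant was added, false when the role list is empty or invalid so that a
// misconfigured value produces no grant instead of an empty one.
function grantRoles(api, roles, projectID) {
  const cleaned = Array.from(
    new Set(roles.filter((r) => typeof r === "string" && r.trim().length > 0))
  );
  if (cleaned.length === 0) {
    return false;
  }
  api.userGrants.push({ projectID, roles: cleaned });
  return true;
}

// Entry point in the signature Zitadel expects for an action.
function assignDefaultRole(ctx, api) {
  // ctx carries the authenticated user and IdP data; it is not needed here
  // because every newly created federated user gets the same default role.
  return grantRoles(api, DEFAULT_ROLES, PROJECT_ID);
}

// Constructed stand-in for the object Zitadel hands to the action, so the
// logic can be exercised outside Zitadel.
function makeFakeApi() {
  return { userGrants: [] };
}

// Run the action against the stand-in and return the grants it produced.
function runExample() {
  const api = makeFakeApi();
  assignDefaultRole({}, api);
  return api.userGrants;
}

console.log(JSON.stringify(runExample()));
```

Keeping the default role minimal (a plain user role rather than an administrative one) means a first federated login grants only what every user needs; elevated roles can then be assigned deliberately after the account exists.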