HCP Adds OpenID Connect (OIDC) Single Sign-On Functionality
Learn how users of the HashiCorp Cloud Platform (HCP) can now leverage the popular OpenID Connect (OIDC) protocol for their single sign-on (SSO) integrations.
We are excited to announce that HashiCorp Cloud Platform (HCP) now allows organizations to configure their single sign-on (SSO) with the OpenID Connect (OIDC) authentication method. This popular SSO solution gives organizations leveraging HCP more options to integrate identity providers (IDPs) into their cloud platform.
» What is OIDC SSO
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It lets a client (the relying party) verify an end user's identity based on the authentication performed by an authorization server or identity provider, and obtain basic profile information about that user in an interoperable, REST-like manner. The identity is delivered as a signed ID token (a JSON Web Token) whose signature, issuer, audience and expiry the client must validate before trusting it. You can learn more in the OpenID Connect Core 1.0 specification.
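To make the "verify end-users' identities" step concrete, here is an added example (not HCP or HashiCorp code, and not what HCP runs internally) of the checks a relying party performs on an ID token before trusting the identity it carries. It uses HS256 with a shared secret so it runs offline with only the standard library; a production provider signs with RS256 or ES256 and the relying party fetches the verification key from the provider's JWKS endpoint instead. The issuer URL, client ID, secret and user claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders, not real HCP or provider settings.
SECRET = b"constructed-shared-secret"      # assumption: HS256 key shared with the provider
ISSUER = "https://idp.example.com"         # assumption: the provider's issuer URL
CLIENT_ID = "hcp-example-client"           # assumption: the relying party's client_id


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, secret=SECRET, alg="HS256"):
    """Provider side: build header.payload.signature as an authorization server would.
    alg="none" yields an unsigned token, used below only to show that it is rejected."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token, secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID,
                    nonce=None, now=None, leeway=60):
    """Relying-party side. Returns (claims, None) on success or (None, reason) on rejection.
    Order matters: pin the algorithm and check the signature before reading any claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        sig = _b64url_decode(parts[2])
    except (ValueError, TypeError):
        return None, "malformed header or signature"
    if not isinstance(header, dict):
        return None, "malformed header"
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        return None, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, TypeError):
        return None, "malformed payload"
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:                  # a token minted for another client is not ours
        return None, "audience mismatch"
    if len(aud) > 1 and claims.get("azp") != client_id:
        return None, "azp mismatch"
    if claims.get("exp", 0) + leeway < now:
        return None, "token expired"
    if claims.get("iat", now) - leeway > now:
        return None, "issued in the future"
    if nonce is not None and claims.get("nonce") != nonce:
        return None, "nonce mismatch"         # binds the token to this login attempt
    return claims, None


def build_samples(now):
    """Constructed tokens: one acceptable, plus the kinds a relying party must reject."""
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "email": "alice@example.com",
            "iat": now, "exp": now + 300, "nonce": "n-abc"}
    good = mint_id_token(base)
    head, _, sig = good.split(".")
    # Same header and signature, but the subject swapped in the payload.
    forged_payload = _b64url_encode(json.dumps({**base, "sub": "admin"}).encode())
    return {
        "good": good,
        "wrong_aud": mint_id_token({**base, "aud": "another-client"}),
        "expired": mint_id_token({**base, "exp": now - 3600}),
        "unsigned": mint_id_token(base, alg="none"),
        "tampered": f"{head}.{forged_payload}.{sig}",
    }


if __name__ == "__main__":
    t = time.time()
    for name, tok in build_samples(t).items():
        claims, reason = verify_id_token(tok, nonce="n-abc", now=t)
        print(f"{name:10s} -> {'accepted sub=' + claims['sub'] if claims else 'rejected: ' + reason}")
```

The nonce check is what ties the returned token to the authorization request the client actually started; without it a captured ID token can be replayed into another session. The audience check is what stops a token legitimately issued to a different application at the same provider from being accepted here.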
» The Benefits of OIDC SSO on HCP
Previously, HCP supported three authentication methods: email and password, GitHub, and SAML SSO. Many HCP users and customers, however, already run OIDC identity providers (IDPs) and want to use them to log in to HCP.
In response to these requests and the broad adoption of the protocol, the latest release of HCP fully supports OIDC, allowing organizations to delegate authentication to their preferred OIDC provider.
OIDC exchanges JSON over HTTPS rather than XML assertions, which many organizations find simpler than SAML to implement and easier to drive from APIs and SDKs. In addition, OIDC SSO gives HCP another straightforward way to integrate with popular identity providers such as Microsoft Azure Active Directory and Okta. Lastly, this is the first step toward letting all HCP products integrate with each other through a single authentication workflow. Look for more HCP integration updates in the future.
» How to Implement OIDC SSO on HCP
HCP supports any identity provider that implements OIDC. Two popular providers, Azure Active Directory and Okta, each have their own setup procedure; an overview of each follows, with links to the detailed instructions. Refer to SSO Overview for details about managing organizations with SSO enabled.
» Azure Active Directory Setup
Setting up OIDC SSO on HCP utilizing Azure Active Directory requires three main actions:
- Log in to HCP as the organization's owner or an admin and select OIDC as the SSO method.
- Verify your domain: HCP gives you a verification value to publish as a DNS TXT record, which proves you control the domain. HCP then uses the verified domain to match users' email addresses to this SSO configuration. A domain can be verified for only one HCP organization; attempting to verify a domain already in use by another organization fails.
- Enable the OIDC integration: copy the values from the Initiate OIDC Integration section in HCP into the OIDC configuration of an enterprise application in Azure Active Directory.
For detailed step-by-step instructions visit the Azure Active Directory OIDC SSO Configuration page.
» Okta Identity Provider Setup
Setting up OIDC SSO on HCP utilizing the Okta identity provider is also straightforward:
- Log in to HCP as the organization's owner or an admin and select OIDC as the SSO method.
- Verify your domain: HCP gives you a verification value to publish as a DNS TXT record, which proves you control the domain. HCP then uses the verified domain to match users' email addresses to this SSO configuration. A domain can be verified for only one HCP organization; attempting to verify a domain already in use by another organization fails.
- Create an OIDC app integration: log in to Okta, open Applications, and follow the Create App Integration flow.
For detailed step-by-step instructions visit the Okta OIDC SSO Configuration page.
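Both procedures above share the domain-verification step, and the usual failure is clicking "verify" before the TXT record has propagated, or comparing the wrong thing. The following is an added example (not HCP code) of two pre-flight checks: parsing `dig +short TXT` output into whole records, including a value DNS has split into multiple quoted chunks, and matching an email address against the verified domain the way a relying party should. The record name, the shape of the verification value and the sample `dig` output are constructed placeholders; use exactly what the HCP SSO wizard shows you.

```python
import re
import subprocess

# Constructed placeholders: HCP displays the real record to publish in its SSO wizard.
VERIFIED_DOMAIN = "example.com"
EXPECTED_TXT_VALUE = "hcp-domain-verification=abc123"

# Constructed `dig +short TXT example.com` output. The second record is split into two
# quoted chunks, as DNS does for long values; a naive compare against the raw line misses it.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.com ~all"
"hcp-domain-verification=" "abc123"
'''


def parse_txt_records(dig_output):
    """Return one string per TXT record, joining the quoted chunks of each record."""
    records = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(chunks).replace('\\"', '"'))
    return records


def has_verification_record(records, expected_value):
    """True when the exact expected value is published as one TXT record."""
    return expected_value in records


def lookup_txt(name):
    """Live query via dig, for use when you run this yourself; returns None if dig is absent."""
    try:
        out = subprocess.run(["dig", "+short", "TXT", name],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_txt_records(out.stdout)


def email_matches_verified_domain(email, verified_domain):
    """Exact, case-insensitive match on the part after the last '@'. Subdomains and
    look-alikes such as user@example.com.evil.net or user@example.com@evil.net do not match."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower().rstrip(".") == verified_domain.lower().rstrip(".")


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_DIG_OUTPUT)
    print("verification record present:", has_verification_record(recs, EXPECTED_TXT_VALUE))
    for addr in ("alice@example.com", "bob@example.com.evil.net", "eve@example.com@evil.net"):
        print(addr, "->", email_matches_verified_domain(addr, VERIFIED_DOMAIN))
```

Run `lookup_txt("your-domain")` against the real zone once the record is in place; if the expected value is not in the returned list, wait for propagation (or check that you edited the authoritative zone) before retrying verification in HCP.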
» More to Come
OIDC SSO expands user management options for organizations leveraging the HashiCorp Cloud Platform. It can help mitigate account takeover (ATO) attacks, make your identity provider (IDP) the single source of truth for who may log in, and give you better control over user access to your organization. Keep an eye out for further integrations that increase user security and flexibility as HCP develops.