SSO

Single Sign-On (SSO) allows users easy access to CAST AI through their existing SSO provider.

Getting started

To start using SSO, you can use Self-Serve Single Sign-On and configure the integration yourself.

This guide describes the process of establishing trust between CAST AI and your identity provider.

OpenID providers

CAST AI now supports any SSO provider that implements the OpenID Connect standard. This gives you the flexibility to use your preferred identity provider.

Prerequisites

  • An SSO provider that supports OpenID Connect
  • Admin access to configure your SSO provider

Instructions

  1. In your SSO provider, create a new OpenID Connect application
  2. Configure the application with the following settings:
     • Sign-in redirect URI: https://login.cast.ai/login/callback
     • Sign-out redirect URI: https://api.cast.ai/v1/auth/logout
  3. Note the following details you'll need to provide to CAST AI:
     • Client ID
     • Client secret
     • Issuer URL (the base URL for your SSO provider)
  4. In the CAST AI console, go to Organizational profile -> SSO
  5. Click Create SSO Connection and select OpenID as the ID Provider
  6. Fill in the required fields:
     • Name: Give your SSO connection a name
     • Email domain: Your organization's email domain
     • Type: Choose the appropriate type based on your setup:
       • Back channel: Select this if you're using the back channel type of OIDC connection
       • Front channel: Select this if you're using the front channel type of OIDC connection
     • Issuer URL: The base URL for your SSO provider
     • Client ID: From step 3
     • Client secret: From step 3. Required for the Back channel OIDC connection type only.
  7. Click Connect to establish the SSO connection

Your OpenID SSO connection should now be configured and ready to use.

Note

The type you choose (back channel or front channel) should match the configuration in your OpenID provider. If you're unsure which type to use, consult your SSO provider's documentation or your IT administrator.

Azure AD

This section describes setting up an Azure AD application and defining parameters for calling the Create organization SSO connection to establish SSO trust between CAST AI and the customer-created Azure AD application.

Prerequisites

Admin access to your Azure AD subscription.

Instructions

Create an Azure AD application

In your Azure portal, navigate to Microsoft Entra ID > App Registrations > New Registration:

Register a new AD Application

  1. Give your preferred name to an app registration
  2. Set Supported account type to Accounts in this organizational directory only (Single tenant)
  3. Set Redirect URI type to Web, and as a callback value, use https://login.cast.ai/login/callback
  4. Click Register

Configure the new AD Application

  1. Under API permissions, make sure that your application has these permissions:
  2. Make a note of the created app registration Application (client) ID:

Add a Client secret for the created app registration

  1. Under the Certificates & secrets section in the previously created app registration window, select New client secret
  2. Set the description for the secret and set the expiration date for two years.
  3. Note and securely store the Secret Value, as it is shown only during creation.

Now, you can set up a connection using the CAST AI console. Go to Organizational profile -> SSO in the CAST AI console.

Office 365 App

If your organization is using the Office 365 App, please configure your app Initiate login URI as below within the App Registration Home Page URL:
https://console.cast.ai/api/sso?auth0returnTo=https%3A%2F%2Fconsole.cast.ai%2Fapi%2Fsso&domain=org-email-domain

If a URL contains another URL as a query parameter, the parameter must be encoded using percent encoding.
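An added example (not from the CAST AI documentation) showing how to build the Initiate login URI with the nested return URL percent-encoded, and how to decode a configured value to check it; CONSOLE_SSO and the helper names are this example's own, and the domain values are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Base console SSO endpoint that also serves as the nested return URL (from the docs above).
CONSOLE_SSO = "https://console.cast.ai/api/sso"


def build_initiate_login_uri(email_domain: str) -> str:
    """Build the Initiate login URI for the Office 365 app tile.

    urlencode() percent-encodes the nested return URL, so ':' becomes %3A and
    '/' becomes %2F; a raw URL pasted into the query would not be encoded."""
    query = urlencode({"auth0returnTo": CONSOLE_SSO, "domain": email_domain})
    return f"{CONSOLE_SSO}?{query}"


def parse_initiate_login_uri(uri: str) -> dict:
    """Decode a configured URI back into its parts (parse_qs percent-decodes values)."""
    parts = urlsplit(uri)
    params = parse_qs(parts.query, strict_parsing=True)
    return {
        "base": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "return_to": params["auth0returnTo"][0],
        "domain": params["domain"][0],
    }


def check_initiate_login_uri(uri: str, expected_domain: str) -> bool:
    """True when the URI points at the console SSO endpoint, returns to it, and
    carries the expected email domain."""
    try:
        parsed = parse_initiate_login_uri(uri)
    except (KeyError, ValueError):
        return False
    return (parsed["base"] == CONSOLE_SSO
            and parsed["return_to"] == CONSOLE_SSO
            and parsed["domain"] == expected_domain)


if __name__ == "__main__":
    uri = build_initiate_login_uri("example.com")  # constructed domain
    print(uri)
    print(check_initiate_login_uri(uri, "example.com"))
```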

Terraform

If you manage your infrastructure with Terraform, you can check this example of creating an SSO connection with the CAST AI Terraform provider.

Okta Workforce Enterprise Connection

This section describes setting up an Okta OIDC app integration and defining parameters for calling Create organization SSO connection to establish SSO trust between CAST AI and the customer-created Okta OIDC app integration.

Prerequisites

Access to the OKTA admin console.

Instructions

Create a new Okta OIDC app integration

  1. In your admin console, navigate to Applications > Applications and click Create App Integration:
  2. Set Sign-in method and Application type:

     Option           | Type
     -----------------|----------------------
     Sign-in method   | OIDC - OpenID Connect
     Application type | Web Application

  3. Click Next

Configure the OKTA app integration

  1. Give your preferred name to the app integration
  2. Set Sign-in redirect URIs to https://login.cast.ai/login/callback
  3. Set Sign-out redirect URIs to https://api.cast.ai/v1/auth/logout
  4. Set proper Assignments
  5. Click Save

Now, you can set up a connection using the CAST AI console.

Okta App Tile

If your organization is using the Okta App Tile, please configure your app Initiate login URI as such:
https://console.cast.ai/api/sso?auth0returnTo=https://console.cast.ai/api/sso&domain=email-domain

CAST AI Console Okta SSO Configuration:

Navigate to Org Icon -> Manage -> Organizational profile -> SSO.

To create an SSO Connection using Okta in the CAST AI console, follow these steps:

  1. Gather the following information:

    • Connection Name
    • Email Domain (e.g., your-organization.com)
    • (Optional) Additional Email Domains (e.g., your-organization.co.uk, your-organization-service.eu)
    • Identity Provider (Okta)
  2. Prepare the Okta Configuration details:

    • Okta Domain (e.g., dev-12345678.okta.com)
    • Client ID (generated during Okta app creation)
    • Client Secret (generated during Okta app creation)
  3. Enter the information in the SSO Connection form:

    SSO Connection Form

    Note

    Ensure you use your organization's email domain(-s) and the correct Okta domain.

  4. After filling in all required fields, click the Connect button.

  5. If all information is correct, your Okta SSO Connection should be successfully established.

Remember to double-check all entered information before submitting to avoid connection issues. If you encounter any problems, verify your Okta configuration and try again.

Multiple Email Domains Support

CAST AI supports configuring multiple email domains for your SSO connection. This feature is available through three methods.

CAST AI Console

You can add multiple email domains in the configuration form when setting up your SSO connection in the CAST AI console:

  1. Enter your primary email domain.
  2. Click "Add another email domain" to add additional domains, which are optional.
  3. Repeat step 2 for each additional domain.

API

To configure multiple email domains using the CAST AI API, use the Create organization SSO connection endpoint. Include all additional email domains in the additionalEmailDomains array of the request body:

{
  "name": "My SSO Connection",
  "emailDomain": "company.com",
  "additionalEmailDomains": [
    "company.co.uk",
    "company.eu"
  ]
}

Terraform

If you manage your infrastructure with Terraform, you can configure multiple email domains using the CAST AI Terraform provider. Update your Terraform configuration to include all desired email domains.

Expired credentials

While CAST AI doesn't actively monitor SSO credential expiration dates, the platform uses a mechanism to detect when credentials have expired based on provider responses during login attempts. When this happens:

  1. Users will see an error message during login indicating expired credentials:
SSO expired credentials error message
  2. Organization administrators will receive a detailed notification about the SSO connection issue through the notifications hub. See Notifications for more information.

To resolve this, administrators should:

  1. Review the notification details in the CAST AI console
  2. Update the expired credentials in your SSO provider
  3. Verify the SSO connection is working by testing the login

Note

We recommend tracking SSO credential expiration dates in your identity provider to prevent disruption to user access.