HashiCorp Cloud Platform
Set up OIDC for SSO
This page describes the process to set up an OIDC identity provider integration (Auth0 in the steps below) for HCP single sign-on. You can configure HCP for OIDC SSO with the following identity providers:
- Auth0
- AWS
- Azure Entra ID
- CyberArk
- Duo Security
- Google Cloud
- JumpCloud
- Okta
- OneLogin
- PingID
Prerequisites
To set up SSO, you must have admin permissions for your HCP organization. Refer to organizations for more information.
Verify domain
You need to publish a DNS TXT record containing a verification value to prove ownership of a domain. HCP uses the domain to match the email addresses of users for SSO. You must use a different SSO domain for each HCP organization; if you try to reuse a domain name, the DNS verification request fails.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. DNS propagation can take up to 72 hours.
Enable SSO for HCP
After your domain is verified, you can set up OIDC SSO with your preferred identity provider.
Configure Auth0
Follow the steps in the Auth0 documentation to adopt OIDC-Conformant Authentication.
Initiate integration on HCP
- Log in to HCP and go to your organization.
- From your organization, click Organization settings.
- Click SSO. Then click Configure SSO for your organization.
- Select OIDC.
- Enter the following values from your configured identity provider:
  - Client ID
  - Client Secret
  - Issuer URL
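Before entering the Issuer URL into HCP, it is worth confirming that the provider's OIDC discovery document advertises exactly that issuer value and exposes the endpoints the sign-in flow needs. The check below is an added example, not part of the HCP documentation; the tenant name and discovery document it uses are constructed placeholders.

```python
# Added example (not from the HCP docs): pre-flight check of an OIDC Issuer URL
# before entering it into HCP. It compares the `issuer` the provider advertises
# in its discovery document with the value you plan to enter (a trailing-slash
# mismatch is a common cause of failed sign-ins) and confirms the endpoints an
# authorization-code flow needs. Tenant name and document below are constructed.
import json
import urllib.request

REQUIRED_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_url: str) -> str:
    # The discovery path is appended to the issuer; it never replaces its path.
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer_url: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the issuer is usable."""
    problems = []
    advertised = doc.get("issuer")
    if advertised != issuer_url:
        problems.append(f"issuer mismatch: entered {issuer_url!r}, "
                        f"provider advertises {advertised!r}")
    for key in REQUIRED_KEYS:
        if not doc.get(key):
            problems.append(f"missing {key}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    return problems


def fetch_and_check(issuer_url: str, timeout: float = 10.0) -> list:
    """Live variant: fetch the provider's discovery document and check it."""
    with urllib.request.urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return check_discovery(issuer_url, json.load(resp))


# Constructed sample for a placeholder tenant; note the trailing slash on the issuer.
SAMPLE_DOC = {
    "issuer": "https://example-tenant.us.auth0.com/",
    "authorization_endpoint": "https://example-tenant.us.auth0.com/authorize",
    "token_endpoint": "https://example-tenant.us.auth0.com/oauth/token",
    "jwks_uri": "https://example-tenant.us.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
}

if __name__ == "__main__":
    for candidate in ("https://example-tenant.us.auth0.com/",
                      "https://example-tenant.us.auth0.com"):
        print(candidate, "->", check_discovery(candidate, SAMPLE_DOC) or "OK")
```

Run `fetch_and_check("https://<your-tenant>/")` against the live provider and enter the Issuer URL into HCP only when it returns an empty list.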
Complete SSO setup
- Assign a default organization role for users.
- Optionally, turn on Assign users an organization role.
- Click Save.
Now users can sign in to your HCP organization using an existing identity provider.