Manage SSO

4 Minutes to read

Article summary

Did you find this summary helpful?

Thank you for your feedback

This article covers enabling SSO in the Admin Platform, as well as editing, deactivating, and deleting registered applications. For an overview of Admin SSO, including staff log-in instructions, go to Admin Single Sign-On (SSO).

Before enabling SSO, please note:

Our SSO uses the OpenID Connect (OIDC) protocol, not Security Assertion Markup Language (SAML).
We currently support the following OIDC identity providers (IdPs) via self-service: Google Workspace, Microsoft Entra ID, Okta, and Amazon IAM. Please contact your Narmi Relationship Manager if you would like to add a different IdP.
For some providers (like Okta and Microsoft Entra ID), we support IdP-initiated login, allowing your institution to add Narmi to your IdP dashboard.
You must have Admin permissions in the Narmi Admin Platform to register a new SSO.

In this article:

Enable SSO

Enabling SSO in the Admin Platform involves two phases:

From your identity provider's admin center (for example, Okta Admin Console or Microsoft Entra ID), create an authorized OIDC application that allows access tokens and ID tokens to be sent to Narmi.
From Narmi Admin Platform, register that application and activate it.

Phase One – Create an OIDC Application Using Your Identity Provider (IdP)

These steps describe a general approach to creating a new OIDC application that roughly corresponds to what you will see in your specific IdP's admin center. We recommend following your IdP’s documentation for specific details.

Note: Please test the SSO login in your UAT environment before enabling it in your Production environment. The examples below refer to UAT environments, but the steps are identical for implementing SSO in Production environments.

To create an OIDC application using your IdP:

In the admin center of your IdP, register or create a new application. We recommend naming it “Narmi Admin Platform – UAT” or “Narmi UAT Admin Platform”. If necessary, specify that the application is a web application.
Enable the app to issue ID tokens using the OIDC protocol. We recommend enabling “Refresh tokens” if the option is available.
Register the Narmi redirect/callback URI using this format: https://{your-staff-portal.com}/oidc/{your-provider-shortname}/callback. For example: https://creditunion-staff.uat.narmitech.com/oidc/okta/callback.
Optional: Register the Narmi login URI using this format: https://{your-staff-portal.com}/oidc/{your-provider-shortname}/redirect. For example: https://creditunion-staff.uat.narmitech.com/oidc/okta/redirect. Adding this URI is typically required if you would like to support IdP-initiated login through your IdP dashboard or homepage.
Enable the application for any applicable users in your directory, as needed.
Take note of the following information, which is typically displayed in the application overview. You will need to enter this information in phase two below:
- Client ID – the unique ID of the application you just created
- Client Secret – a secret associated with your application. This may need to be created separately in a "Permissions" view for the application.
- OIDC Discovery URL – a public URL that returns information about your OIDC application. It typically ends with “/.well-known/openid-configuration”. You may need to consult your IdP’s official documentation to find this URL.

Phase Two – Register the OIDC Application in the Narmi Admin Platform

To register the OIDC application you created in phase one above:

From the Admin Platform sidebar, select Configurations > SSO.
On the SSO page that appears, select "+" in the Authorized applications box.
In the dialog that appears, enter the following information:
- Provider – Choose your IdP from the list. The options are Microsoft (Microsoft Entra ID), Okta, Amazon (Amazon IAM), and Google (Google Workspace). If your IdP is not on this list, please contact your Narmi Relationship Manager to have it added.
- Client ID – The unique ID of the application you just created
- Client Secret – A secret associated with your application
- OIDC Discovery URL – This is a public URL that returns information about your OIDC application. It typically ends with “/.well-known/openid-configuration”. You may need to consult your IdP’s official documentation to find this URL.
Select Save. By default, newly registered applications are inactive, which means that they will not be visible on the Narmi Login page and users will not be able to use them to log in until activated.
When ready to enable SSO, from the SSO page, select "v" next to your application, and select Activate.
Once the application is activated, it will appear as an option on the login page and will be available for IdP-initiated login if you have enabled that on the IdP side.

Currently, we limit you to one application per OIDC provider via self-service. If you would like to add multiple applications using the same IdP, please contact your Narmi Relationship Manager.