ACTIVATE allows you to configure how users authenticate to your organization. You can set up multiple authentication methods, including passwords, LDAP, and OpenID Connect (OIDC), to match your organization's security requirements.
From the Organizations list, select your organization. In the sidebar, under Settings, click Authentication.
The Authentication page displays a table of all configured authentication methods. Its columns include the method type (cac, ldap, oidc, or password).

If no methods have been configured, the page displays: "No authentication options configured."
Click the Add method dropdown button to see the available options:
Password authentication requires no configuration. Select Password from the Add method dropdown and the method is created immediately.
Only one password method is allowed per organization. Once a password method exists, the Password option is hidden from the dropdown. Password methods can be deleted like any other method.
To add a new LDAP method, select LDAP from the Add method dropdown. To edit an existing LDAP method, click its name in the authentication methods table.
| Field | Required | Description |
|---|---|---|
| Name | Yes | Display name shown on the login page. |
| Domain | Yes | LDAP server domain (e.g., `example.com`). |
| Filter | Yes | User lookup filter. Use `__USERNAME__` as a placeholder for the authenticating user's name (e.g., `(uid=__USERNAME__)`). |
| Base DN | No | Starting point for LDAP searches (e.g., `ou=orgUnit,dc=example,dc=com`). |
Toggle Use Service Account to enable or disable service account authentication.
Toggle Use TLS to enable or disable Transport Layer Security when connecting to the LDAP server.
These fields control how LDAP attributes map to ACTIVATE user properties.
| Field | Default | Description |
|---|---|---|
| Unique Identifier | cn | Attribute that uniquely identifies users. |
| Username | uid | Attribute used as the username. |
| Full Name | cn | Attribute used as the display name. |
| Email | mail | Attribute used as the email address. |
| UID Number | (none) | Unix UID used during account creation. If not set, a UID is auto-generated. |
Before saving, you can verify the LDAP configuration by testing a connection.
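As an added example (not ACTIVATE's own code), the following Node.js script shows how the Filter field and the attribute mapping above combine for one login: the `__USERNAME__` placeholder is replaced with the authenticating user's name, escaped per RFC 4515 so that characters such as `*`, `(` and `)` can only match literally (whether ACTIVATE escapes the substituted value itself is not stated on this page), and the entry the directory returns is mapped onto the platform's user properties using the table's defaults, with a generated UID when UID Number is unset. The function names, the sample directory entry and the UID generator are constructed for the example.

```javascript
// Added example, not ACTIVATE's own code: how an LDAP method's filter template
// and attribute mapping are applied. Function names, the sample entry and the
// UID generator are constructed for illustration.

// RFC 4515 escaping for a value substituted into a search filter: the user's
// name can then only match as a literal string, never as filter syntax.
const FILTER_ESCAPES = { "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\u0000": "\\00" };

function escapeFilterValue(value) {
  return Array.from(value, (ch) => FILTER_ESCAPES[ch] ?? ch).join("");
}

// Render the Filter field, e.g. "(uid=__USERNAME__)", for one login attempt.
function renderFilter(template, username) {
  if (!template.includes("__USERNAME__")) {
    throw new Error("filter template has no __USERNAME__ placeholder");
  }
  return template.split("__USERNAME__").join(escapeFilterValue(username));
}

// Defaults from the attribute mapping table. UID Number has no default: when
// it is unset, a UID is generated instead of being read from the directory.
const DEFAULT_MAPPING = {
  uniqueIdentifier: "cn",
  username: "uid",
  fullName: "cn",
  email: "mail",
  uidNumber: null,
};

// Build the platform-side user record from a directory entry, given as
// attribute -> array of values (the shape LDAP search results come back in).
function mapEntry(entry, mapping = DEFAULT_MAPPING, nextUid = () => 10001) {
  const first = (attr) =>
    attr && Array.isArray(entry[attr]) && entry[attr].length ? entry[attr][0] : null;
  const user = {
    uniqueIdentifier: first(mapping.uniqueIdentifier),
    username: first(mapping.username),
    fullName: first(mapping.fullName),
    email: first(mapping.email),
  };
  // Without an identifier and a username there is nothing to create an account for.
  for (const key of ["uniqueIdentifier", "username"]) {
    if (user[key] === null) throw new Error(`entry lacks attribute ${mapping[key]} for ${key}`);
  }
  const uid = first(mapping.uidNumber);
  user.uidNumber = uid === null ? nextUid() : Number(uid);
  return user;
}

// Constructed entry, as a search under ou=orgUnit,dc=example,dc=com might return it.
const SAMPLE_ENTRY = {
  cn: ["Alice Example"],
  uid: ["alice"],
  mail: ["alice@example.com"],
  uidNumber: ["2001"],
};

console.log(renderFilter("(uid=__USERNAME__)", "alice"));
console.log(mapEntry(SAMPLE_ENTRY));
console.log(mapEntry(SAMPLE_ENTRY, { ...DEFAULT_MAPPING, uidNumber: "uidNumber" }));
```

Run it with `node` to see the rendered filter and both mappings; the second `mapEntry` call sets UID Number to the `uidNumber` attribute, so the directory's value (2001) is used instead of a generated one.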
To add a new OIDC method, select OIDC from the Add method dropdown. To edit an existing OIDC method, click its name in the authentication methods table.
| Field | Default | Description |
|---|---|---|
| Name | oidc | Internal identifier. Must be lowercase alphanumeric characters and hyphens only. |
| Display Name | OIDC | The label shown on the login page. |
Toggle Discover Endpoints? to control how OIDC endpoints are configured. This toggle is enabled by default.
When enabled: Enter only the Issuer URL. All other endpoints (user info, token, authorization, and end session) are discovered automatically from the provider's well-known configuration.
When disabled: Enter each endpoint manually:
| Field | Required | Description |
|---|---|---|
| User Info Endpoint | Yes | URL for retrieving user profile information. |
| Token Endpoint | Yes | URL for exchanging authorization codes for tokens. |
| Authorization Endpoint | Yes | URL where users are redirected to authenticate. |
| End Session Endpoint | No | URL for logging users out of the identity provider. |
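As an added example (not ACTIVATE's own code), this Node.js script shows what the two states of the Discover Endpoints? toggle amount to: with discovery enabled, the four endpoints in the table above are read from the document at `<issuer>/.well-known/openid-configuration`; with it disabled, the same four values come from the form. Both paths apply the checks a practitioner would want before saving: the document's `issuer` must equal the configured Issuer URL (an OpenID Connect Discovery requirement), each required endpoint must be present, and every endpoint must use https. The issuer, the discovery document and the function names are constructed.

```javascript
// Added example, not ACTIVATE's own code: endpoint discovery versus manual
// entry for an OIDC method. The issuer and discovery document are constructed,
// so nothing is fetched over the network.

function discoveryUrl(issuer) {
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

// Checks applied to every endpoint, whether discovered or typed into the form.
function requireHttps(name, url, required) {
  if (url === undefined || url === null || url === "") {
    if (required) throw new Error(`${name} endpoint is required`);
    return null;
  }
  const parsed = new URL(url); // throws on malformed input
  if (parsed.protocol !== "https:") throw new Error(`${name} endpoint must use https: ${url}`);
  return url;
}

// Form field, discovery document key, required?
const ENDPOINT_KEYS = [
  ["userInfo", "userinfo_endpoint", true],
  ["token", "token_endpoint", true],
  ["authorization", "authorization_endpoint", true],
  ["endSession", "end_session_endpoint", false],
];

// Discover Endpoints? enabled: only the Issuer URL is configured.
function endpointsFromDiscovery(issuer, documentJson) {
  const doc = JSON.parse(documentJson);
  // OpenID Connect Discovery requires the "issuer" value in the document to be
  // identical to the Issuer URL the document was retrieved for.
  if (doc.issuer !== issuer) {
    throw new Error(`issuer mismatch: document says ${doc.issuer}, configured ${issuer}`);
  }
  const endpoints = {};
  for (const [name, key, required] of ENDPOINT_KEYS) {
    endpoints[name] = requireHttps(name, doc[key], required);
  }
  return endpoints;
}

// Discover Endpoints? disabled: each endpoint is typed in by hand.
function endpointsFromForm(fields) {
  const endpoints = {};
  for (const [name, , required] of ENDPOINT_KEYS) {
    endpoints[name] = requireHttps(name, fields[name], required);
  }
  return endpoints;
}

const ISSUER = "https://idp.example.com";
// Constructed discovery document with the fields this page cares about.
const SAMPLE_DISCOVERY = JSON.stringify({
  issuer: ISSUER,
  authorization_endpoint: "https://idp.example.com/oauth2/authorize",
  token_endpoint: "https://idp.example.com/oauth2/token",
  userinfo_endpoint: "https://idp.example.com/oauth2/userinfo",
  end_session_endpoint: "https://idp.example.com/oauth2/logout",
  jwks_uri: "https://idp.example.com/oauth2/keys",
});

console.log(discoveryUrl(ISSUER));
console.log(endpointsFromDiscovery(ISSUER, SAMPLE_DISCOVERY));
```

The same `requireHttps` check runs on both paths, so switching the toggle off and pasting the discovered URLs by hand yields exactly the structure discovery produced; a provider that omits `end_session_endpoint` simply leaves End Session Endpoint empty.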
| Field | Default | Description |
|---|---|---|
| Client ID | (none) | The client ID from your identity provider. Required. |
| Scopes | openid profile email | Space-separated list of OAuth scopes to request. Required. |
The Token Endpoint Auth Method dropdown determines how the ACTIVATE platform authenticates with your identity provider's token endpoint. The available options are:

- `client_secret_post` — The client secret is sent in the POST body of token requests.
- `client_secret_basic` — The client secret is sent in the Authorization header as a Base64-encoded string.
- `private_key_jwt` — A JWT signed with a private key is used for authentication.

Credentials change based on the selected auth method:

- `client_secret_post` or `client_secret_basic`: A Client Secret text field is displayed.
- `private_key_jwt`: A Private Key PEM textarea is displayed where you paste the PEM-encoded private key.

| Option | Default | Description |
|---|---|---|
| Title Case | Off | Converts usernames to title case for normalization. |
| Skip Platform MFA Verification | Off | Bypasses the additional MFA step after OIDC login. |
| Create account on first login | On | Automatically creates ACTIVATE accounts for new OIDC users. When disabled, only users with existing ACTIVATE accounts can log in via OIDC. |
A read-only field at the bottom of the configuration page displays the callback URL:

`https://your-domain/api/sso/oidc/callback`

Copy this value and configure it as an allowed redirect URI in your identity provider.
To delete any authentication method:
OIDC authentication supports any standards-compliant OpenID Connect identity provider, including: