Single Sign-On
CCC supports Single Sign-On (SSO) using OpenID Connect (OIDC), allowing you to integrate an external Identity Provider (IdP) for seamless and secure authentication. A primary admin performs the configuration by preparing the IdP, collecting the required values, and completing the SSO setup in CCC. CCC supports both automatic discovery-based configuration and manual endpoint configuration. Once configured and activated, users can authenticate using their corporate identity without additional credentials. Use the following steps to configure SSO in CCC using an IdP:
CCC supports integration with any Identity Provider (IdP) that implements the OIDC standard. Official validation has been performed with Okta, STA, and Microsoft Entra ID. To configure SSO successfully, first complete all the steps on this page to understand and configure the CCC-side SSO requirements. After that, complete the corresponding provider-specific guide (Single Sign-On with Okta, Single Sign-On with STA, or Single Sign-On with Microsoft Entra ID) to perform the IdP-side configuration.
If you plan to use a different OIDC-compliant provider, we strongly recommend completing end-to-end validation in your environment before deploying to production. For assistance, contact Thales Support.
Add the IdP TLS certificate to the CCC trust store if the certificate is self-signed or signed by a private Certificate Authority (CA).
This step is required to allow CCC to establish a trusted TLS connection with the IdP.
Copy the IdP TLS certificate file to the ${CCC_BASE_DIR}/ccc-certs/ directory.
Name the certificate file using the ccc_idp_trust prefix (for example, ccc_idp_trust_myca.pem).
Start or restart the CCC application container.
Create and configure an OIDC application in the IdP. During this configuration, define the redirect URL, client credentials, and claims required by CCC.
Confirm that the IdP implements the OIDC standard; CCC has been officially tested and validated with Okta, STA, and Microsoft Entra ID.
Collect the following configuration values from the IdP before proceeding: Discovery URL, Client ID, Client Secret, Role Claim Name, and Organization Claim Name.
Configure the role claim in the IdP to be returned as an array in the token (for example, for the CCC admin role: "roles": ["ccc_admin"]).
Configure the organization claim in the IdP to be returned as a string in the token (for example, "ccc_organization": "myorg").
Log in to CCC as a primary admin.
Navigate to Administration > Single Sign-On > Add SSO.
Enter the basic SSO configuration details.

| Field | Description |
|---|---|
| SSO Display Name | A user-friendly name displayed on the CCC login page (for example, Company Login). |
| Alias | A unique identifier for the IdP (for example, company-idp). Do not use spaces or special characters. |
| Sign-in Redirect URL | Automatically generated after you enter the Alias. Copy this URL and register it in your IdP configuration. |

Configure the Identity Provider endpoints by choosing one of the following configuration methods: Automatic setup (enable the discovery endpoint and provide the Discovery URL) or Manual setup (disable discovery and enter the required endpoint values: Authorization URL, Token URL, optional Logout URL, UserInfo URL, and Issuer).

Enter the authentication and claim-mapping values.

| Field | Description |
|---|---|
| Client ID | Client identifier issued by the IdP. |
| Client Secret | Secret associated with the client ID. |
| Role Claim Name | Claim used to map IdP roles to CCC roles. |
| Organization Claim Name | Claim used to associate users with an organization in CCC. |

Verify that the configured claim names and formats exactly match the token returned by the IdP.
Save and activate the SSO configuration by clicking Add SSO.
Test authentication using a test user account.
Verify successful login, role mapping, and organization mapping.
Once these steps are complete, users can sign in to CCC using the configured SSO option. If issues occur, review the Identity Provider logs and CCC error messages to diagnose endpoint, certificate, or claim-mapping problems. After completing this CCC-side configuration, proceed to the appropriate provider-specific guide (Single Sign-On with Okta, Single Sign-On with STA, or Single Sign-On with Microsoft Entra ID) to perform the IdP-side configuration.
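The claim verification step above can be done offline against a token issued to a test user. The following is an added example, not part of CCC or any IdP tooling: it decodes the token payload without verifying the signature (inspection only) and checks that the role claim is an array and the organization claim is a string. The function names and the sample tokens are constructed for illustration; the claim names `roles` and `ccc_organization` are the examples used on this page.

```python
import base64
import json


def decode_payload(token):
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(payload, role_claim, org_claim):
    """List mismatches between the token and the configured claim names."""
    problems = []
    for name in (role_claim, org_claim):
        if name not in payload:
            # A case-only difference usually means a typo in the configured name.
            near = [k for k in payload if k.lower() == name.lower()]
            hint = f" (token has {near[0]!r}; names must match exactly)" if near else ""
            problems.append(f"claim {name!r} is missing{hint}")
    roles = payload.get(role_claim)
    if role_claim in payload and not (
        isinstance(roles, list) and all(isinstance(r, str) for r in roles)
    ):
        problems.append(f"{role_claim!r} must be an array of strings, got {roles!r}")
    org = payload.get(org_claim)
    if org_claim in payload and not isinstance(org, str):
        problems.append(f"{org_claim!r} must be a string, got {org!r}")
    return problems


def make_sample_token(payload):
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}.constructed-signature"


# Constructed samples: the shapes from the steps above, then two common mistakes.
GOOD = make_sample_token({"roles": ["ccc_admin"], "ccc_organization": "myorg"})
BAD_SHAPE = make_sample_token({"roles": "ccc_admin", "ccc_organization": ["myorg"]})
BAD_NAME = make_sample_token({"Roles": ["ccc_admin"], "ccc_organization": "myorg"})

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("bad shape", BAD_SHAPE), ("bad name", BAD_NAME)):
        print(label, check_claims(decode_payload(tok), "roles", "ccc_organization"))
```

Pass the Role Claim Name and Organization Claim Name exactly as entered in CCC; an empty result means the token matches the expected names and formats.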