Enable Single Sign-On with OIDC Authentication

Starting in MicroStrategy ONE (December 2024), you can add system prompt mapping and nested groups to your OIDC authentication. This additional customization provides more granular control over user access and improves the overall security and usability of your system.

You can enable single sign-on with OpenID Connection (OIDC) authentication for Azure, Okta, and more.

The ability to view or edit certain settings is determined by a user's privileges. All necessary privileges are included in the Administrator role by default. You must belong to the System Administrators group to use this feature.

See Enable Single Sign-On with OIDC Authentication in the System Administration Help for more details.

1. Open the Workstation window.

2. In the Navigation pane, click Environments.

3. Right-click an environment and choose Configure Enterprise Security > OIDC.



4. In Step 1: Name the Configuration, type a name.
5. In Step 2: Select an identity provider, select an identity provider.
6. In Step 3: Identity Provider Configuration, click View configuration instruction to view a step-by-step configuration guide. Use the instructions to complete steps 3 and 4. Starting in MicroStrategy 2021 Update 10, if your IdP supports single logout, you can enable it using Enable Single Logout with OIDC Authentication.
7. If you need assistance from your administrator that is in charge of enterprise Identity and Access Management (IAM), click Request access from your administrator.

8. In Step 5: User Mapping, configure the following settings for IAM user mapping...

   User Claim Mapping Expand to enter OIDC claims to identify users and display their info.

   MicroStrategy ONE (December 2024) adds support for nested groups in OIDC authentication. Enter \ between each nested group. For example, if you have a group "B" that is nested under group "A", enter A\B in Groups.

   User Attribute Mapping Expand to enter prompts to map attributes for system prompts.

   Starting in MicroStrategy ONE (December 2024), use SSO system prompts as everyday system prompts to create a report filter or security filter. For more information on Intelligence Server system prompts, see KB10937.

   There are 40 SSO system prompts that you can use, 15 with text type, 15 with numeric type, and 10 with date type. For data type formats, the following formats are supported:

   • Raw timestamp. For example, 1674304586.

   • String with time. For example, 2023-01-21 20:36:26.

   • String without time. For example, 2024-08-07.

   Primary User Identifier Enter the OIDC claim used to identify users. By default, the OIDC claim is email.

   Login Name: Enter the OIDC claim for the login name. By default, the OIDC claim is name.

   Full name Enter the OIDC claim used for display users’ full names in MicroStrategy. By default, the OIDC claim attribute is name.

   Email Enter the OIDC claim used as the user's email in MicroStrategy. By default, the OIDC claim attribute is email.

   Advanced Expand to enter advanced user mapping settings.

   Import User at Login Activate this toggle to allow users from your active directory to use their credentials to log in to MicroStrategy.

9. If Okta is selected as the identity provider, in Step 6: Test Configuration, click Test Configuration to test with the credentials you provided above.

10. Click Save.

11. Access the Library Admin page to complete additional steps before the OIDC authentication takes effect.