Setting up SSO

Fireworks uses single sign-on (SSO) as the primary mechanism to authenticate with the platform.

Coordinate with your Fireworks.ai representative to enable the integration. Fireworks supports the following SSO implementations:

  • OpenID Connect (OIDC) provider
  • SAML 2.0 provider
  • Google Workspace

OpenID Connect (OIDC) provider

  1. Create an OIDC client application in your identity provider, e.g. Okta.
  2. Ensure the client is configured for "code authorization" of the "web" type
    (i.e. with a client_secret).
  3. Set the client's "allowed redirect URL" to the URL provided by Fireworks. It
    looks like https://fireworks-<your-company-name>.auth.us-west-2.amazoncognito.com/oauth2/idpresponse.
  4. Note down the issuer, client_id, and client_secret for the newly
    created client. You will need to provide these to your Fireworks.ai
    representative to complete your account setup.

SAML 2.0 provider

  1. Create a SAML 2.0 application in your identity provider, e.g. Okta.
  2. Set the SSO URL to the URL provided by Fireworks. It looks like https://fireworks-<your-company-name>.auth.us-west-2.amazoncognito.com/saml2/idpresponse.
  3. Configure the Audience URI (SP Entity ID) as provided by Fireworks. It looks like urn:amazon:cognito:sp:<some-unique-identifier>.
  4. Create an Attribute Statement with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    and the value user.email.
  5. Leave the rest of the settings as defaults.
  6. Note down the "metadata URL" for your newly created application. You will
    need to provide this to your Fireworks.ai representative to complete your
    account setup.
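
One way to confirm the values from steps 2 to 4 before handing over the metadata URL is to inspect a decoded assertion from a test login. The following is an added example, not Fireworks' own code: the function name check_assertion, the company name "acme", the identifier "EXAMPLE-ID" and the sample assertion are constructed placeholders, and the script checks configuration only (it does not verify the assertion's signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Constructed placeholders; substitute the exact values Fireworks provides.
SSO_URL = "https://fireworks-acme.auth.us-west-2.amazoncognito.com/saml2/idpresponse"
AUDIENCE = "urn:amazon:cognito:sp:EXAMPLE-ID"

# Constructed sample assertion (unsigned, trimmed to the fields checked here).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{SSO_URL}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, sso_url, audience_uri):
    """List mismatches between a test assertion and the values from steps 2-4."""
    root = ET.fromstring(xml_text)
    problems = []
    # Step 2: the assertion must be addressed to the SSO URL.
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if sso_url not in recipients:
        problems.append(f"Recipient {recipients} does not include {sso_url}")
    # Step 3: the audience restriction must name the SP Entity ID.
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences} does not include {audience_uri}")
    # Step 4: the emailaddress claim must be present and carry an address.
    values = [(v.text or "").strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == EMAIL_CLAIM
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not any("@" in v for v in values):
        problems.append(f"No email value found under attribute {EMAIL_CLAIM}")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, SSO_URL, AUDIENCE) or "assertion matches the configured values")
```

Run it only on assertions from your own test login, and treat an empty result as a configuration check rather than proof that the assertion is authentic.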