
Create a ConductorOne tenant

Follow this step-by-step guide to creating a new ConductorOne tenant.

Before you begin

To complete this guide, you’ll need:

  • A ConductorOne enrollment code (if you don’t have an enrollment code, contact support@conductorone.com)
  • Ability to create an SSO app in the IdP (if using Okta, OneLogin, or JumpCloud)

Estimated time: 15 minutes

Step 1: Register your ConductorOne domain

  1. Go to https://accounts.conductor.one/accounts/signup.

  2. In the Domain field, enter the domain you want to use for your ConductorOne instance.

    For example, if you work at Acme Co., enter acmeco to create an acmeco.conductor.one domain.

  3. In the Display name field, enter the name of your company.

  4. In the Invite code field, paste in the invite code you received from ConductorOne. The code is case-sensitive.

  5. Click Sign up with [your SSO provider].

Step 2: Authenticate with your SSO provider

Jump to the instructions for your SSO provider:

Authenticate with Google

When prompted to log in, click your corporate account and continue logging in.

Google will now re-authenticate you, if needed, and log you in to ConductorOne.

Authenticate with Okta

Step 1: Add the ConductorOne app in Okta

First, add the ConductorOne app to Okta.

  1. In a new browser tab, navigate to the Okta admin console and click Applications > Applications > Browse App Catalog.

  2. Search for “ConductorOne” and select the ConductorOne app, then click Add Integration.

  3. In the Subdomain field, enter the domain you chose for your ConductorOne instance.

  4. Select whether you want to make the ConductorOne application visible to users, then click Done.

Step 2: Assign users to the Okta app

Next, assign the ConductorOne app to an Okta user or group so the user or group can access and use the app.

If you do not assign the Okta app to yourself, you will receive an error at login and your ConductorOne tenant will not be created!

  1. Still in the Okta admin console, click the ConductorOne app’s Assignments tab.

  2. Click Assign and select either Assign to People or Assign to Groups.

  3. Locate the user or group you want to assign the app integration to and click Assign.

  4. Confirm that the data is correct in the Assign ConductorOne to dialog.

  5. Click Save and Go Back. The Assigned button for the user or group is disabled to indicate the app integration is assigned.

  6. If necessary, repeat steps 2-6 to assign the ConductorOne app to additional users or groups.

  7. Click Done.

Step 3: Input OAuth credentials into Okta ConductorOne app

In this step, you’ll configure the SSO settings for the ConductorOne app in Okta. To complete this step you’ll move back and forth between your Okta tab and the ConductorOne registration tab.

  1. In Okta, click Applications > Applications > ConductorOne to return to the new ConductorOne application’s details screen.

  2. Copy your Okta domain (such as acmeco.okta.com) from the browser’s address bar and paste your Okta domain into the Okta domain field in ConductorOne.

  3. In Okta, click the Sign On tab. Copy the ConductorOne app’s client ID by clicking the Copy to clipboard icon.

  4. In ConductorOne, paste the client ID into the Client ID field.

  5. In Okta, copy the ConductorOne app’s client secret by clicking the Copy to clipboard icon, then paste the client secret into the Client secret field in ConductorOne.

  6. In ConductorOne, click Sign up with Okta.

Okta will guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.

Authenticate with OneLogin

Step 1: Create an OIDC app in OneLogin

  1. In a new browser tab, navigate to the OneLogin administration portal and click Apps.

  2. Click Add App.

  3. Search for “OpenID Connect” or “oidc” and click OpenId Connect (OIDC).

  4. Enter the following information in the specified fields:

    • Display name: ConductorOne
    • (Optional) Logo: ConductorOne logo (right-click to copy)
  5. Click Save.

  6. On the Configuration tab, fill out the specified fields as follows:

    • Login Url: Leave this field blank
    • Redirect URI’s: Enter https://accounts.conductor.one/auth/callback
    • Post Logout Redirect URIs: Leave this field blank
  7. On the SSO tab, make the following selections:

    • Application Type: Web
    • Authentication Method: POST

Step 2: Configure the SSO settings on the OneLogin ConductorOne app

In this step, you’ll configure the SSO settings for the ConductorOne app in OneLogin. To complete this step you’ll move back and forth between your OneLogin tab and the ConductorOne registration tab.

  1. In OneLogin, copy your OneLogin domain (such as acmeco.onelogin.com) from the browser’s address bar.

  2. In ConductorOne, paste your OneLogin domain into the OneLogin domain field.

  3. In OneLogin, on the SSO tab, copy the ConductorOne app’s Client ID.

  4. In ConductorOne, paste the Client ID into the Client ID field.

  5. In OneLogin, copy the ConductorOne app’s Client Secret.

  6. In ConductorOne, paste the Client Secret into the Client secret field.

  7. In ConductorOne, click Sign up with OneLogin. OneLogin will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.

Step 3: Assign users to the OneLogin ConductorOne app

Lastly, give your colleagues access to ConductorOne via OneLogin SSO by adding the new ConductorOne app to one or more OneLogin user groups.

  1. In the OneLogin admin portal, navigate to User Groups.

  2. Select the existing user group you’d like to give access to ConductorOne (or create a new user group by clicking the Create button).

  3. Click Applications and select ConductorOne.

  4. Click Save.

Authenticate with JumpCloud

Step 1: Create an OIDC app in JumpCloud

  1. In a new browser tab, navigate to the JumpCloud Admin Portal and click User authentication > SSO.

  2. Click + Add New Application.

  3. Scroll to the bottom of the window and click Custom OIDC App.

  4. Enter the following information in the specified fields:

    • Display Label: ConductorOne
    • (Optional) Logo: ConductorOne logo (right-click to copy)
  5. Click Save.

  6. On the SSO tab, fill out the specified fields as follows:

    • Redirect URIs: Enter https://accounts.conductor.one/auth/callback
    • Client Authentication Type: Client Secret POST
    • Login URL: https://YOUR_DOMAIN.conductor.one/login?sso_operation=initiate_login (use the ConductorOne domain you chose in Step 1)
  7. In the User Attribute Mapping section, enter email in the Service Provider Attribute Name field and select email in the JumpCloud Attribute Name field, then click Add Attribute.

  8. On the User Groups tab, select one or more groups to assign access to ConductorOne.

  9. Click Activate. Leave the Application Saved popup that displays the Client ID and the Client Secret fields open. You’ll use these values in the next step.

Step 2: Configure OIDC settings on the JumpCloud ConductorOne app

In this step, you’ll configure the SSO settings for the ConductorOne app in JumpCloud. To complete this step you’ll move back and forth between your JumpCloud tab and the ConductorOne registration tab.

  1. In JumpCloud, copy the ConductorOne app’s Client ID from the Application Saved popup.

  2. In ConductorOne, paste the Client ID into the Client ID field.

  3. In JumpCloud, copy the ConductorOne app’s client secret and paste it into the Client secret field in ConductorOne.

  4. In ConductorOne, click Sign up with JumpCloud. JumpCloud will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.

Step 3: Grant users access and log in

Lastly, give your colleagues access to ConductorOne via JumpCloud SSO by adding the new ConductorOne app to a JumpCloud user group.

  1. In the JumpCloud Admin Portal, navigate to User Groups.

  2. Select the existing user group you’d like to give access to ConductorOne (or create a new user group by clicking the Create button).

  3. Click Applications and select ConductorOne.

  4. Click Save.

Authenticate with Microsoft

  1. When prompted to authenticate with Microsoft, select your corporate account.

  2. Review the permissions requested by ConductorOne. These permissions are needed to establish the SSO link between Microsoft and ConductorOne.

    • If you have the correct permission level in Microsoft, check the box to Consent on behalf of your organization. This enables the requested ConductorOne permissions for all users in your organization.
    • If you do not have the permissions needed to check the box, then before other users attempt to sign in to ConductorOne using SSO, direct your Microsoft administrator to manage permissions for the ConductorOne application by navigating to Enterprise applications > ConductorOne SSO > Permissions and clicking Grant admin consent for ….
  3. Click Accept.

Microsoft will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.

Authenticate with PingOne

Step 1: Create an OIDC app in PingOne

  1. In a new browser tab, log into your PingOne Administration console and navigate to Applications > Applications.

  2. Click the + (plus sign) to create a new application.

  3. Enter the following information in the specified fields:

    • Application name: ConductorOne
    • (Optional) Logo: ConductorOne logo (right-click to copy)
  4. In the Application Type area of the page, select OIDC Web App.

  5. Click Save.

  6. On the Configuration tab, click Edit and fill out the specified fields as follows:

    • Token Endpoint Authentication Method: Client Secret Post
    • Redirect URI’s: Enter https://accounts.conductor.one/auth/callback
    • Initiate Login URI: Enter https://your_domain.conductor.one/login
  7. Click Save.

  8. At the top of the page, click the toggle to enable the new application.

  9. Return to the Configuration tab and carefully copy and save the new app’s Client ID, Client secret, and Environment ID. You’ll use these in Step 2.

Step 2: Configure the SSO settings on the PingOne ConductorOne app

  1. Back in the ConductorOne setup tab, paste the Client ID, Client secret, and Environment ID into the form at the right of the page.

  2. Click Sign up with PingOne. PingOne will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.

Authenticate with generic OpenID Connect

Step 1: Create an OIDC app in your identity provider

  1. In a new browser tab, log into your identity provider and create a new OIDC application.

    • Configure the redirect URI to use https://accounts.conductor.one/auth/callback.
    • Ensure the authorization code flow is enabled.
  2. Gather OIDC credentials to pass to ConductorOne:

    • Issuer URL (the base URL of your OIDC provider)
    • Client ID
    • Client secret
    • Optional: Additional scopes beyond openid, profile, and email
  3. Back in the ConductorOne setup tab, paste the Issuer URL, Client ID, Client secret, and any OIDC scopes into the relevant fields in the form at the right of the page.

  4. Click Sign up with OIDC. Your identity provider will now guide you through the SSO sign-in process and redirect you to the ConductorOne dashboard.
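
Before pasting the Issuer URL into ConductorOne, you can check your identity provider's OIDC discovery document against the requirements listed above. The following is an added example, not ConductorOne code: the function names are hypothetical, and the sample metadata and the idp.example.com issuer are constructed for illustration.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # default scopes named on this page
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of an IdP's discovery document (not real provider output).
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

def discovery_url(issuer_url):
    """OIDC Discovery: strip a trailing slash, then append the well-known path."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def preflight(issuer_url, metadata):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    parts = urlsplit(issuer_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URL is not an https:// URL")
    if parts.query or parts.fragment:
        problems.append("issuer URL carries a query string or fragment")
    # Discovery requires the advertised issuer to equal the configured one
    # exactly; a stray trailing slash can be enough to fail token validation.
    if metadata.get("issuer") != issuer_url:
        problems.append("metadata issuer differs from the issuer URL entered")
    # The authorization code flow is advertised as response type "code".
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    # scopes_supported is optional in discovery; only judge it when present.
    if "scopes_supported" in metadata:
        missing = REQUIRED_SCOPES - set(metadata["scopes_supported"])
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    for key in ENDPOINT_KEYS:
        if not str(metadata.get(key, "")).startswith("https://"):
            problems.append(key + " is missing or not https")
    return problems

if __name__ == "__main__":
    print(discovery_url("https://idp.example.com"))
    print(preflight("https://idp.example.com", SAMPLE_METADATA) or "ok")
```

To run it against a real provider, fetch the JSON at the address returned by discovery_url() and pass the parsed document to preflight() in place of the sample.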

Success!

Your ConductorOne tenant is created and you are logged in!

See our other getting started guides to move through the product and get on the fast track to modern governance.