Configuring the New SSO (SCIM‑Based) for Administrators (Web Console)

HP Insights supports Single Sign-On (SSO) for logging into the web console, allowing system users to authenticate using credentials from their organization's identity provider. Upon first login, users are redirected to the identity provider’s login page and, once authenticated, are returned to the HP Insights web console.

Supported authentication protocols include:

  • SAML (Security Assertion Markup Language)

  • OpenID Connect

SSO Options for administrators

HP Insights supports two methods for configuring SSO for administrators:

Legacy Admin SSO

Legacy Admin SSO is the original model for enabling SSO for HP Insights web console administrators. It focuses on authentication only while admin accounts and roles remain manually controlled in HP Insights.

Use Legacy Admin SSO when:

  • The number of admin users is small

  • Admin users can be managed manually

  • SCIM provisioning and group‑based access control are not required

Refer to the Configure Legacy Single Sign‑On for System Users if this option suits your organization's requirements.

New Admin SSO (SCIM based)

The New Admin SSO (SCIM-based) is the newer model designed for group-based, SCIM‑driven access to the HP Insights web console. Admin identities, group membership, and role assignment are managed in an external identity provider and synchronized into HP Insights. Use this model if the following applies to you.

  • Admin access must be centrally controlled via an identity provider.

  • The organization wants to manage who can log in and what role they receive by group membership (e.g., Entra ID groups).

  • SCIM user and group provisioning is already in place or planned.

This documentation describes how to configure SSO for the Web Console using SCIM.

Initial System Admin

Before you can configure SSO, SCIM, or Group Mapping, HP creates a dedicated initial System Admin account for your organization. This account is used to perform the one‑time setup of your HP Insights environment.

  1. HP Insights invites the initial System Admin who is responsible for configuring group and role mappings in HP Insights.

  2. After the invitation is sent, the System Admin account appears in the web console under Users > System Users.

  3. The invited System Admin receives an email and must sign in to HP Insights to complete setup and begin configuring access and permissions.

Configuring SSO with SCIM 

After the invited initial internal System Admin signs in to the HP Insights web console, they can proceed to configure SSO with SCIM.

Step 1: Set up Authentication Providers

Before enabling Single Sign‑On (SSO), you must configure an authentication provider to connect HP Insights to your organization’s external Identity Provider (IdP). This allows administrators to sign in using their existing corporate credentials instead of locally managed passwords.

Authentication providers are configured in the web console under Account Settings > Settings.

Pharos Cloud supports the following authentication methods:

OpenID Connect (OIDC)

Use OpenID Connect to integrate with modern identity providers that support OIDC, such as Microsoft Entra ID. This option provides a standards‑based approach to authentication and token management.

For detailed instructions, see Configuring OpenID Authentication Provider.

SAML 2.0

Use SAML 2.0 to integrate with identity providers that support SAML‑based Single Sign‑On. This option is commonly used in enterprise environments that already have SAML configured.

For configuration steps, refer to Configuring SAML-Based Single Sign-On (SSO) in Microsoft Entra ID

Once an authentication provider is configured, administrators can authenticate through the external IdP, which is required before enabling features such as Admin SSO and group‑based access control.

Step 2: Set up Friendly URL

A Friendly URL provides users with a straightforward web address for accessing the HP Insights Web Console via Single Sign-On (SSO). This not only simplifies the login process for users but also makes it easier for administrators to communicate the correct login procedure across the organisation.

  1. Navigate to Account Settings > Settings tab.

  2. Locate the Friendly URL Section. Enter a Custom URL Segment. Type in a unique and easy-to-remember URL segment.

  3. Save the settings to apply the Friendly URL.

  4. Share the new SSO login URL with the system users. They can now use this address to access the Web Console through SSO.

Step 3: Set up User and Group Sync

HP Insights supports the automatic provisioning of users and groups from identity providers using the System for Cross-domain Identity Management (SCIM) protocol. SCIM is an open standard automating user provisioning for organizations by communicating employee identity data from identity providers (IdP) to service providers.

SCIM (System for Cross-domain Identity Management) is required for SSO (Single Sign-On) configuration in HP Insights because it automates and secures the management of user identities and groups between your Identity Provider (IdP), such as Microsoft Entra ID , and the HP InsightsWeb Console. While SSO enables users to log in with their existing organisational credentials, SCIM ensures that the correct users and groups are synchronised and provisioned in HP Insights without manual intervention.

HP Insights supports the following identity providers. For instructions on how to set up SCIM, select your identity provider from the list below:

Step 4: Map SCIM-synced groups to HP Insights roles.

In this step, you map SCIM‑synchronized identity provider (IdP) groups to HP Insights administrator roles. Group Mapping links user groups from your external identity provider (IdP), such as Microsoft Entra ID, to administrator roles inHP Insights. This allows administrator access to the web console to be managed automatically through group membership when users sign in with SSO.

At sign-in, HP Insights determines admin permissions based on the user’s IdP group membership and the configured mappings.

Note: Only IT Admin and System Admin roles can view and manage group mappings.

  1. Navigate to the Users > Group Mapping tab.

  2. Click the Create button.

  3. In the Role Mapping Properties panel, choose the group you want to map. Once SCIM is enabled and configured to your IdP (e.g., Entra ID), users and groups are imported from the IdP into HP Insights.

  4. Select the Role you want to assign to this group.

  5. Apply the changes.

For more information, refer to the Group Mapping document.

Step 5: Enable SSO Sign-in for System Users

Once authentication, SCIM sync, and group mappings are configured, you can proceed to enable Single Sign-On (SSO) for System Users in HP Insights.

  1. Go to Account Settings > Settings > Admin SSO.

  2. Toggle the Enable SSO Sign-in for System Users to ON.

This allows administrators to access the web Console using the shared SSO URL.

Note: The Enable SSO Sign-in for System Users option is disabled until Steps 1 through 4 have been successfully configured.

Step 6: Test SSO Sign-In

To verify that Single Sign-On (SSO) is functioning correctly for system users, follow these steps:

  1. Navigate to Account Settings > Settings > Admin SSO.

  2. Copy the Sign-in URL provided on this page and paste it into your web browser. This action will open the SSO Login Page.

  3. When prompted, enter your identity credentials as required by the authentication provider.

  4. After successful authentication, you will be logged into HP Insights.