Generic | OIDC

1. Display name

Choose a name for your identity provider. This name is shown to your users, so choose one they will recognize. The value can be changed later.


2. Redirect Mode

Select how the user will be redirected to the identity provider. You may configure more redirect modes after completing the setup.


3. Prepare IdP


Copy the callback URL and add it to the corresponding field in your identity provider. This is typically done when you create a new “Client” application / Relying Party on the identity provider. The name of the field varies, but it is usually called reply URL, redirect URI or redirect_uri. This is the URL the identity provider redirects the user back to after the user has authenticated with their credentials. Register the callback URL exactly as shown: OpenID Connect requires the redirect_uri sent in each authentication request to match a pre-registered value by simple string comparison, so a different scheme, host, port or trailing path will make the identity provider reject the login. You can read more about this field in the OpenID Connect Core specification under 3.1.2.1 Authentication Request.

4. Metadata

Kantega SSO requires a metadata URL from your identity provider to obtain the information it needs about the provider's configuration for the OIDC authorization code flow. In the OpenID Connect specification this process is called Discovery: the client dynamically discovers information about the identity provider instead of having every endpoint entered by hand.
The metadata URL typically has the form https://<idp-server-url>/.well-known/openid-configuration and returns a JSON document describing what the client needs to perform the steps of the protocol. Use an https URL only: everything Kantega SSO learns about the provider, including where to fetch the keys used to verify ID token signatures, comes from this document. The values typically found in the metadata document are listed below:

5. Scopes

These are the scopes we were able to fetch from the metadata (the scopes_supported field). You can add scope values from the list, start typing to add your own, or unselect them. At least one scope value is required, and the openid scope must always be included: OpenID Connect requires it in every authentication request, and without it the authorization code flow does not return an ID token at all. Scopes such as profile and email control which claims the identity provider releases, so request only the ones you need.
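The following is an added example (not Kantega SSO's own code) of what a Relying Party should check in the discovery document from step 4 before trusting it, and of how the scopes and callback URL from steps 3 and 5 end up in the authentication request. SAMPLE_METADATA is a constructed document standing in for what the well-known URL would return; the issuer idp.example.com, the client ID kantega-sso and the callback URL https://jira.example.com/oidc/callback are hypothetical.

```python
"""Validate an OpenID Connect discovery document and build the authentication
request that starts the authorization code flow.

Added example, not Kantega SSO's own code. Issuer, client ID and callback
URL are hypothetical; SAMPLE_METADATA is a constructed discovery document.
"""
import json
from urllib.parse import urlencode, urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# OpenID Connect Discovery 1.0 section 3 marks these as REQUIRED; jwks_uri is
# where the client fetches the keys that verify ID token signatures.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "jwks_uri", "response_types_supported")

# Constructed sample metadata for a hypothetical issuer.
ISSUER = "https://idp.example.com/realms/demo"
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer: str) -> str:
    """Well-known location of the metadata for an issuer (Discovery section 4.1)."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(metadata_url: str, document: str) -> dict:
    """Parse the document and reject anything the code flow cannot safely use."""
    if not metadata_url.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {metadata_url}")
    md = json.loads(document)
    missing = [f for f in REQUIRED_FIELDS if f not in md]
    if missing:
        raise ValueError(f"metadata lacks required fields: {missing}")
    # Discovery section 4.3: the issuer value MUST be identical to the issuer
    # the URL was built from. A mismatch means a proxy, a typo or a
    # misconfigured tenant handed us someone else's configuration.
    expected_issuer = metadata_url[: -len(WELL_KNOWN)]
    if md["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: {md['issuer']!r} != {expected_issuer!r}")
    # Endpoints and the key set are trust roots; never accept them over http.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(md[field]).scheme != "https":
            raise ValueError(f"{field} is not https: {md[field]}")
    if "code" not in md["response_types_supported"]:
        raise ValueError("provider does not advertise response_type=code")
    return md


def supports_client_secret_basic(md: dict) -> bool:
    """Discovery section 3: when the list is omitted the default is client_secret_basic."""
    methods = md.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return "client_secret_basic" in methods


def check_scopes(md: dict, requested: list) -> list:
    """Return the requested scopes the provider does not advertise.

    'openid' is mandatory in every OpenID Connect request (Core section 3.1.2.1).
    scopes_supported is only RECOMMENDED, so an absent list cannot be checked.
    """
    if "openid" not in requested:
        raise ValueError("scope must include openid for an OpenID Connect request")
    advertised = md.get("scopes_supported")
    if advertised is None:
        return []
    return [s for s in requested if s not in advertised]


def authorization_request(md: dict, client_id: str, redirect_uri: str,
                          scopes: list, state: str, nonce: str) -> str:
    """Build the authentication request URL (Core section 3.1.2.1).

    redirect_uri must be byte-for-byte the callback URL registered at the
    provider; state and nonce must be fresh, unguessable per-login values.
    """
    check_scopes(md, scopes)  # raises if openid is missing; unadvertised scopes are allowed
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    separator = "&" if "?" in md["authorization_endpoint"] else "?"
    return md["authorization_endpoint"] + separator + urlencode(params)


if __name__ == "__main__":
    md = validate_metadata(discovery_url(ISSUER), SAMPLE_METADATA)
    print("client_secret_basic accepted:", supports_client_secret_basic(md))
    # Hypothetical client ID and callback URL, as pasted into the setup wizard.
    print(authorization_request(md, "kantega-sso", "https://jira.example.com/oidc/callback",
                                ["openid", "email"], state="s1", nonce="n1"))
```

The issuer comparison is the check most often skipped by hand-rolled clients; it is what stops a discovery document served from the wrong host (or the wrong tenant of a multi-tenant provider) from quietly pointing the client at someone else's token endpoint and signing keys.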


Configure Other Identity Provider

EXTERNAL

Kantega SSO authenticates to the identity provider's token endpoint with the client_secret_basic method, i.e. the client ID and client secret are sent as HTTP Basic credentials when the authorization code is exchanged for tokens. Some identity providers must be configured to accept this method for the client before they will accept requests from Kantega SSO. For example, in an IdP like Keycloak this client authentication mode has to be specifically selected:

To register Kantega SSO as an OpenID Connect Client on your identity provider, you must create a “client” on your tenant and obtain its client ID. The client will usually also need credentials for authenticated access; these can usually be found under a page called “Credentials” or “Secrets”.

Go back to the Kantega SSO setup wizard, and paste these values into the GUI of the setup wizard.

6. Credentials


(Note that only the client ID is strictly required on the client side. We recommend registering a confidential client with a client secret, but public clients are supported as well; in that case leave the Client secret field empty. Without a secret the identity provider cannot authenticate Kantega SSO when it exchanges the authorization code, so an exact-match callback URL registration matters even more.)
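The client_secret_basic method described under Configure Other Identity Provider, and the public-client case in the note above, differ only in how the token request is built. The block below is an added example, not Kantega SSO's or any identity provider's own code; the client ID kantega-sso, the secret, the authorization code and the callback URL are hypothetical. It shows the credential encoding RFC 6749 section 2.3.1 actually requires (form-urlencode, then base64), the naive encoding that breaks on secrets containing a colon, and how the token endpoint decodes the header.

```python
"""Build the token-endpoint request for a confidential client using
client_secret_basic, and for a public client with no secret, and decode the
credentials the way the identity provider does.

Added example, not Kantega SSO's own code. Client ID, secret, authorization
code and callback URL are hypothetical.
"""
import base64
from urllib.parse import quote_plus, unquote_plus, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic credentials (OIDC Core section 9, RFC 6749 section 2.3.1).

    Both values are form-urlencoded before being joined with ':' and
    base64-encoded, so a secret containing ':' or non-ASCII characters
    survives the round trip.
    """
    userpass = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def naive_basic_auth_header(client_id: str, client_secret: str) -> str:
    """The common mistake: raw id:secret, ambiguous once either contains ':'."""
    userpass = client_id + ":" + client_secret
    return "Basic " + base64.b64encode(userpass.encode("utf-8")).decode("ascii")


def parse_basic_credentials(header: str) -> tuple:
    """What the token endpoint does: split on the first ':' and decode each part."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return unquote_plus(user), unquote_plus(password)


def token_request(token_endpoint: str, code: str, redirect_uri: str,
                  client_id: str, client_secret: str = None) -> dict:
    """HTTP request that exchanges an authorization code (RFC 6749 section 4.1.3).

    redirect_uri must be identical to the one sent in the authentication
    request. With a secret the client authenticates via the Authorization
    header; a public client only identifies itself with client_id in the
    body, so the provider cannot verify who is redeeming the code.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
    return {"method": "POST", "url": token_endpoint, "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    # Hypothetical values standing in for what the setup wizard holds.
    endpoint = "https://idp.example.com/realms/demo/protocol/openid-connect/token"
    callback = "https://jira.example.com/oidc/callback"
    confidential = token_request(endpoint, "SplxlOBeZQQYbYS6WxSbIA", callback, "kantega-sso", "s3cret")
    public = token_request(endpoint, "SplxlOBeZQQYbYS6WxSbIA", callback, "kantega-sso")
    print("confidential:", confidential["headers"]["Authorization"], confidential["body"])
    print("public:      ", public["body"])
    # A secret with a colon decodes correctly only with the RFC encoding.
    print(parse_basic_credentials(basic_auth_header("acme:jira", "p:ss w/rd")))
    print(parse_basic_credentials(naive_basic_auth_header("acme:jira", "p:ss w/rd")))
```

If a login fails with an "invalid_client" error from the token endpoint even though the ID and secret look right, the two things to verify are that the provider has client_secret_basic enabled for this client and that the secret did not contain characters that a naive encoder mangled.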

7. Summary

Check that everything looks good and submit your setup.


Test

Test that logging in with your identity provider works as expected; this helps identify any issues with the configuration. Follow the steps to perform the login test, then analyze the results on the test results page.