OpenID connect - IDP setup

OpenID Connect (OIDC) is an open identity authentication protocol that works on top of the OAuth 2.0 framework. OIDC allows individuals to use SSO to access relying party sites.

This guide explains how users can configure their OpenID Connect (OIDC) settings with their identity provider.

Below is an example with Okta.

STEP 1: Create a New OpenID Application

Create a new OpenID Connect application with Okta that you can use as the Identity Provider for users.

STEP 2: Go to the Admin Portal ➜ SSO

STEP 3: Configure IDP

Choose Open ID Connect as IDP method and copy the Redirect URI.

Use Redirect URI from the Admin portal as Sign-in redirect URIs on Okta:

Get the Client ID and secret from your Okta application and insert them in the Admin portal OpenId configuration.

OpenID Connect parameters overview:

Configuration Description

  • Issuer URL - This is a URL that is given by the IDP. This URL provides instructions on how to communicate with the IDP. If you are unsure you have the right URL, insert in in the issues URL field and it will be validated automatically.
  • Client ID - The clientId is given by the IDP. This allows the IDP to identify who is requesting to authenticate.
  • Secret Key - The secret key allows authentication with the IDP to validate the user who tries to log in. It must correspond to the secret key inserted for the clientId.
  • Redirect URI - This is a pre-configured value that lets the IDP know where it should return the user after the user is authenticated within the IDP. The redirect URI value must be configured in the IDP itself.

STEP 4: Claim Domain

After configuring the identity provider, you will need to claim one or more domains for the account. This step is required in order to avoid abuse of a domain.

The domain is the same domain you login with. For example, ours would be streamkap.com

The domain needs to be claimed by copying the TXT record and applying it to your DNS provider. If you cannot obtain access to your organization's DNS, please contact your application Administrator.

You can configure multiple domains for an account. This can be useful if you're using multiple environments for development or multiple production applications on separate domains and need the SSO connection to cover several domains.

STEP 5: Manage Authorization

Select which roles should be assigned to SSO users by default and map IDP groups to specific roles. Roles you assign to users through SSO will apply regardless of whatever additional roles you assign to those users.

Default SSO Roles

Assign default roles to all SSO users by adding one or more Frontegg roles from your list of predefined roles.

STEP 6: Mapping Groups to Roles (Optional)

Mapping groups to roles with OpenID connect is currently only possible for the application owner via Frontegg APIs or using Frontegg Backoffice.

Step 7: Save the SSO connection

Save the connection and make sure that it is enabled

Now all users with the domain that was configured for the connection, will be redirected to their IDP when they will try to sign in.