Through custom SSO, you can add the IdPs you need. Currently, we support common IdPs based on OpenID Connect. The following uses the well-known Keycloak as an example to illustrate the detailed configuration.
Log in to your Keycloak portal.
Click Create Realm to create a realm.
Give your realm a name, and then click Create.
Under the new Realm, go to Clients to create a client.
In the General settings, select OpenID Connect as the Client type, customize your Client ID, then click Next.
In the Capability config, turn on Client authentication and Authorization. For Authentication flow, select Standard flow, Direct access grants, Implicit flow, and Service accounts roles. Then click Next.
In the Login settings, fill in Valid redirect URIs. Then click Save.
The value for Valid redirect URIs comes from the CX system. Set the name of your custom Application first, because the Authorized Redirect URL is generated from your App Name.
Obtain the Client ID and Client Secret.
Enter the Client ID and Client Secret in the CX system.
Under the new Realm, you need to create a user for SSO login.
Go to Users to create a new user.
Enter the user's name, then click Create.
Set a password for the user.
Go to https://{your_keycloak_domain}/realms/{realmname}/.well-known/openid-configuration to obtain the URL information needed for the CX system connection.
In the Scope input box, fill in openid, profile, email.
The scope determines which claims the CX system is allowed to obtain from Keycloak. openid is required; profile and email are optional.
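The following is an added example, not code from the CX system or from Keycloak. It parses a discovery document of the shape Keycloak serves at /realms/{realmname}/.well-known/openid-configuration, checks that the issuer matches the expected realm URL and that the endpoints the connection relies on are present over HTTPS, verifies that the requested scopes (openid mandatory, profile and email optional) are advertised, and then builds the authorization request. The hostname keycloak.example.test, the realm name cx-sso, the client ID, the redirect URI and the discovery JSON itself are all constructed placeholders, and the use of the authorization code flow (Keycloak's Standard flow) is an assumption about the CX system, not something the page states.

```python
import json
from urllib.parse import urlencode

# Constructed sample discovery document shaped like Keycloak's
# /realms/{realmname}/.well-known/openid-configuration response.
# Host and realm are placeholders, not a real deployment.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.test/realms/cx-sso",
    "authorization_endpoint": "https://keycloak.example.test/realms/cx-sso/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/realms/cx-sso/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example.test/realms/cx-sso/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.example.test/realms/cx-sso/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "roles"],
    "response_types_supported": ["code", "id_token", "token id_token"],
})

# Endpoints the relying party needs for login, token exchange, claims and key retrieval.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_discovery(document, expected_issuer):
    """Parse the discovery JSON and validate the fields the SSO connection depends on."""
    doc = json.loads(document)
    # The issuer must equal https://{domain}/realms/{realmname} exactly; a mismatch
    # means the document was fetched from the wrong realm or the wrong host.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        # Refuse plaintext endpoints: tokens and the client secret travel over these URLs.
        if not isinstance(url, str) or not url.startswith("https://"):
            raise ValueError(f"missing or non-HTTPS {key}")
    result = {key: doc[key] for key in REQUIRED_ENDPOINTS}
    result["scopes_supported"] = list(doc.get("scopes_supported", []))
    return result


def check_scopes(discovery, requested):
    """Return requested scopes the IdP does not advertise; openid itself is mandatory."""
    if "openid" not in requested:
        raise ValueError("the openid scope is required for OpenID Connect")
    supported = set(discovery["scopes_supported"])
    return [scope for scope in requested if scope not in supported]


def build_authorization_url(discovery, client_id, redirect_uri, scopes, state, nonce):
    """Build an authorization code request (assumed flow); state and nonce are caller-generated
    random values that bind the callback to this request and the ID token to this login."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match a Valid redirect URI on the Keycloak client
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    disc = load_discovery(SAMPLE_DISCOVERY, "https://keycloak.example.test/realms/cx-sso")
    print("unsupported scopes:", check_scopes(disc, ["openid", "profile", "email"]))
    print(build_authorization_url(disc, "cx-client", "https://cx.example.test/sso/callback",
                                  ["openid", "profile", "email"], "state-placeholder", "nonce-placeholder"))
```

Run against a real deployment by replacing SAMPLE_DISCOVERY with the body fetched from your own discovery URL; the issuer check is what catches a discovery document fetched from the wrong realm before the Client ID and Client Secret are ever sent to it.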
Select the tenants that will be allowed to use this custom application for SSO login.
Only tenants with subdomains and SSO permissions enabled can be selected.
If you select Allow the system administrator to use this connection, the system administrator and tenants that do not have subdomains enabled can also use this custom application.
Turn on the Application and then click Save.