SSO Application--Customize (OIDC)

Owned by SUPPORT
Last updated: Nov 15, 2024
4 min read

Through custom SSO, you can conveniently add the required IdPs according to your own needs. Currently, we support the common IdPs based on OpenID Connect. The following will take the well-known KeyCloak as an example to illustrate the detailed configuration.

SSO Application--Customize (OIDC)

  1. Login to your KeyCloak portal.

  2. Click Create Realm to create a realm.

image-20241113-025844.png

  1. Give your realm a name, and then click Create.

image-20241113-030331.png

  1. Under the new Realm, go to Clients to create a client.

  1. In the General settings, select OpenID Connect as the Client type, customize your Client ID, then click Next.

  1. In the Capability config, turn on the Client authentication and Authorization. For the Authentication flow, select the Standard flow, Direct access grants, Implicit flow, and Service accounts roles. Then click Next.

  1. In the Login settings, fill in Valid redirect URIs. Then click Save.

Valid redirect URIs can be acquired in CX system. You need to set the name of your custom Application first, because the Authorized Redirect URL will be generated according to your App Name.

  1. Obtain the Client ID and Client Secret.

  1. Enter the Client ID and Client secret.

  1. Under the new Realm, you need to create a user for SSO login.

  • Go to Users to create a new user.

  • Enter the user's name then click Create.

  • Set a password for the user.

  1. Go to https://{your_keycloak_domain}/realms/{realmname}/.well-known/openid-configuration to get URL information for CX system connection.

  1. In the Scope input box, you can fill in openid,profile,email.

  • Scope indicates the value ​​that the CX system is allowed to obtain from KeyCloak. openid is required. For other scopes you want to add, you can copy from KeyCloak > Realm > Client scopes.

  • Each scope is separated by a comma and cannot contain any space ahead of or behind the comma.

  1. Select the tenants that will be allowed to use this custom application for SSO login.

  1. If you select Allow the system administrator to use this connection, the system administrator and other tenants who do not have subdomains enabled can use this custom application.

  2. Turn on the Application and then click Save.

Single Sign-On Using

  1. Click User Avatar, and select Edit Profile > Security Setting

  2. Select KeyCloak and click Connect button.

  1. If you have been bound to the KeyCloak account, you can log in the platform by KeyCloak account directly.