Safeguard.sh Documentation Center
SSO Authentication

OpenID Connect (OIDC)

Connect any OIDC 1.0-compliant provider, such as a self-hosted Keycloak, Auth0, or PingFederate instance.

OpenID Connect (OIDC)

Use this for any OIDC 1.0-compliant provider that isn't covered by the dedicated Google/Microsoft/GitHub social options (for example, a self-hosted Keycloak, Auth0, or PingFederate instance).

  1. In your IdP, register a new confidential OIDC client/application.

  2. Set the Redirect URI to the Callback URL (https://api.safeguard.sh/auth/api/v1/sso/callback).

  3. Collect the Authorization endpoint, Token endpoint, and UserInfo endpoint URLs (most providers publish these on a /.well-known/openid-configuration discovery document), plus the Client ID and Client Secret.

  4. In Safeguard, click Add Provider → OpenID Connect and fill in:

    FieldValue
    AliasURL-safe id, e.g. keycloak, auth0
    Display NameShown on the login screen
    Authorization URLFrom step 3
    Token URLFrom step 3
    User Info URLFrom step 3
    Client IDFrom step 3
    Client SecretFrom step 3
    Default ScopesDefaults to openid profile email — leave as-is unless your provider requires more
  5. Click Save, then Test.

On this page