SSO Authentication
OpenID Connect (OIDC)
Connect any OIDC 1.0-compliant provider, such as a self-hosted Keycloak, Auth0, or PingFederate instance.
OpenID Connect (OIDC)
Use this for any OIDC 1.0-compliant provider that isn't covered by the dedicated Google/Microsoft/GitHub social options (for example, a self-hosted Keycloak, Auth0, or PingFederate instance).
-
In your IdP, register a new confidential OIDC client/application.
-
Set the Redirect URI to the Callback URL (
https://api.safeguard.sh/auth/api/v1/sso/callback). -
Collect the Authorization endpoint, Token endpoint, and UserInfo endpoint URLs (most providers publish these on a
/.well-known/openid-configurationdiscovery document), plus the Client ID and Client Secret. -
In Safeguard, click Add Provider → OpenID Connect and fill in:
Field Value Alias URL-safe id, e.g. keycloak,auth0Display Name Shown on the login screen Authorization URL From step 3 Token URL From step 3 User Info URL From step 3 Client ID From step 3 Client Secret From step 3 Default Scopes Defaults to openid profile email— leave as-is unless your provider requires more -
Click Save, then Test.