Styra DAS supports OpenID Connect for Single Sign On (SSO). Configure SSO using the following settings:
- Under WORKSPACE on the left-hand navigation panel, click
- Click the Access Control tab.
- Click Single Sign-On Providers.
- Click the OpenID Connect tab.
When you click Add OpenIDConnect Provider to create a new SSO provider, you must provide the following details:
- Provider name: The name for your identity provider setting, for example: "Corporate Okta". This name is visible to users on the login page.
- Issuer URL: Your identity provider.
- Client ID: Your identity provider.
- Client Secret: Your identity provider.
- Allowed Domains: The allowed authentication domain(s) of your users. For example, tenant.com. If the identity provider supports multiple domains, only users with these domains are allowed to access the service.
- Scopes: The scopes that will be requested from the identity provider. By default, Styra will request the
The email scope is REQUIRED if your identity provider does not return an email in any of the returned claims.
- Invited users only: If enabled, the authenticated user must have a pre-existing account in the service. If disabled, a new user account will be created just-in-time for any authenticated user, as long as the user's domain matches one of the allowed domains, and the identity provider has assigned this user to the Styra application.
- Enabled: Set it to
Styra DAS supports using an SSO custom claim to uniquely identify a user rather than using the default
unique_claim field in /v1/identity-providers to specify the SSO claim to be used as the unique identifier instead of the SSO user's email. If not set, Styra DAS will continue to use the value from the
When configuring a unique_claim value, the associated value for allowed_domains must be set to
Styra DAS admins must be careful to set the unique_claim to an SSO claim that is unique for every user. Otherwise, multiple SSO-authenticated users may get assigned the same User ID within Styra DAS.
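One way to check a candidate claim before setting unique_claim is to audit ID tokens collected from test logins for missing or colliding values. This is an added example, not Styra code: the `employee_id` claim, the helper names and the sample tokens are constructed for illustration, and treating values that differ only by case as a collision is a conservative assumption.

```python
import base64
import json
from collections import defaultdict


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature.
    Only for offline inspection of tokens issued to your own test users."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_unique_claim(claim_sets, claim):
    """Report users lacking a usable `claim` and values shared by several users.
    Users are labelled by their `sub` claim."""
    missing, seen = [], defaultdict(list)
    for claims in claim_sets:
        who = claims.get("sub", "<no sub>")
        value = claims.get(claim)
        if not isinstance(value, str) or not value.strip():
            missing.append(who)  # absent, empty, or non-string (e.g. a list)
            continue
        # Assumption: values differing only by case/whitespace count as a collision.
        seen[value.strip().lower()].append(who)
    collisions = {v: users for v, users in seen.items() if len(users) > 1}
    return {"claim": claim, "missing": missing, "collisions": collisions,
            "safe": not missing and not collisions}


def _make_token(claims):
    """Build an unsigned sample token (constructed test data, not a real IdP token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample: two users share a mailbox, one user has no employee_id.
SAMPLE_TOKENS = [_make_token(c) for c in (
    {"sub": "00u1", "email": "alice@tenant.com", "employee_id": "E-1001"},
    {"sub": "00u2", "email": "shared@tenant.com", "employee_id": "E-1002"},
    {"sub": "00u3", "email": "Shared@tenant.com", "employee_id": "E-1003"},
    {"sub": "00u4", "email": "dave@tenant.com"},
)]

if __name__ == "__main__":
    claim_sets = [jwt_claims(t) for t in SAMPLE_TOKENS]
    for candidate in ("sub", "email", "employee_id"):
        print(audit_unique_claim(claim_sets, candidate))
```

A claim is a reasonable unique_claim candidate only when the report shows no missing users and no collisions across a representative set of accounts.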