SSO

Single sign-on (SSO) enables users to access the platform quickly and efficiently.

The SSO integration supports OpenID Connect, using the Authorization Code Flow with PKCE.

If your company uses several email domains, you can register multiple domains and subdomains for the integration, but each domain can be handled by only one authorization server (identity provider).

Important

  • Integration for shared email domains is not supported.
  • Users with SSO enabled cannot use or change their local password.
  • Even if SSO is enabled, users still need to be created (and assigned permissions) on the platform.

SSO integration applies globally to all users with email addresses in a configured domain, not per tenant. For example, configuring onekey.com covers everyone with email addresses ending in @onekey.com.

SSO setup

Configure the authorization server (identity provider) for the ONEKEY platform, with the following:

  • Authorization Code Flow (response_type: code)
  • Scope: "openid email"
  • Redirect URI: https://app.eu.onekey.com/callback
  • PKCE challenge method: S256

Info

The ID token returned by the token endpoint must contain the email claim, which must match the registered email on the ONEKEY platform.

Once you have finished the configuration, open a support ticket with the following information:

  • Client ID
  • Client Secret
  • The Authority URL where the OpenID Provider Configuration is located

Authority URL?

The .well-known/openid-configuration URL as specified by OpenID Connect. For example, for AzureAD it is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration.
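The pieces the setup steps above ask for, tied together as an added Python example; this is not the ONEKEY platform's own code. It reads a discovery document of the kind served at the Authority URL, builds the S256 PKCE pair and the authorization request (response_type code, scope "openid email", the platform's redirect URI), and applies the page's rules to the ID-token claims: the email claim must be present, its domain must be a configured SSO domain served by exactly one issuer, and the user must already exist on the platform. The discovery document, issuer hosts, client ID and user list are constructed placeholders; signature and expiry validation of the ID token is assumed to happen before check_id_token_claims is called.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed sample discovery document, shaped like the JSON an OpenID
# Provider serves at /.well-known/openid-configuration. Hosts are placeholders.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.invalid/tenant-placeholder/v2.0",
    "authorization_endpoint": "https://idp.example.invalid/tenant-placeholder/oauth2/v2.0/authorize",
    "token_endpoint": "https://idp.example.invalid/tenant-placeholder/oauth2/v2.0/token",
    "code_challenge_methods_supported": ["S256", "plain"],
    "scopes_supported": ["openid", "email", "profile"],
})

REDIRECT_URI = "https://app.eu.onekey.com/callback"  # value from the setup steps
SCOPE = "openid email"                                 # value from the setup steps

# Constructed mapping: each configured email domain is served by exactly one
# authorization server, so a domain maps to a single expected issuer.
DOMAIN_TO_ISSUER = {
    "onekey.com": "https://idp.example.invalid/tenant-placeholder/v2.0",
}


def parse_discovery(doc_json):
    """Extract the endpoints from a discovery document and confirm the
    provider advertises the S256 challenge method the platform requires."""
    doc = json.loads(doc_json)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(f"discovery document lacks an https {key}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    return doc


def make_pkce_pair():
    """RFC 7636 S256: random verifier, challenge = BASE64URL(SHA256(verifier))."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def pkce_challenge_matches(verifier, challenge):
    """The check the token endpoint performs when the verifier is presented."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return hmac.compare_digest(expected, challenge)


def build_authorization_url(doc, client_id, code_challenge, state):
    """Authorization Code Flow request with PKCE, as the setup steps specify."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def check_id_token_claims(claims, registered_emails):
    """Apply the page's rules to already-verified ID-token claims.
    Returns (True, normalized_email) or (False, reason)."""
    email = claims.get("email")
    if not email or "@" not in email:
        return False, "ID token lacks an email claim"
    email = email.lower()
    domain = email.rsplit("@", 1)[1]
    expected_issuer = DOMAIN_TO_ISSUER.get(domain)
    if expected_issuer is None:
        return False, f"domain {domain} is not configured for SSO"
    if claims.get("iss") != expected_issuer:
        return False, "token issuer is not the provider configured for this domain"
    if email not in registered_emails:
        return False, "user must be created on the platform before SSO login"
    return True, email


if __name__ == "__main__":
    doc = parse_discovery(SAMPLE_DISCOVERY_DOC)
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url(doc, "client-id-placeholder", challenge, secrets.token_urlsafe(16)))
    print(check_id_token_claims({"iss": doc["issuer"], "email": "Alice@onekey.com"}, {"alice@onekey.com"}))
```

The verifier is kept by the client between the authorization request and the token request; the state value guards the callback against cross-site request forgery. Because the domain lookup returns a single issuer, a token for a configured domain minted by any other provider is rejected, which is the practical meaning of "one domain, one authorization server".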