SSO
Single sign-on enables users to access the platform quickly and efficiently.
The SSO integration supports OpenID Connect using the Authorization Code Flow with PKCE.
If your company uses different email addresses, you can specify multiple domains and subdomains for integration, but a domain can only be handled by one authorization server (identity provider).
Important
- Integration for shared email domains is not supported.
- Users with SSO enabled cannot use or change their local password.
- Users still need to be created (and assigned permissions) on the platform.
The integration is not tenant-specific but can be configured globally for a domain, applying to all users with email addresses within that domain. For instance, the domain onekey.com would cover all emails like user@onekey.com, but not subdomains such as user@sub.onekey.com.
SSO setup
Configure the authorization server (identity provider) for the ONEKEY platform with the following:
- Authorization Code Flow (response_type: code)
- Scope: "openid email"
- Redirect URI: https://app.eu.onekey.com/callback
- PKCE challenge method: S256
Info
The ID token returned by the token endpoint must contain the email claim, which must match the registered email on the ONEKEY platform.
Once you've finished the configuration, open a support ticket with the following information:
- Client ID
- Client Secret
- The Authority URL where the OpenID Provider Configuration is located
Authority URL?
The .well-known/openid-configuration URL as specified by OpenID Connect. For example, for AzureAD it is https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
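The client side of the setup above, as an added illustration that is not ONEKEY's own code: it derives an S256 PKCE challenge, builds the authorization request with response_type=code, scope "openid email" and the platform redirect URI, resolves an email to its configured authorization server with an exact-domain match (so user@sub.example.com is not covered by example.com), and accepts an ID token only when its email claim equals the registered email and its issuer is the one configured for that domain. The domain-to-issuer mapping, client ID and issuer URLs are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed sample mapping of email domains to authorization servers (placeholders, not ONEKEY's real config).
DOMAIN_TO_ISSUER = {
    "example.com": "https://idp.example.com",
    "eu.example.com": "https://idp-eu.example.com",
}


def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh high-entropy verifier and its challenge; generate one pair per login attempt."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def issuer_for_email(email: str) -> Optional[str]:
    """Exact-domain lookup: a subdomain address is NOT covered by the parent domain."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        return None
    return DOMAIN_TO_ISSUER.get(domain.lower())


def build_authorization_url(authorize_endpoint: str, client_id: str, challenge: str, state: str) -> str:
    """Authorization request carrying exactly the parameters this page requires."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": "https://app.eu.onekey.com/callback",  # redirect URI from this page
        "scope": "openid email",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # bound to the browser session to detect forged callbacks
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def id_token_matches_user(claims: dict, registered_email: str) -> bool:
    """Accept a signature-verified ID token only if its email claim equals the user's
    registered email and its issuer is the server configured for that email's domain."""
    email = claims.get("email")
    if not isinstance(email, str) or email.lower() != registered_email.lower():
        return False
    expected = issuer_for_email(email)
    return expected is not None and claims.get("iss") == expected
```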