SSO for Dashboard
API7 Dashboard supports Single Sign-On (SSO) to centralize user management and improve security. By integrating with your corporate identity provider (IdP), users can log in to the dashboard using their existing credentials, eliminating the need for separate dashboard accounts.
Supported Protocols
| Protocol | Description | Common Providers |
|---|---|---|
| OIDC | OpenID Connect, a modern OAuth 2.0-based protocol | Keycloak, Microsoft Entra ID, Auth0, Okta |
| SAML | SAML 2.0, an XML-based federation protocol | Microsoft Entra ID, Okta, Ping Identity, ADFS |
| LDAP | Lightweight Directory Access Protocol, direct directory authentication | OpenLDAP, Microsoft Active Directory, FreeIPA |
| CAS | Central Authentication Service | Apereo CAS |
Key Capabilities
- Multiple Login Options: Configure multiple SSO providers simultaneously. Users see all enabled options on the login page.
- Automatic Role Mapping: Map IdP attributes (user fields, group memberships) to API7 roles, synchronized on each login.
- Permission Boundary Mapping: Automatically assign permission policies based on IdP attributes.
- Built-in Login: The built-in username/password login option can coexist with SSO providers or be disabled.
Note: At least one login option must remain enabled at all times. You cannot delete or disable the last remaining enabled option.
Choosing a Protocol
- Use OIDC if your IdP supports it — it is the most widely adopted modern SSO protocol and offers the simplest integration.
- Use SAML if your organization requires SAML 2.0 federation (common in enterprises with Microsoft Entra ID or Okta).
- Use LDAP if you need to authenticate directly against a directory service without browser redirects (e.g., for environments where only CLI or programmatic access is available).
Getting Started
- Configure SSO with OIDC — Recommended for most deployments.
- Configure SSO with SAML — For SAML 2.0 federation requirements.
- Configure SSO with LDAP — For direct directory authentication.