SSO with OIDC
This guide walks you through configuring Single Sign-On (SSO) for the API7 Dashboard using the OpenID Connect (OIDC) protocol. OIDC SSO allows users to authenticate with their existing corporate credentials, eliminating the need for separate dashboard accounts.
How It Works
- The user selects the OIDC login option on the dashboard login page.
- The browser redirects to the IdP authorization endpoint.
- After authentication, the IdP redirects back to the dashboard with an authorization code.
- The dashboard exchanges the code for tokens, retrieves user information, and creates or updates the user account.
- If role and permission boundary mappings are configured, they are applied on each login.
Prerequisites
Before you begin, ensure you have:
- A running API7 Gateway deployment with dashboard access.
- An OIDC-compliant identity provider (e.g., Keycloak, Microsoft Entra ID, Auth0, Okta).
- The following information from your IdP:
- Issuer URL: The OIDC discovery endpoint (without
/.well-known/openid-configuration). - Client ID: The application identifier registered in the IdP.
- Client Secret: The application secret.
- Issuer URL: The OIDC discovery endpoint (without
Step 1: Register API7 Dashboard in Your IdP
Register the API7 Dashboard as an OIDC client application in your identity provider:
-
Create a new application with the Authorization Code grant type (also called "standard flow" or "confidential client").
-
Set the redirect URI to:
https://<DASHBOARD_URL>/api/oidc/<LOGIN_OPTION_ID>/callback.noteThe
LOGIN_OPTION_IDis generated after creating the login option in API7 (Step 2). You may need to return to your IdP to update the redirect URI after completing Step 2. -
Record the Client ID, Client Secret, and Issuer URL for the next step.
See the Provider-Specific Configuration section below for detailed instructions for specific IdPs.
Step 2: Create an OIDC Login Option
- In the API7 Dashboard, navigate to Organization > Settings.
- Click Add Login Option.
- Fill in the configuration:
| Field | Description | Example |
|---|---|---|
| Name | Display name shown on the login page as "Login with {Name}" | Corporate SSO |
| Provider | Select OIDC | — |
| Issuer | Issuer URL of your OIDC provider (without /.well-known/openid-configuration) | https://idp.example.com/realms/my-realm |
| Client ID | Application identifier from your IdP | api7-dashboard |
| Client Secret | Application secret from your IdP | ******** |
| Request Scope | Space-separated list of scopes. openid is required. | openid profile email |
| Root URL | URL users use to access the dashboard. Must match the protocol, host, and port. | https://dashboard.example.com |
| SSL Verify | Whether to verify the IdP's TLS certificate | true |
| Logout URL | IdP's end_session_endpoint URL, optionally with post_logout_redirect_uri | https://idp.example.com/.../logout?post_logout_redirect_uri=https://dashboard.example.com |
| Attributes Mapping | Map IdP claims to API7 user fields: username, email, name | preferred_username, email, name |
- Click Add.
After creation, the login option displays its Callback URL. Copy this URL and register it as a redirect URI in your IdP (if not already done in Step 1).
Step 3: Verify SSO Login
- Sign out of the API7 Dashboard.
- On the login page, you should see a new option: Login with {Name}.
- Click it to authenticate through your IdP.
- After successful authentication, you are redirected back to the dashboard.
The SSO user appears under Organization > Users. By default, the user has no roles assigned and cannot manage resources until you configure role mapping or manually assign a role.
Deleting a user in the Dashboard removes their roles and permission boundaries, but the user can still log in again as a new user. To fully revoke access, remove the user from the IdP.
Configure Role Mapping
Role mapping automatically assigns API7 roles to SSO users based on attributes from the identity provider. This eliminates manual role assignment and keeps permissions synchronized.
Automatic role mappings take precedence over manual role assignments. When mappings are active, any manual changes are overwritten on the user's next login.
Step 1: Expose Role Attributes in Your IdP
Configure your IdP to include role-related attributes in the user info or token claims. The approach varies by IdP:
- User attribute: Add an attribute (e.g.,
position: admin) directly to the user profile. - Group membership: Add the user to a group (e.g.,
api7-admins) and expose group memberships as a claim.
See the Provider-Specific Configuration section for detailed instructions.
Step 2: Enable Role Mapping in API7
- In the API7 Dashboard, navigate to Organization > Settings.
- Select your OIDC login option.
- Enable Role Mapping.
- Configure the mapping rule:
| Field | Description | Example |
|---|---|---|
| Internal Role | The API7 role to assign | Super Admin |
| Role Attribute | JSONPath to the IdP attribute | $.position or $.groups[*] |
| Operation | Comparison method: Exact Match, Contains String, Exact Match in Array, or Contains String in Array | Exact Match |
| Role Value | Expected attribute value | admin |
- Click Enable.
Users with matching attributes are automatically assigned the specified role on their next login.
Permission Boundary Mapping
Permission boundary mapping works the same way as role mapping but assigns permission policies as boundaries instead of attaching roles. Enable Permission Boundary Mapping in the login option settings and configure the mapping rules with the same attribute-matching approach.
Provider-Specific Configuration
Keycloak
IdP Setup
- Create a realm (e.g.,
my-realm). - Create a client (e.g.,
api7-dashboard):- Enable client authentication (confidential access type).
- Enable standard flow (authorization code grant).
- Set the redirect URI to
https://<DASHBOARD_URL>/api/oidc/<LOGIN_OPTION_ID>/callback.
- In the client Credentials tab, copy the Client Secret.
- Create users with passwords as needed.
- In Realm Settings, find the OpenID Connect Discovery link and record:
- The
issuerURL (e.g.,https://keycloak.example.com/realms/my-realm). - The
end_session_endpointURL for the Logout URL.
- The
Attribute Mapping Configuration
| Attribute Mapping | IdP Claim | API7 Field |
|---|---|---|
| username | preferred_username | username |
email | email | |
| name | name | name |
Role Mapping via User Attribute
- Enable Unmanaged Attributes in Realm Settings.
- Navigate to the user's Attributes tab and add a key-value pair (e.g.,
position: admin). - In Client Scopes, select the scope included in your Request Scope (e.g.,
profile). - Add a User Attribute mapper:
- User Attribute:
position - Token Claim Name:
position
- User Attribute:
- In API7, use the mapping rule: Attribute
$.position, OperationExact Match, Valueadmin.
Role Mapping via Group Membership
- Create a group (e.g.,
admin) and add users to it. - In Client Scopes, add a Group Membership mapper:
- Token Claim Name:
groups
- Token Claim Name:
- In API7, use the mapping rule: Attribute
$.groups[*], OperationContains String, Valueadmin.
Microsoft Entra ID (Azure AD)
IdP Setup
- In the Azure portal, go to Microsoft Entra ID > App registrations and register a new application.
- Under Certificates & secrets, create a new client secret and save it.
- Find the OpenID Connect metadata document URL under Endpoints. Extract the issuer URL (e.g.,
https://login.microsoftonline.com/{tenant-id}/v2.0). - Under Authentication, add the redirect URI:
https://<DASHBOARD_URL>/api/oidc/<LOGIN_OPTION_ID>/callback.
Attribute Mapping Configuration
| Attribute Mapping | IdP Claim | API7 Field |
|---|---|---|
| username | preferred_username | username |
email | email | |
| name | name | name |
The issuer URL should not include /.well-known/openid-configuration.
Role Mapping
- Under App roles, create roles (e.g.,
SuperAdmin). - Under Enterprise applications, assign the role to users.
- In API7, use the mapping rule: Attribute
$.roles, OperationExact Match in Array, ValueSuperAdmin.
Auth0
IdP Setup
- Under Applications, create a Regular Web Application.
- Record the Client ID, Client Secret, and Domain (issuer).
- The issuer URL is
https://<DOMAIN>/(include the trailing slash). - Under the application Settings tab:
- Add the callback URL to Allowed Callback URLs.
- Add the dashboard URL to Allowed Logout URLs and Allowed Web Origins.
- Review the discovery document at
https://<DOMAIN>/.well-known/openid-configurationfor theend_session_endpoint.
Attribute Mapping Configuration
| Attribute Mapping | IdP Claim | API7 Field |
|---|---|---|
| username | name | username |
email | email | |
| name | name | name |
Role Mapping
Auth0 requires a post-login Action to include roles in the token claims:
- Under User Management > Roles, create a role (e.g.,
admin) and assign users. - Under Actions > Triggers, create a
post-loginaction:
exports.onExecutePostLogin = async (event, api) => {
const roles = (event.authorization && event.authorization.roles) || [];
const claimName = "https://dashboard.example.com/roles";
api.idToken.setCustomClaim(claimName, roles);
api.accessToken.setCustomClaim(claimName, roles);
};
- Attach the action to the Post Login trigger.
- In API7, use the mapping rule: Attribute
$['https://dashboard.example.com/roles'], OperationExact Match in Array, Valueadmin.
Delete a Login Option
Deleting a login option removes all dashboard users associated with that option.
- Navigate to Organization > Users and verify which users are associated with this login option.
- Navigate to Organization > Settings.
- Click Delete on the login option.
At least one login option must remain enabled at all times. You cannot delete or disable the last remaining enabled login option.