Setting Up OpenID Connect Identity Provider for IDP
Single Sign-On (SSO) allows your users to access Retarus services using their existing corporate credentials. This removes the need to manage separate passwords and streamlines the login experience. By integrating your Identity Provider with Retarus IDP, you enable seamless authentication and ensure users automatically receive the appropriate permissions based on their roles.
To set up Single Sign-On (SSO) with Retarus IDP, provide the following information from your Identity Provider (IdP).
Discovery Endpoint
This endpoint (the IdP's OpenID Connect discovery document) publishes the metadata required for the integration, such as the authorization endpoint, the token endpoint and the JWKS URI used to verify token signatures.
Example
{
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "subject_types_supported": [
    "pairwise"
  ]
}
Client ID and Client Secret
Create these credentials in your Identity Provider (e.g., as an application registration in Entra ID). Retarus uses them to authenticate its requests to your IdP.
Roles and Group Claims
Specify which role and group claims your IdP includes in the access token. Retarus uses this information to configure the role mappings in Keycloak.
Example
{
  "roles": ["admin", "editor", "viewer"]
}
Sample ID Token
If available, provide a sample ID token. It contains the user information sent during login and helps validate the configuration.
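As an added example (not Retarus's own tooling), the following Python script checks a discovery document for the required endpoints and inspects a constructed sample ID token for issuer, audience, expiry and the role claim before it is handed over. The discovery values, client ID and token contents are placeholders, and the token is decoded without signature verification because it is only reviewed, not trusted.

```python
import base64
import json

# Constructed discovery document (subset); {tenant} is a placeholder, not a real tenant.
DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/{tenant}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
}


def check_discovery(doc):
    """Return the problems found: a required field is missing or an endpoint is not HTTPS."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if not value:
            problems.append(f"missing {key}")
        elif not value.startswith("https://"):
            problems.append(f"{key} not https")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned sample ID token (header.payload.placeholder) for review."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(id_token):
    """Read the JWT payload WITHOUT verifying the signature; real tokens are verified against jwks_uri."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_id_token(id_token, issuer, client_id, now):
    """Check iss, aud and exp of the sample token; return (problems, roles claim)."""
    c = decode_claims(id_token)
    problems = []
    if c.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = c.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems, list(c.get("roles", []))
```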
Once you supply these details, Retarus configures the integration, verifies the claims, and maps roles so that your users can authenticate with their existing credentials and automatically receive the correct permissions.