Skip to content
Kong Logo | Kong Docs Logo
search
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • API
  • Identity Management
  • SSO Customization Options
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Overview
  • Configuration
  • Enable OIDC
    • Scopes
    • Claims
    • Team Mapping

SSO Customization Options

Overview

As an alternative to Konnect’s native authentication, you can set up single sign-on (SSO) access to Konnect using any identity provider (IdP) that uses OpenID Connect. This authentication method allows your users to log in to Konnect using their existing SSO credentials, without needing a separate set of credentials unique to Konnect.

Configuration

In order to configure SSO for your konnect organization, you can leverage the following API call:

$ https --auth "${KONNECT_PAT}" --auth-type bearer PATCH \
  'global.api.konghq.com/v2/identity-provider' \
  issuer='https://myidp.com/oauth2' \
  login_path='example' \
  client_id='example-client-id' \
  client_secret='example-client-secret'
  
{
  "issuer": "https://myidp.com/oauth2",
  "login_path": "example",
  "client_id": "example-client-id",
  "client_secret": "example-client-secret",
  "scopes": [
    "openid",
    "email",
    "profile",
  ],
  "claim_mappings": {
    "name": "name",
    "email": "email",
    "groups": "groups"
  }
}

Enable OIDC

Once the SSO configuration has been set, you can enable the OIDC auth method with the authentication settings endpoint:

$ https --auth "${KONNECT_PAT}" --auth-type bearer PATCH \
  'global.api.konghq.com/v2/authentication-settings' \
  basic_auth_enabled=true
  
{
  "oidc_auth_enabled": true,
  "basic_auth_enabled": true
}

Once OIDC has been enabled. You can verify the configuration is valid by signing on at https://cloud.konghq.com/login/{login_path}.

Scopes

If we’d like to customize the list of scopes sent from the Konnect identity service to your IdP, we can configure the scopes attribute of our IdP configuration.

The openid scope is a required scope value as specified here.

$ https --auth "${KONNECT_PAT}" --auth-type bearer PATCH \
  'global.api.konghq.com/v2/identity-provider' \
  scopes[]='openid' \
  scopes[]='email' \
  scopes[]='profile' \
  scopes[]='custom-data'

{
  "issuer": "https://myidp.com/oauth2",
  "login_path": "example",
  "client_id": "example-client-id",
  "client_secret": "example-client-secret",
  "scopes": [
    "openid",
    "email",
    "profile",
    "custom-data"
  ],
  "claim_mappings": {
    "name": "name",
    "email": "email",
    "groups": "groups"
  }
}

Here we have updated our scopes attribute to include our new custom-data scope.

Claims

If we’d like to customize the mapping of required claim data to different claim values, we can update our claim_mappings attribute with our desired keys.

Given the following claim configuration:

  • Name: sub
  • Email: distinguishedName
  • Groups: domains

We can achieve this with the following request:

$ https --auth "${KONNECT_PAT}" --auth-type bearer PATCH \
  'global.api.konghq.com/v2/identity-provider' \
  claim_mappings[name]='sub' \
  claim_mappings[email]='distinguishedName' \
  claim_mappings[groups]='domains'

{
  "issuer": "https://myidp.com/oauth2",
  "login_path": "example",
  "client_id": "example-client-id",
  "client_secret": "example-client-secret",
  "scopes": [
    "openid",
    "email",
    "profile",
    "custom-data"
  ],
  "claim_mappings": {
    "name": "sub",
    "email": "distinguishedName",
    "groups": "domains"
  }
}

Here we have updated our claim_mappings attribute to reflect our desired data mapping.

Team Mapping

Konnect can automatically map IdP groups to Konnect teams using IdP team mapping.

For now, we can configure our admins to be mapped automatically to the Organization Admin Konnect team.

First we’ll fetch the admin team from Konnect.

$ https --auth "${KONNECT_PAT}" --auth-type bearer GET \
  'global.api.konghq.com/v2/teams?filter[name]=organization-admin'

{
    "data": [
        {
            "created_at": "2023-02-17T17:10:14Z",
            "description": "Allow managing all objects, users and roles in the organization.",
            "id": "06ad9adc-4b57-4c44-a64d-86547a39435b",
            "name": "organization-admin",
            "system_team": true,
            "updated_at": "2023-02-17T17:10:14Z"
        }
    ],
    "meta": {
        "...": {
            "number": 1,
            "size": 10,
            "total": 1
        }
    }
}

Then we can update our IdP group to Konnect team mappings.

$ https --auth "${KONNECT_PAT}" --auth-type bearer PUT  \
  'global.api.konghq.com/v2/identity-provider/team-mappings' \
  mappings:='[{"group":"company.konnect.admins","team_ids":["06ad9adc-4b57-4c44-a64d-86547a39435b"]}]'

{
    "mappings": [
        {
            "group": "company.konnect.admins",
            "team_ids": [
                "06ad9adc-4b57-4c44-a64d-86547a39435b"
            ]
        }
    ]
}

Here we have updated our claim_mappings attribute to reflect our desired data mapping of the company.konnect.admins group to the organization-admin Konnect team.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Gateway Enterprise Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2023