Skip to content
|
Kong Konnect
github-edit-pageEdit this page
report-issueReport an issue

Configure generic SSO for Dev Portal

You can configure single sign-on (SSO) for Konnect Dev Portal with OpenID Connect (OIDC) or SAML. This allows developers to log in to Dev Portals by using their IdP credentials, without needing a separate login.

This page provides general instructions for configuring SSO across identity providers. See Set Up SSO with Okta for specific instructions on setting up SSO with Okta.

Keep the following in mind when configuring SSO for Dev Portal:

  • Developers are auto-approved by Konnect when they use SSO to log in to the Dev Portal. This is because Kong outsources the approval process to the IdP instance when using SSO. Therefore, you should restrict who can sign up from the IdP rather than through Konnect.
  • If you plan on using team mappings from an IdP, they must be from the same IdP instance as your SSO.
  • If you have multiple Dev Portals, keep in mind that each Dev Portal has a separate SSO configuration. You can use the same IdP for multiple Dev Portals or different IdPs per Dev Portal.
  • Dev Portal SSO is different than the SSO for Konnect. If you want to use SSO to log in to Konnect, you must configure that separately.

It is recommended to use a single authentication method, however, Konnect supports the ability to combine built-in authentication with either OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing the configurations in these guides.

Prerequisites

  • Konnect must be added to your IdP as an application
  • Users that need to use SSO are added to your IdP tenant
  • Claims are set up in your IdP

Set up SSO in Konnect

The Konnect OIDC integration allows you to configure various identity providers. While technically any OIDC-compliant provider can be used, the following have been verified:

  • Okta
  • Azure Active Directory
  • Oracle Identity Cloud Service
  • Keycloak

  1. In Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.

  2. Click Configure for OIDC.

  3. Paste the issuer URI from your IdP in the Issuer URI field.

  4. Paste the client ID from your IdP in the Client ID field.

  5. Paste the client secret from your IdP in the Client Secret field.

  6. Optional: You can configure custom IdP-specific behaviors in the Advanced Settings of the OIDC configuration form. The following options are available:
    • Scopes: Specify the list of scopes Konnect requests from the IdP. By default, Konnect requests the openid, email, and profile scopes. The openid scope is required and cannot be removed.
    • Claim Mappings: Customize the mapping of required attributes to a different claim in the id_token Konnect receives from the IdP. By default, Konnect requires three attributes: Name, Email, and Groups. The values in these attributes are mapped as follows:
      • name: Used as the Konnect account’s full_name.
      • email: Used as the Konnect account’s email.
      • groups: Used to map users to teams defined in the team mappings upon login.

  7. Optional: Map existing developer teams from IdP groups to Konnect Dev Portal teams.

  8. After clicking Save, close the configuration dialog and from the OIDC context menu, click Enable OIDC.

The Konnect SAML integration allows you to configure various identity providers. While technically any SAML-compliant provider can be used, the following have been verified:

  • Okta
  • Azure Active Directory
  • Oracle Identity Cloud Service
  • Keycloak

  1. In Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.

  2. Click Configure for SAML.

  3. Enter the Metadata URL from your IdP in the IDP Metadata URL field.

  4. After clicking Save, configure the SP Entity ID and Login URL on your SAML IdP.

  5. Optional: Map existing developer teams from IdP groups to Konnect Dev Portal teams.

  6. In Konnect, close the configuration dialog and click Enable SAML from the context menu.

Test and apply the configuration

Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.

Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login.

If the configuration is correct, you will see the IdP sign-in page.

You can now manage your organization’s user permissions entirely from the IdP application.

Troubleshooting

Troubleshooting authentication issues with large numbers of groups

If users are assigned a very large number of groups (over 150 in most cases), the IdP may send the groups claim in a non-standard manner, causing authentication issues.

To work around this limitation in the IdP, we recommend using group filtering functions provided by the IdP for this purpose. Here are some quick reference guides for common IdPs:

You may need to contact the support team of your identity provider in order to learn how to filter groups emitted for the application.