Configure generic SSO for Dev Portal
You can configure single sign-on (SSO) for Konnect Dev Portal with OpenID Connect (OIDC) or SAML. This allows developers to log in to Dev Portals by using their IdP credentials, without needing a separate login.
This page provides general instructions for configuring SSO across identity providers. See Set Up SSO with Okta for specific instructions on setting up SSO with Okta.
Keep the following in mind when configuring SSO for Dev Portal:
- Developers are auto-approved by Konnect when they use SSO to log in to the Dev Portal. This is because Kong outsources the approval process to the IdP instance when using SSO. Therefore, you should restrict who can sign up from the IdP rather than through Konnect.
- If you plan on using team mappings from an IdP, they must be from the same IdP instance as your SSO.
- If you have multiple Dev Portals, keep in mind that each Dev Portal has a separate SSO configuration. You can use the same IdP for multiple Dev Portals or different IdPs per Dev Portal.
- Dev Portal SSO is different than the SSO for Konnect. If you want to use SSO to log in to Konnect, you must configure that separately.
It is recommended to use a single authentication method, however, Konnect supports the ability to combine built-in authentication with either OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing the configurations in these guides.
Prerequisites
- Konnect must be added to your IdP as an application
- Users that need to use SSO are added to your IdP tenant
- Claims are set up in your IdP
Set up SSO in Konnect
Test and apply the configuration
Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.
Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login
.
If the configuration is correct, you will see the IdP sign-in page.
You can now manage your organization’s user permissions entirely from the IdP application.
Troubleshooting
Troubleshooting authentication issues with large numbers of groups
If users are assigned a very large number of groups (over 150 in most cases), the IdP may send the groups claim in a non-standard manner, causing authentication issues.
To work around this limitation in the IdP, we recommend using group filtering functions provided by the IdP for this purpose. Here are some quick reference guides for common IdPs:
You may need to contact the support team of your identity provider in order to learn how to filter groups emitted for the application.