Set up SSO with OpenID Connect
As an alternative to Kong Konnect’s native authentication, you can set up single sign-on (SSO) access to Konnect through an identity provider (IdP) with OpenID Connect. This authentication method allows your users to log in to Kong Konnect using their IdP credentials, without needing a separate login.
You can’t mix authentication methods in Kong Konnect. With IdP authentication enabled, all non-admin Konnect users have to log in through your IdP. Only the Konnect org owner can continue to log in with Konnect’s native authentication.
Prerequisites
- Konnect must be added to your IdP as an application
- Claims are set up in your IdP
Set up SSO in Konnect
- In Kong Konnect, click Settings, and then Auth Settings.
- Click Configure provider for OIDC.
- Paste the issuer URI from your IdP in the Issuer URI box.
- Paste the client ID from your IdP in the Client ID box.
- Paste the client secret from your IdP in the Client Secret box.
- In the Organization Login Path box, enter a unique string. For example: examplepath. Konnect uses this string to generate a custom login URL for your organization.
  Requirements:
  - The path must be unique across all Konnect organizations. If your desired path is already taken, you must choose another one.
  - The path can be any alphanumeric string.
  - The path does not require a slash (/).
- Click Save.
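A pre-flight check for the values entered in these steps, as an added example that is not Kong's code or part of the original page. It assumes your IdP publishes an OpenID Connect Discovery document; the host idp.example.com, the sample metadata and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(issuer_uri):
    """Where the IdP publishes its metadata for this issuer."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer_uri, metadata):
    """Return the problems found in an issuer URI and its discovery metadata."""
    problems = []
    parts = urlsplit(issuer_uri)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URI must be an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer URI must not contain a query or fragment")
    for field in REQUIRED:
        if field not in metadata:
            problems.append(f"discovery metadata is missing {field}")
    # The document's issuer must equal the configured value exactly; even a
    # trailing-slash difference breaks validation of the ID token "iss" claim.
    if metadata.get("issuer") not in (None, issuer_uri):
        problems.append(f"issuer mismatch: document says {metadata['issuer']!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https")
    return problems

def check_login_path(path):
    """Organization login path: alphanumeric, no slash (ASCII is assumed)."""
    return re.fullmatch(r"[A-Za-z0-9]+", path) is not None

# Constructed sample of a discovery document, as fetched from discovery_url().
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

print(check_issuer("https://idp.example.com", SAMPLE_METADATA))
```

An empty list means the issuer URI can be pasted exactly as checked; the sample call reports a mismatch because the document's issuer ends in a slash and the configured value does not.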
Test and apply the configuration
Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.
You can test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: cloud.konghq.com/login/examplepath. If your configuration is set up correctly, you will see the IdP sign-in window.
You can now manage your organization’s user permissions entirely from the IdP application.