Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Org Management
  • Configure generic SSO for a Konnect Org
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • Introduction
    • Overview of Konnect
    • Architecture
    • Network Resiliency and Availability
    • Port and Network Requirements
    • Private Connections to Other Cloud Providers
      • Create a private connection with AWS PrivateLink
    • Geographic Regions
    • Centralized consumer management
    • Compatibility
    • Stages of Software Availability
    • Release Notes
    • Support
      • Control Plane Upgrades FAQ
      • Supported Installation Options
  • Get Started
    • Overview
    • Add your API
    • Migrating a Self-Managed Kong Gateway into Konnect
  • Gateway Manager
    • Overview
    • Dedicated Cloud Gateways
      • Overview
      • Provision a Dedicated Cloud Gateway
      • Securing Backend Traffic
      • Transit Gateways
      • Azure VNET Peering
      • Custom Domains
      • Custom Plugins
      • Data plane logs
    • Serverless Gateways
      • Overview
      • Provision a serverless Gateway
      • Securing Backend Traffic
      • Custom Domains
    • Data Plane Nodes
      • Installation Options
      • Upgrade a Data Plane Node
      • Verify a Data Plane Node
      • Secure Control Plane/Data Plane Communications
      • Renew Data Plane Certificates
      • Parameter Reference
      • Using Custom DP Labels
    • Control Plane Groups
      • Overview
      • Working with Control Plane Groups
      • Migrate Configuration into Control Plane Groups
      • Conflicts in Control Planes
    • Kong Gateway Configuration in Konnect
      • Overview
      • Manage Plugins
        • Overview
        • Adding Custom Plugins
        • Updating Custom Plugins
        • How to Create Custom Plugins
      • Create Consumer Groups
      • Secrets Management
        • Overview
        • Konnect Config Store
        • Set Up and Use a Vault in Konnect
      • Manage Control Plane Configuration with decK
    • Active Tracing
      • Overview
    • KIC Association
    • Backup and Restore
    • Version Compatibility
    • Troubleshooting
  • Mesh Manager
    • Overview
    • Create a mesh with the Kubernetes demo app
    • Federate a zone control plane to Konnect
    • Migrate a self-managed zone control plane to Konnect
  • Service Catalog
    • Overview
    • Integrations
      • Overview
      • Datadog
      • GitHub
      • GitLab
      • PagerDuty
      • SwaggerHub
      • Traceable
      • Slack
    • Scorecards
  • API Products
    • Overview
    • Product Documentation
    • Productize a Service
  • Dev Portal
    • Overview
    • Dev Portal Configuration Preparation
    • Create a Dev Portal
    • Sign Up for a Dev Portal Account
    • Publish an API to Dev Portal
    • Access and Approval
      • Manage Developer Access
      • Manage Developer Team Access
      • Add Developer Teams from IdPs
      • Manage Application Registrations
      • Configure generic SSO for Dev Portal
      • Configure Okta SSO for Dev Portal
    • Application Lifecycle
    • Register and create an application as a developer
    • Enable and Disable App Registration for API Product Versions
    • Dynamic Client Registration
      • Overview
      • Okta
      • Curity
      • Auth0
      • Azure
      • Custom IdP
    • Portal Management API Automation Guide
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Portal Customization
      • Overview
      • About Self-Hosted Dev Portal
      • Host your Dev Portal with Netlify
      • Custom Domains
    • Dev Portal SDK
    • Troubleshoot
  • Advanced Analytics
    • Overview
    • Dashboard
    • Explorer
    • Analyze API Usage and Performance with Reports
    • Requests
  • Org Management
    • Plans and Billing
    • Authentication and Authorization
      • Overview
      • Teams
        • Overview
        • Manage Teams
        • Teams Reference
        • Roles Reference
      • Manage Users
      • Manage System Accounts
      • Personal Access Tokens
      • Social Identity Login
      • Org Switcher
      • Configure Generic SSO
      • Configure Okta SSO
      • Login Sessions Reference
      • Troubleshoot
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Account and Org Deactivation
  • API
    • Overview
    • API Request API (Beta)
      • API Spec
    • API Products API
      • API Spec
    • Audit Logs API
      • API Spec
      • Audit Log Webhooks
    • Control Plane API
      • API Spec
    • Control Plane Configuration API
      • API Spec
    • Cloud Gateways API
      • API Spec
    • Identity API
      • API Spec
      • Identity Integration Guide
      • SSO Customization
    • Konnect Search API (Beta)
      • API Spec
    • Mesh Manager API
      • API Spec
      • Kong Mesh API Reference
    • Portal Client API
      • API Spec
    • Portal Management API
      • API Spec
    • Reference
      • Filtering
      • API Errors
  • Reference
    • Labels
    • Plugin Ordering Reference
    • Konnect Search
    • Terraform Provider
    • Audit Logs
    • Verify audit log signatures
    • IdP SAML attribute mapping
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Map Konnect teams to IdP groups
  • Prerequisites
  • Set up SSO in Konnect
  • Test and apply the configuration
  • Troubleshooting
  • Related links

Configure generic SSO for a Konnect Org

Kong Konnect provides built-in authentication, allowing you to setup users and teams for Konnect authentication and authorization. Alternatively, you can set up single sign-on (SSO) access to Konnect using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to Konnect using IdP authorization, without needing additional Konnect specific credentials. You can also configure a mapping between Okta group claims and Kong Konnect teams, allowing for Konnect user team assignments from within Okta.

This topic provides general instructions for configuring SSO across identity providers. See Configure Okta SSO specific instructions on setting up SSO with Okta.

It is recommended to use a single authentication method, however, Konnect supports the ability to combine built-in authentication with either OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing your SSO configuration.

Map Konnect teams to IdP groups

Before you enable SSO, you have the option to map IdP groups to Konnect teams. By doing this, you can manage a user’s Konnect team membership directly through your IdP group membership.

After mapping is set up:

  • IdP users belonging to the mapped groups can log in to Konnect.
  • When a user logs into Konnect with their IdP account for the first time, Konnect automatically provisions an account with the relevant roles.
  • If your org already has non-admin Konnect users before mapping, on their next login they will be mapped to the teams defined by their IdP group membership.
  • An organization admin can view all registered users in Konnect, but cannot edit their team membership from the Konnect side. To manage automatically-created users, adjust user permissions through your IdP, or adjust the team mapping.

Any changes to the mapped IdP groups on the IdP-side are reflected in Kong Konnect. For example:

  • Removing a user from a group in your IdP also deactivates their Konnect account.
  • Moving a user from one group to another changes their team in Konnect to align with the new group-to-team mapping.

Prerequisites

  • Konnect must be added to your IdP as an application
  • Users that need to use SSO are added to your IdP tenant
  • Claims are set up in your IdP

Set up SSO in Konnect

OIDC
SAML

The Konnect OIDC integration allows you to configure various identity providers. While technically any OIDC-compliant provider can be used, the following have been verified:

  • Okta
  • Azure Active Directory
  • Oracle Identity Cloud Service
  • Keycloak
  1. In Kong Konnect, click organizations icon Organization > Settings, and then click the Authentication Scheme tab.

  2. Click Configure for OIDC.

  3. Paste the issuer URI from your IdP in the Issuer URI field.

  4. Paste the client ID from your IdP in the Client ID field.

  5. Paste the client secret from your IdP in the Client Secret field.

  6. In the Organization Login Path box, enter a unique string that will be used in the URL your users use to log in. For example: examplepath.

    Requirements:

    • The path must be unique across all Konnect organizations. If your desired path is already taken, you must to choose another one.
    • The path can be any alphanumeric string.
    • The path does not require a slash (/).
  7. Optional: You can configure custom IdP-specific behaviors in the Advanced Settings of the OIDC configuration form. The following options are available:
    • Scopes: Specify the list of scopes Konnect requests from the IdP. By default, Konnect requests the openid, email, and profile scopes. The openid scope is required and cannot be removed.
    • Claim Mappings: Customize the mapping of required attributes to a different claim in the id_token Konnect receives from the IdP. By default, Konnect requires three attributes: Name, Email, and Groups. The values in these attributes are mapped as follows:
      • name: Used as the Konnect account’s full_name.
      • email: Used as the Konnect account’s email.
      • groups: Used to map users to teams defined in the team mappings upon login.
  8. Optional: To map existing teams from IdP groups to Konnect, do the following:
    1. Configure group claims in your IdP application. Be sure to add the following to the scope: openid, email, profile
    2. In Kong Konnect, go to organizations icon Organization > Settings, click the Team Mappings tab and do at least one of the following:

      • To manage user and team memberships in Konnect from the Organization settings, select the Konnect Mapping Enabled checkbox.
      • To assign team memberships by the IdP during SSO login via group claims mapped to Konnect teams, select the IdP Mapping Enabled checkbox and enter your IdP groups in the relevant fields.

      You can hover over the info (i) icon beside each field to learn more about the team, or see the teams reference for more information.

      You must have at least one group mapped to save configuration changes.

    3. Click Save.
  9. After clicking Save, close the configuration dialog and from the OIDC context menu, click Enable OIDC.

The Konnect SAML integration allows you to configure various identity providers. While technically any SAML-compliant provider can be used, the following have been verified:

  • Okta
  • Azure Active Directory
  • Oracle Identity Cloud Service
  • Keycloak
  1. In Kong Konnect, click organizations icon Organization > Settings, and then click the Authentication Scheme tab.

  2. Click Configure for SAML.

  3. Enter the Metadata URL from your IdP in the IDP Metadata URL field.

  4. In the Login Path field, enter a unique string that will be used in the URL your users use to log in. For example: examplepath.

    Requirements:

    • The path must be unique across all Konnect organizations.
    • The path can be any alphanumeric string.
    • The path does not require a slash (/).
  5. After clicking Save, configure the SP Entity ID and Login URL on your SAML IdP.

  6. Optional: To map existing teams from IdP groups to Konnect, do the following:
    1. Configure group claims in your IdP application. Be sure to add the following to the scope: openid, email, profile
    2. In Kong Konnect, go to organizations icon Organization > Settings, click the Team Mappings tab and do at least one of the following:

      • To manage user and team memberships in Konnect from the Organization settings, select the Konnect Mapping Enabled checkbox.
      • To assign team memberships by the IdP during SSO login via group claims mapped to Konnect teams, select the IdP Mapping Enabled checkbox and enter your IdP groups in the relevant fields.

      Each Konnect team can be mapped to one IdP group.

      For example, if you have a service_admin group in your IdP, you might map it to the Service Admin team in Konnect. You can hover over the info (i) icon beside each field to learn more about the team, or see the teams reference for more information.

      You must have at least one group mapped to save configuration changes.

    3. Click Save.
  7. In Konnect, close the configuration dialog and click Enable SAML from the context menu.

Test and apply the configuration

Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.

Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: https://cloud.konghq.com/login/examplepath, where examplepath is the unique login path string set in the previous steps.

If the configuration is correct, you will see the IdP sign-in page.

You can now manage your organization’s user permissions entirely from the IdP application.

Troubleshooting

Troubleshooting authentication issues with large numbers of groups

If users are assigned a very large number of groups (over 150 in most cases), the IdP may send the groups claim in a non-standard manner, causing authentication issues.

To work around this limitation in the IdP, we recommend using group filtering functions provided by the IdP for this purpose. Here are some quick reference guides for common IdPs:

  • Azure group filtering
  • Okta group filtering

You may need to contact the support team of your identity provider in order to learn how to filter groups emitted for the application.

Related links

  • Configure generic SSO for Dev Portal
  • IdP SAML attribute mapping reference: Learn how Azure, Oracle Cloud, and KeyCloak attributes map to Konnect.
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025