OIDC Auth Plugin

The OIDC auth plugin connects Konduo Enterprise to an external OpenID Connect provider.

Common Uses

  1. Sign in through an internal or cloud identity provider
  2. Synchronize user profiles from OIDC claims
  3. Provide the basis for operator group and role mapping
  4. Separate local account operations from externally managed accounts

Highlights

  • Performs OIDC discovery, OAuth2 token exchange, ID token verification, and optional UserInfo lookup.
  • Checks JWKS readiness and reports issuer, endpoint, claim mapping, login gate, and key-count metadata without exposing secrets.
  • Uses authorization_code by default and supports the password grant only for trusted providers that explicitly enable it.
  • Keeps resource plugins such as Keycloak separate from login providers so Admin API credentials and login client credentials do not mix.
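
The following is an added example and not code from Konduo or its OIDC plugin. It walks through the steps listed above (discovery validation, key selection by kid, ID token verification, claim mapping, and a readiness report that carries key ids and counts but no key material) in plain Python against constructed stand-in documents, so it runs offline. The issuer URL, client ID, client secret, key id, claim names and timestamps are constructed assumptions. The token is HS256-signed with the client secret, which OpenID Connect Core 10.1 permits, so no third-party cryptography library is needed; with RS256 the kid-based key lookup is unchanged and only the signature step becomes a public-key check.

```python
"""Added example, not Konduo's plugin code: the OIDC steps named above
(discovery validation, ID token verification, claim mapping, secret-free
readiness report) run offline against constructed stand-in documents."""
import base64
import hashlib
import hmac
import json
import time

CLIENT_ID = "konduo-login"                             # constructed
CLIENT_SECRET = b"constructed-client-secret-not-real"  # constructed
ISSUER = "https://idp.example.test/realms/demo"        # constructed
ALLOWED_ALGS = {"HS256"}  # explicit allow-list; "none" is never accepted
# Constructed discovery document ({issuer}/.well-known/openid-configuration).
DISCOVERY = {"issuer": ISSUER, "token_endpoint": ISSUER + "/token",
             "userinfo_endpoint": ISSUER + "/userinfo", "jwks_uri": ISSUER + "/certs"}
# Verification keys by kid: the client secret for HS256 (OIDC Core 10.1); RS256 entries would come from jwks_uri.
KEY_SET = {"k1": {"alg": "HS256", "k": CLIENT_SECRET}}
CLAIM_MAP = {"username": "preferred_username", "email": "email", "groups": "groups"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def validate_discovery(doc: dict, configured_issuer: str) -> dict:
    """Discovery 4.3: the document's issuer must equal the configured issuer URL,
    and the endpoints the plugin will call must be present and HTTPS."""
    if doc.get("issuer") != configured_issuer:
        raise ValueError("issuer %r != configured %r" % (doc.get("issuer"), configured_issuer))
    if any(not str(doc.get(f, "")).startswith("https://") for f in ("token_endpoint", "jwks_uri")):
        raise ValueError("token_endpoint/jwks_uri missing or not https")
    return {k: doc[k] for k in ("issuer", "token_endpoint", "jwks_uri")}


def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    """Mint a token as the provider would; used only to build test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token, key_set, issuer, client_id, nonce, now=None):
    """OIDC Core 3.1.3.7: signature first, then iss, aud/azp, exp and nonce."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # ValueError on anything but three segments
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError("algorithm %r not allowed" % alg)
    key = key_set.get(header.get("kid"))
    if key is None or key["alg"] != alg:  # key must exist and be bound to this alg
        raise ValueError("no key for kid %r with alg %r" % (header.get("kid"), alg))
    expected = hmac.new(key["k"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def map_profile(claims: dict, claim_map: dict) -> dict:
    # Apply the configured claim mapping; the stable identifier is always 'sub'.
    return {"sub": claims["sub"], **{local: claims[remote] for local, remote in claim_map.items()
                                    if remote in claims}}


def readiness_report(discovery: dict, key_set: dict, claim_map: dict) -> dict:
    """Operator-facing status: key ids and counts only, never key material."""
    return {"issuer": discovery["issuer"], "token_endpoint": discovery["token_endpoint"],
            "jwks_uri": discovery["jwks_uri"], "key_count": len(key_set),
            "kids": sorted(key_set), "claim_mapping": dict(claim_map), "ready": bool(key_set)}


def demo(now=1_700_000_000):
    # Happy path, then one negative case: a payload altered after signing must be rejected.
    disc = validate_discovery(DISCOVERY, ISSUER)
    claims = {"iss": ISSUER, "sub": "u-123", "aud": CLIENT_ID, "exp": now + 300, "iat": now,
              "nonce": "n-abc", "preferred_username": "alice", "email": "alice@example.test",
              "groups": ["ops"]}
    token = sign_hs256(claims, "k1", CLIENT_SECRET)
    profile = map_profile(verify_id_token(token, KEY_SET, ISSUER, CLIENT_ID, "n-abc", now), CLAIM_MAP)
    h, _, s = token.split(".")
    altered = h + "." + b64url_encode(json.dumps(dict(claims, sub="u-999")).encode()) + "." + s
    rejected = None
    try:
        verify_id_token(altered, KEY_SET, ISSUER, CLIENT_ID, "n-abc", now)
    except ValueError as e:
        rejected = str(e)
    return {"discovery": disc, "profile": profile, "rejected": rejected,
            "report": readiness_report(disc, KEY_SET, CLAIM_MAP)}
```

Running demo() returns the validated discovery summary, the mapped profile, the rejection reason for the altered token ("bad signature"), and a readiness report whose only key-related fields are the kid list and count, which is the shape an operator can safely read in a status view.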

Before Registration

  • Prepare the OIDC issuer URL, client ID, and client secret.
  • Register the redirect URI in the identity provider.
  • Confirm the user identifier claim and group claim policy.

Operations Tips

  • Validate login and role mapping with a limited test group first.
  • Review Konduo settings when the provider certificate or issuer configuration changes.
  • Keep at least one local administrator account for recovery.
  • Claim mapping changes can affect login identifiers and existing external identity namespaces; validate them with a test provider before rollout.