OIDC Auth Plugin
The OIDC auth plugin connects Konduo Enterprise to an external OpenID Connect provider.
Common Uses
- Sign in through an internal or cloud identity provider
- Synchronize user profiles from OIDC claims
- Provide the basis for operator group and role mapping
- Separate local account operations from externally managed accounts
Highlights
- Performs OIDC discovery, OAuth2 token exchange, ID token verification, and optional UserInfo lookup.
- Checks JWKS readiness and reports issuer, endpoint, claim mapping, login gate, and key-count metadata without exposing secrets.
- Uses authorization_code by default and supports the password grant only for trusted providers that explicitly enable it.
- Keeps resource plugins such as Keycloak separate from login providers so Admin API credentials and login client credentials do not mix.
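The ID token verification step listed above, shown as an added worked example in Go; this is not the plugin's own code, and the names (VerifyIDToken, keyByID, newFakeProvider, signIDToken) are hypothetical. It assumes the JWKS was already fetched from the jwks_uri learned through OIDC discovery, that the provider signs with RS256 only, and that "aud" is a single string; the fake provider and the sample claims are constructed so the example runs offline with the Go standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// jwks models the document at the provider's jwks_uri (from OIDC discovery); only RSA entries matter for RS256.
type jwk struct{ Kid, Kty, N, E string }
type jwks struct{ Keys []jwk }

// idClaims holds the ID token claims checked here; "aud" is modelled as a single string (providers may send an array).
type idClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

// keyByID selects the JWKS entry named by the token header's kid, so provider key rotation keeps working.
func keyByID(set jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, errors.New("no usable RSA key with matching kid in JWKS")
}

// VerifyIDToken checks the RS256 signature against the JWKS first, then issuer, audience, nonce and expiry.
// No claim is trusted until every check passes.
func VerifyIDToken(token string, set jwks, issuer, clientID, nonce string, now time.Time) (*idClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg" and "kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; the token header must not choose it
		return nil, errors.New("unexpected alg")
	}
	pub, err := keyByID(set, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c idClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer || c.Aud != clientID || c.Nonce != nonce { // nonce binds the token to this login attempt
		return nil, errors.New("issuer, audience or nonce mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// newFakeProvider and signIDToken stand in for the identity provider so the example runs offline
// (constructed test fixtures); the plugin itself never holds the provider's private key.
func newFakeProvider(kid string) (*rsa.PrivateKey, jwks) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	n, e := b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	return priv, jwks{Keys: []jwk{{Kid: kid, Kty: "RSA", N: n, E: e}}}
}

func signIDToken(priv *rsa.PrivateKey, kid string, c idClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	d := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signingInput + "." + b64.EncodeToString(sig)
}
```

The order of checks is the point: the algorithm is pinned before any key lookup, the signature is verified before the payload is parsed, and issuer, audience, nonce and expiry are all compared against values the plugin already holds (its configuration and the login session), never against values taken from the token itself. A token from a key that is not in the JWKS, a token whose payload was swapped, and an alg=none token all fail before a single claim is used.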
Before Registration
- Prepare the OIDC issuer URL, client ID, and client secret.
- Register the redirect URI in the identity provider.
- Confirm the user identifier claim and group claim policy.
Operations Tips
- Validate login and role mapping with a limited test group first.
- Review Konduo settings when the provider certificate or issuer configuration changes.
- Keep at least one local administrator account for recovery.
- Claim mapping changes can affect login identifiers and existing external identity namespaces; validate them with a test provider before rollout.