# Zitadel as IDP for OIDC-SSO

To set up the IDP you need a running instance of Zitadel.

# Preamble

The Enterprise Edition (EE) server and client support the OIDC protocol that allows you to configure an external service as IDP (identity provider) for SSO (single sign on). This guide here will explain how to configure Zitadel (opens new window) as OIDC-IDP for SSO. We assume that:

  • your Zitadel instance is running on https://test.zitadel.cloud
  • your webclient can be accessed on https://psono.example.com
  • the server is reachable at https://psono.example.com/server (e.g. https://psono.example.com/server/info/ shows you some nice json output).

This is your first OIDC provider that you want to configure (therefore we give it the ID "1").

TIP

This feature is only available in the Enterprise Edition.

# Zitadel

  1. Create a new application

    Zitadel create application

  2. Configure the application

    Specify a name and select "Web" as type

    Zitadel specify name and Web as type

    As authentication method choose "Code"

    Zitadel choose code as authenticaiton method

    Add https://psono.example.com/server/oidc/<provider_id>/callback/ as redirect URI (adjust accordingly).

    Zitadel choose code as authenticaiton method

    Check that the overview matches now the one on the screenshot.

    Zitadel check overview

    Copy the client id and client secret. We will need them in the next step.

    Zitadel copy client id and client secret

  3. Add roles

    To create a role (or group if you want to call it like that) click on the left side on "Roles" and then click on the blue "New" button in the middle.

    Zitadel add roles

  4. Add Authorizations

    To assign roles to groups click on Authorizations on the left side of the menu and then again use the blue "New" button to assign a role to a user.

    Zitadel add authorizations

  5. Create Action

    At the top click on Actions and the nagain use the blue "New" button to create an action.

    Zitadel add authorizations

    Configure the action with the name flatGroups and the following content:

    function flatGroups(ctx, api) {
       if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
           return;
       }
       
       let groups = [];
       ctx.v1.user.grants.grants.forEach(claim => {
          claim.roles.forEach(role => {
            grants.push(role+':'+claim.projectId)  
          })
       })
       
       api.v1.claims.setClaim('groups', groups)
    }
    

    It then should look like this:

    Zitadel add authorizations

  6. Configure Flow

    At the bottom choose flow type "Complement Token" and then use the blue "Add Trigger" button to configure one for "Pre Userinfo creation":

    Zitadel add authorizations

    Repeat the process and configure another Trigger for "Pre access token creation":

    Zitadel add authorizations

# Server (settings.yaml)

After setting up the IDP for the OIDC-Authentication it is time to configure your running Psono server to act as the SP. It is required that Psono can reach Zitadel.

Edit the settings.yml like so:

# Make sure the 'OIDC'-entry is present in the following list
AUTHENTICATION_METHODS: ['OIDC']

OIDC_CONFIGURATIONS:
    1:
      OIDC_RP_SIGN_ALGO: 'RS256'
      OIDC_RP_CLIENT_ID: 'YOUR_CLIENT_ID'
      OIDC_RP_CLIENT_SECRET: 'YOUR_CLIENT_SECRET'
      OIDC_OP_JWKS_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/keys'
      OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/authorize'
      OIDC_OP_TOKEN_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/token'
      OIDC_OP_USER_ENDPOINT: 'https://test.zitadel.cloud/oidc/v1/userinfo'
      OIDC_ALLOWED_REDIRECT_URLS: ['https://test.zitadel.cloud/']

The Zitadel endpoints can be found on the ".well-known"-page (e.g. https://test.zitadel.cloud/.well-known/openid-configuration) of your installation. Replace the client id and client secret with the one provided by Zitadel.

TIP

Always restart the server after making changes in the setting.yml-file.

# Client (config.json)

Now you have to configure your client, so your users can use this configured IDP.

  1. Basic

    Update your config.json similar to the one shown below.

    {
      ...
        "authentication_methods": ["OIDC"],
        "oidc_provider": [{
          "title": "OIDC Login",
          "provider_id": 1,
          "button_name": "Login "
        }]
      ...
    }
    

    The variable authentication_methods restricts the allowed login methods. In the example above only OIDC will be allowed and the normal login "hidden". The title and button_name can be adjusted however you like. The provider_id needs to match the one that you used on your server.

  2. (optional) Automatic login

    You may want to "automatically" click on the login button to initiate the login flow. You can accomplish this by modifying the config.json as shown below:

    {
      ...
        "authentication_methods": ["OIDC"],
        "auto_login": true,
      ...
    }
    

    WARNING

    This will only work if you have just one provider configured with only one authentication method. Users won't be able to modify the server url nor choose to register or interact with the login form in any other way.