# Zitadel as IDP for OIDC-SSO
To set up the IDP you need a running instance of Zitadel.
# Preamble
The Enterprise Edition (EE) server and client support the OIDC protocol that allows you to configure an external service as IDP (identity provider) for SSO (single sign on). This guide here will explain how to configure Zitadel as OIDC-IDP for SSO. We assume that:
- your Zitadel instance is running on https://test.zitadel.cloud
- your webclient can be accessed on https://psono.example.com
- the server is reachable at https://psono.example.com/server (e.g. https://psono.example.com/server/info/ shows you some nice json output).
- this is the first OIDC provider you configure, so it gets the provider ID `1` (the ID is used in the callback URL, the server settings and the client configuration below).
TIP
This feature is only available in the Enterprise Edition.
# Zitadel
1. Create a new application.
2. Configure the application: specify a name and select "Web" as type.
3. As authentication method choose "Code" (the authorization code flow; the client secret you copy below authenticates the Psono server at the token endpoint).
4. Add `https://psono.example.com/server/oidc/<provider_id>/callback/` as redirect URI, where `<provider_id>` is the ID chosen in the preamble (here `1`, giving `https://psono.example.com/server/oidc/1/callback/`). Zitadel only redirects the browser to URIs registered here, and the comparison is an exact string match, so the scheme, host, path and trailing slash must match your server URL. Check that the overview now matches the one on the screenshot.
5. Copy the client id and client secret. We will need them in the next step.
# Server (settings.yaml)
After setting up the IDP for the OIDC authentication it is time to configure your running Psono server to act as the SP (relying party). The Psono server itself must be able to reach Zitadel: in the code flow the token, JWKS and userinfo endpoints are called from the server, not from the browser.
Edit the settings.yaml like so:
```yaml
# Make sure the 'OIDC' entry is present in the following list
AUTHENTICATION_METHODS: ['OIDC']
OIDC_CONFIGURATIONS:
  1:
    OIDC_RP_SIGN_ALGO: 'RS256'
    OIDC_RP_CLIENT_ID: 'YOUR_CLIENT_ID'
    # The client secret authenticates your server at the token endpoint;
    # keep settings.yaml readable only by the service user.
    OIDC_RP_CLIENT_SECRET: 'YOUR_CLIENT_SECRET'
    OIDC_OP_JWKS_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/keys'
    OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/authorize'
    OIDC_OP_TOKEN_ENDPOINT: 'https://test.zitadel.cloud/oauth/v2/token'
    OIDC_OP_USER_ENDPOINT: 'https://test.zitadel.cloud/oidc/v1/userinfo'
    # URLs the server may send the browser back to after a successful login:
    # only your own webclient belongs here, never the IDP.
    OIDC_ALLOWED_REDIRECT_URLS: ['https://psono.example.com/']
```
The Zitadel endpoints can be found on the ".well-known" page (e.g. https://test.zitadel.cloud/.well-known/openid-configuration) of your installation; the keys there are `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` and `jwks_uri`. Replace the client id and client secret with the ones provided by Zitadel.
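To make the mapping from the discovery document to the settings above concrete, here is an added Python example; it is not part of Psono or Zitadel. The discovery document it works on is constructed inline to mirror the endpoints named in this guide (in practice you would fetch it from the `.well-known` URL), and the server URL, webclient URL and provider ID are the assumptions from the preamble. It checks that every endpoint is served over https from the issuer's own host, that the provider supports the code flow and RS256, derives the callback URI to register at the IDP, and renders the `OIDC_CONFIGURATIONS` block.

```python
"""Derive Psono's OIDC_CONFIGURATIONS entry from an OpenID discovery document.

Added example, not Psono's or Zitadel's own code. SAMPLE_DISCOVERY is a
constructed stand-in for https://test.zitadel.cloud/.well-known/openid-configuration,
trimmed to the keys this guide needs.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the fields of the guide's instance that Psono consumes.
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://test.zitadel.cloud",
  "authorization_endpoint": "https://test.zitadel.cloud/oauth/v2/authorize",
  "token_endpoint": "https://test.zitadel.cloud/oauth/v2/token",
  "userinfo_endpoint": "https://test.zitadel.cloud/oidc/v1/userinfo",
  "jwks_uri": "https://test.zitadel.cloud/oauth/v2/keys",
  "response_types_supported": ["code", "id_token", "id_token token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

# Discovery key -> Psono setting that receives it (names from this guide).
ENDPOINT_MAP = {
    "jwks_uri": "OIDC_OP_JWKS_ENDPOINT",
    "authorization_endpoint": "OIDC_OP_AUTHORIZATION_ENDPOINT",
    "token_endpoint": "OIDC_OP_TOKEN_ENDPOINT",
    "userinfo_endpoint": "OIDC_OP_USER_ENDPOINT",
}


def validate_discovery(doc, expected_issuer, sign_algo="RS256"):
    """Return a list of problems; an empty list means the document is usable.

    Catches a pasted URL of a different instance (host mismatch), a plain
    http endpoint, and a provider that lacks the code flow or the
    id_token signing algorithm that OIDC_RP_SIGN_ALGO will demand.
    """
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    issuer_host = urlsplit(expected_issuer).netloc
    for key in ENDPOINT_MAP:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != issuer_host:
            problems.append(f"{key} {url!r} is not https on {issuer_host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not support response_type=code")
    if sign_algo not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not sign id_tokens with {sign_algo}")
    return problems


def callback_uri(server_url, provider_id):
    """Redirect URI to register at the IDP: <server>/oidc/<provider_id>/callback/."""
    return f"{server_url.rstrip('/')}/oidc/{provider_id}/callback/"


def build_psono_config(doc, provider_id, client_id, client_secret,
                       webclient_url, sign_algo="RS256"):
    """Return the OIDC_CONFIGURATIONS mapping for one provider as a dict."""
    entry = {
        "OIDC_RP_SIGN_ALGO": sign_algo,
        "OIDC_RP_CLIENT_ID": client_id,
        "OIDC_RP_CLIENT_SECRET": client_secret,
    }
    for key, setting in ENDPOINT_MAP.items():
        entry[setting] = doc[key]
    # Post-login redirect allow-list: the webclient only, never the IDP.
    entry["OIDC_ALLOWED_REDIRECT_URLS"] = [webclient_url]
    return {provider_id: entry}


def render_yaml(configs):
    """Render the block as settings.yaml text (plain strings, no PyYAML needed)."""
    lines = ["OIDC_CONFIGURATIONS:"]
    for provider_id, entry in configs.items():
        lines.append(f"  {provider_id}:")
        for key, value in entry.items():
            if isinstance(value, list):
                rendered = "[" + ", ".join(f"'{v}'" for v in value) + "]"
            else:
                rendered = f"'{value}'"
            lines.append(f"    {key}: {rendered}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    issuer = "https://test.zitadel.cloud"
    problems = validate_discovery(SAMPLE_DISCOVERY, issuer)
    if problems:
        raise SystemExit("discovery document rejected: " + "; ".join(problems))
    print("register this redirect URI at Zitadel:",
          callback_uri("https://psono.example.com/server", 1))
    config = build_psono_config(SAMPLE_DISCOVERY, 1, "YOUR_CLIENT_ID",
                                "YOUR_CLIENT_SECRET", "https://psono.example.com/")
    print(render_yaml(config))
```

Run it once against the real discovery document after replacing `SAMPLE_DISCOVERY`; a non-empty problem list means the endpoints you are about to paste do not belong to the issuer you expect, which is exactly the mistake that leaves the relying party talking to the wrong provider.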
TIP
Always restart the server after making changes to the settings.yaml file.
# Client (config.json)
Now you have to configure your client, so your users can use this configured IDP.
Update your config.json similar to the one shown below.
```json
{
  ...
  "authentication_methods": ["OIDC"],
  "oidc_provider": [{
    "title": "OIDC Login",
    "provider_id": 1,
    "button_name": "Login"
  }]
  ...
}
```
The variable `authentication_methods` restricts the login methods the webclient offers. In the example above only OIDC is offered and the normal username/password login is hidden; hiding it in the client is a UI choice, the server's own `AUTHENTICATION_METHODS` list decides what it actually accepts. The `title` and `button_name` can be adjusted however you like. The `provider_id` needs to match the key you used under `OIDC_CONFIGURATIONS` on your server (`1` in this guide).