Single Sign-On (SSO)

CxReports supports Single Sign-On (SSO) authentication through multiple providers, allowing users to authenticate using their existing organizational credentials.

Supported SSO Providers

Google Login (^1.13.0)

Google SSO for Google Workspace integration. Configure in Google Cloud Console under APIs & Services > Credentials.

Microsoft Login (^1.13.0)

Microsoft SSO for Entra ID (Azure AD) and Microsoft 365 accounts. Configure in Azure Portal under App registrations.

OpenID Connect (^1.21.5)

OpenID Connect (OIDC) support for SSO authentication with providers such as Keycloak, Okta, and other OIDC-compliant identity providers. Configure using the OidcConfig settings in appsettings.json.

Configuration

All SSO providers are configured through the appsettings.json file. For detailed configuration options, see Application Settings.

The PasswordLogin setting can be used to hide the username/password login form when you want users to authenticate exclusively through SSO providers like Microsoft, Google, or OpenID Connect providers.

{
  "GoogleLogin": {
    "Enabled": true,
    "SupportedDomains": ["your-domain.com"],
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret"
  },
  "MicrosoftLogin": {
    "Enabled": true,
    "SupportedDomains": ["your-domain.com"],
    "ClientId": "your-client-id",
    "ClientSecret": "your-client-secret",
    "TenantId": "your-tenant-id"
  },
  "OidcConfig": {
    "Authority": "<authority>",
    "ClientId": "<clientId>",
    "ClientSecret": "<clientSecret>",
    "Audience": "<audience>",
    "Issuer": "<issuer>"
  },
  "PasswordLogin": {
    "Enabled": true
  }
}

OpenID Connect Configuration Examples

Keycloak

For Keycloak integration, configure the authentication provider, then fill in the OidcConfig section with your Keycloak realm details:

{
  "OidcConfig": {
    "Authority": "https://<keycloak-domain>/realms/<realm-name>",
    "ClientId": "<client-id>",
    "ClientSecret": "<client-secret>",
    "Audience": "<audience>",
    "Issuer": "https://<keycloak-domain>/realms/<realm-name>"
  }
}

Configuration values:

  • Authority: Your Keycloak server URL with realm (e.g., https://keycloak.example.com/realms/myrealm)
  • ClientId: The Client ID from your Keycloak client configuration
  • ClientSecret: The Client Secret from your Keycloak client credentials
  • Issuer: Typically the same as Authority (your Keycloak realm URL)
  • Audience: Optional, only required if your Keycloak setup requires audience validation

Okta

For Okta integration, configure the authentication provider, then fill in the OidcConfig section with your Okta organization details:

{
  "OidcConfig": {
    "Authority": "https://<okta-domain>", // e.g. https://trial-1234567.okta.com/
    "ClientId": "<client-id>", // e.g. 0oa123456789012345678901234567890
    "ClientSecret": "<client-secret>", // e.g. 01234567890123456789012345678901234567890
    "Issuer": "https://<okta-domain>" // e.g. https://trial-1234567.okta.com/
  }
}

Configuration values:

  • Authority: Your Okta organization URL with authorization server (e.g., https://dev-123456.okta.com/oauth2/default)
  • ClientId: The Client ID from your Okta application
  • ClientSecret: The Client Secret from your Okta application
  • Issuer: Typically the same as Authority (your Okta authorization server URL)
  • Audience: Not required for Okta and can be omitted

Note: The Audience parameter is optional for both Keycloak and Okta. It should only be included if your identity provider configuration specifically requires audience validation.

Google Login Configuration

Redirect URI: When registering the app in Google Cloud Console, set the redirect URI to:

https://[your-domain]/signin-google

Claims mapping:

Claim    Description
name     User's display name
email    User's email address

Microsoft Login Configuration

The TenantId field is optional and used for single-tenant applications. If omitted, the app accepts accounts from any Microsoft tenant (multi-tenant).

Redirect URI: When registering the app in Azure Portal, set the redirect URI to:

https://[your-domain]/signin-microsoft

Claims mapping:

Claim    Description
name     User's display name
email    User's email address

Setup

  • Google: Create Google Cloud Project, enable OAuth 2.0, configure credentials, set redirect URI to https://[your-domain]/signin-google
  • Microsoft: Register app in Azure AD, configure permissions, generate client secret, set redirect URI to https://[your-domain]/signin-microsoft
  • Keycloak: Create a client in Keycloak realm, set access type to confidential, configure redirect URIs
  • Okta: Create an OIDC application in Okta Admin Console, configure redirect URIs, obtain client credentials

Security

Use HTTPS in production, store secrets securely, implement domain restrictions, and monitor authentication logs.
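
A pre-deployment check of the settings described on this page, as an added example that is not part of CxReports or its documentation: it parses appsettings.json text (tolerating // comments like those in the Okta sample) and flags an omitted TenantId, an empty SupportedDomains list, a non-HTTPS Authority, an Issuer that differs from Authority, and a password form left enabled. The function names and the sample values are assumptions made for illustration.

```python
import json
import re

# A JSON string literal or a // comment. Strings are matched first and kept, so the
# "//" inside "https://..." is never treated as the start of a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def load_settings(text):
    """Parse appsettings.json text that may carry // comments, as the Okta sample does."""
    def keep_strings(match):
        return match.group(0) if match.group(0).startswith('"') else ""
    return json.loads(_TOKEN.sub(keep_strings, text))

def audit_sso(cfg):
    """Return review findings for the SSO keys documented on this page."""
    findings = []
    for name in ("GoogleLogin", "MicrosoftLogin"):
        provider = cfg.get(name) or {}
        if not provider.get("Enabled"):
            continue
        if not provider.get("SupportedDomains"):
            findings.append(f"{name}: SupportedDomains is empty")
        if name == "MicrosoftLogin" and not provider.get("TenantId"):
            findings.append("MicrosoftLogin: TenantId omitted, any Microsoft tenant is accepted")
    oidc = cfg.get("OidcConfig") or {}
    authority, issuer = oidc.get("Authority", ""), oidc.get("Issuer", "")
    if authority:
        if not authority.lower().startswith("https://"):
            findings.append("OidcConfig: Authority is not an https:// URL")
        if issuer.rstrip("/") != authority.rstrip("/"):
            findings.append("OidcConfig: Issuer differs from Authority")
    if (cfg.get("PasswordLogin") or {}).get("Enabled") is True:
        findings.append("PasswordLogin: password form is still shown next to SSO")
    return findings

# Constructed sample (not a real deployment): all values are made up for illustration.
SAMPLE = """
{
  "MicrosoftLogin": { "Enabled": true, "SupportedDomains": ["example.com"] }, // no TenantId
  "OidcConfig": {
    "Authority": "http://keycloak.example.com/realms/myrealm", // plain HTTP
    "ClientSecret": "constructed-value",
    "Issuer": "https://keycloak.example.com/realms/myrealm"
  },
  "PasswordLogin": { "Enabled": true }
}
"""

if __name__ == "__main__":
    print("\n".join(audit_sso(load_settings(SAMPLE))))
```

The findings are prompts for review rather than errors: a multi-tenant Microsoft login or a visible password form can be intentional.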

User Management

Users are automatically created upon first SSO login. User information is synchronized from the SSO provider while maintaining role and permission management within CxReports.