
SSO Provider Setup Guide

Overview

This guide provides step-by-step instructions for setting up common SSO providers with Lager Guru.

Azure AD (Microsoft Entra ID)

OIDC Configuration

  1. Register Application in Azure AD

    • Go to Azure Portal → Microsoft Entra ID (labelled Azure Active Directory in older portals) → App registrations
    • Click "New registration"
    • Name: "Lager Guru"
    • Supported account types: "Accounts in this organizational directory only (Single tenant)" unless users from other directories must sign in. The Issuer configured below is tenant-specific, so single tenant is the matching choice.
    • Redirect URI (platform "Web"): https://your-domain.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}, with {provider_id} and {tenant_id} replaced by the real values for this provider entry. Entra ID compares the redirect URI exactly, query string included, and does not accept query strings at all for registrations that sign in personal Microsoft accounts.
  2. Get Application Credentials

    • Note the Application (client) ID
    • Go to "Certificates & secrets" → Create a new client secret and note its expiry date; the secret must be rotated in Lager Guru before that date or logins will start failing
    • Copy the Value (not the Secret ID) - this is your client secret. The Value is shown only once, immediately after creation.
  3. Get OIDC Endpoints

    • Go to "Endpoints" in your app registration
    • Copy the OpenID Connect metadata document URL
    • Format: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
  4. Configure in Lager Guru

    • Type: OpenID Connect (OIDC)
    • Issuer: https://login.microsoftonline.com/{tenant-id}/v2.0, exactly as the "issuer" value in the metadata document (including /v2.0). Use your tenant ID rather than "common": the common endpoint's metadata carries a templated issuer, and tokens issued through it would not match a fixed issuer check.
    • Client ID: Your Application (client) ID
    • Client Secret: Your client secret value
    • Metadata URL: The OpenID Connect metadata document URL
    • Scopes: openid profile email

SAML Configuration

  1. Register Enterprise Application

    • Go to Azure Portal → Microsoft Entra ID (labelled Azure Active Directory in older portals) → Enterprise applications
    • Click "New application" → "Create your own application" and choose the non-gallery option ("Integrate any other application you don't find in the gallery")
    • Name: "Lager Guru"
  2. Configure Single Sign-On

    • Go to "Single sign-on" → "SAML"
    • Basic SAML Configuration:
      • Identifier (Entity ID): Your Lager Guru Service Provider Entity ID (a URI that is unique within the tenant; it must be the same string you later enter in Lager Guru)
      • Reply URL (Assertion Consumer Service URL): https://your-domain.com/auth/callback/saml?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values. Entra ID only posts assertions to a Reply URL that matches exactly.
  3. Get SAML Metadata

    • Download the "Federation Metadata XML" or use the "App Federation Metadata Url". Prefer the URL: the metadata contains the certificate Entra ID signs assertions with, and when that certificate is rotated a metadata URL picks the new one up automatically, whereas a downloaded XML file has to be re-imported.
  4. Configure in Lager Guru

    • Type: SAML 2.0
    • Issuer: The "Microsoft Entra Identifier" (formerly "Azure AD Identifier") shown in the SAML setup, of the form https://sts.windows.net/{tenant-id}/ ; the trailing slash is part of the identifier and must be kept
    • Client ID: Your Lager Guru Service Provider Entity ID (the Identifier entered in step 2)
    • Metadata URL: App Federation Metadata Url from Azure AD

Okta

OIDC Configuration

  1. Create Application

    • Go to Okta Admin → Applications → Applications
    • Click "Create App Integration"
    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application (a confidential client that can keep the client secret server-side)
    • Grant types: Authorization Code, Refresh Token
    • Sign-in redirect URIs: https://your-domain.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values; Okta matches redirect URIs exactly, query string included
    • Assignments: assign the application to the users or groups that should be able to sign in; an unassigned user is rejected by Okta before reaching Lager Guru
  2. Get Credentials

    • Client ID: Found in the "General" tab
    • Client Secret: Found in the "General" tab (click "Show client secret")
  3. Get OIDC Endpoints

    • Go to "Security" → "API" → "Authorization Servers"
    • Copy the "Issuer" URL. The Org authorization server has the issuer https://{your-okta-domain} and is sufficient for sign-in; a custom authorization server (for example "default") has an issuer of the form https://{your-okta-domain}/oauth2/default. The ID token's "iss" claim equals whichever issuer you pick, so the Issuer entered in Lager Guru must be the same one.
    • Metadata URL: {issuer}/.well-known/openid-configuration
  4. Configure in Lager Guru

    • Type: OpenID Connect (OIDC)
    • Issuer: Your Okta issuer URL
    • Client ID: Your Okta client ID
    • Client Secret: Your Okta client secret
    • Metadata URL: The OpenID Connect metadata URL
    • Scopes: openid profile email

SAML Configuration

  1. Create Application

    • Go to Okta Admin → Applications → Applications
    • Click "Create App Integration"
    • Sign-in method: SAML 2.0
    • App name: "Lager Guru"
  2. Configure SAML Settings

    • Single sign-on URL: https://your-domain.com/auth/callback/saml?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values
    • Audience URI (SP Entity ID): Your Lager Guru Service Provider Entity ID
    • Name ID format: EmailAddress
    • Application username: Email
    • After saving, open the "Assignments" tab and assign the users or groups that should be able to sign in
  3. Get SAML Metadata

    • Go to "Sign On" tab → "View SAML setup instructions"
    • Copy the "Identity Provider metadata" URL or download the XML
  4. Configure in Lager Guru

    • Type: SAML 2.0
    • Issuer: The "Identity Provider Issuer" from the setup instructions. It has the form http://www.okta.com/{app-id} and is an identifier, not a URL: keep the http:// prefix exactly as Okta shows it.
    • Client ID: Your Lager Guru Service Provider Entity ID (the Audience URI entered in step 2)
    • Metadata URL: Identity Provider metadata URL from Okta

Auth0

OIDC Configuration

  1. Create Application

    • Go to Auth0 Dashboard → Applications → Applications
    • Click "Create Application"
    • Name: "Lager Guru"
    • Type: Regular Web Application
  2. Configure Application

    • Allowed Callback URLs: https://your-domain.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values (Auth0 compares the callback URL exactly, query string included)
    • Allowed Logout URLs: https://your-domain.com/auth/logout
  3. Get Credentials

    • Client ID: Found in the "Settings" tab
    • Client Secret: Found in the "Settings" tab
  4. Get OIDC Endpoints

    • Issuer: https://{your-domain}.auth0.com/ (with the trailing slash: Auth0 puts it in the "iss" claim of every ID token). Tenants in other regions use a regional suffix such as {your-domain}.eu.auth0.com, and a tenant with a custom domain uses that domain instead; in every case take the value from the "issuer" field of the metadata document.
    • Metadata URL: https://{your-domain}.auth0.com/.well-known/openid-configuration
  5. Configure in Lager Guru

    • Type: OpenID Connect (OIDC)
    • Issuer: Your Auth0 issuer URL, including the trailing slash
    • Client ID: Your Auth0 client ID
    • Client Secret: Your Auth0 client secret
    • Metadata URL: The OpenID Connect metadata URL
    • Scopes: openid profile email

Keycloak

OIDC Configuration

  1. Create Client

    • Go to Keycloak Admin Console → Clients → "Create client" (older consoles: "Create")
    • Client ID: "lager-guru"
    • Client type: OpenID Connect (older consoles: Client Protocol "openid-connect")
    • Client authentication: On (older consoles: Access Type "confidential"). This makes Keycloak issue a client secret and reject token requests without it.
  2. Configure Client

    • Valid Redirect URIs: https://your-domain.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}
    • Web Origins: https://your-domain.com
  3. Get Credentials

    • Go to "Credentials" tab
    • Client ID: The client ID you created
    • Client Secret: The secret shown in the "Credentials" tab
  4. Get OIDC Endpoints

    • Issuer: https://{keycloak-server}/realms/{realm-name} (Keycloak versions before 17, and newer ones started with the legacy path option, use https://{keycloak-server}/auth/realms/{realm-name}; the "issuer" field of the metadata document tells you which applies)
    • Metadata URL: https://{keycloak-server}/realms/{realm-name}/.well-known/openid-configuration
  5. Configure in Lager Guru

    • Type: OpenID Connect (OIDC)
    • Issuer: Your Keycloak realm issuer URL
    • Client ID: Your Keycloak client ID
    • Client Secret: Your Keycloak client secret
    • Metadata URL: The OpenID Connect metadata URL
    • Scopes: openid profile email

Generic OIDC Provider

For any OIDC-compliant provider:

  1. Obtain Provider Information

    • Issuer URL: The value of the "issuer" field in your provider's discovery document. This is often, but not always, the provider's base URL (Entra ID appends /v2.0, Keycloak includes the realm path, Auth0 ends with a slash); the "iss" claim of every ID token is compared against it exactly.
    • Client ID: Your application's client identifier
    • Client Secret: Your application's client secret
    • Metadata URL: {issuer}/.well-known/openid-configuration (when the issuer ends with a slash, do not double it)
  2. Configure Redirect URI

    • In your OIDC provider, add redirect URI: https://your-domain.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values. Register the concrete URI, not a pattern: providers compare redirect URIs exactly, and an over-broad registration lets an attacker have authorization codes delivered to a URL they control.
  3. Configure in Lager Guru

    • Type: OpenID Connect (OIDC)
    • Issuer: Your OIDC provider's issuer URL
    • Client ID: Your client ID
    • Client Secret: Your client secret
    • Metadata URL: Your OIDC discovery endpoint
    • Scopes: openid profile email (or as required by your provider)
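
The checks a practitioner should make before saving an OIDC entry, for the generic procedure above and equally for the Entra ID, Okta, Auth0 and Keycloak variants, collected into a script. This is an added example and not part of Lager Guru; it assumes the discovery document has already been fetched (a constructed Entra ID style document is embedded, and the tenant ID, callback host and provider_id/tenant_id values are placeholders).

```python
"""Pre-flight checks for an OIDC provider entry before it is saved in Lager Guru.

Added example, not Lager Guru's own code. It assumes the discovery document has
already been fetched over HTTPS (a constructed Microsoft Entra style sample is
embedded below; the tenant ID and callback host are placeholders).
"""
from urllib.parse import urlsplit

SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
SAMPLE_ISSUER = f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0"
# Constructed subset of what {issuer}/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def metadata_url_for(issuer: str) -> str:
    """OpenID Connect Discovery: metadata lives at issuer + /.well-known/openid-configuration.
    An issuer with a trailing slash (Auth0 style) must not produce a double slash."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_provider(issuer, metadata_url, discovery, registered_redirect_uris, callback_uri, scopes):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []

    # 1. The configured issuer must equal the document's "issuer" byte for byte: that is the
    #    value every ID token's "iss" claim is compared against. A missing /v2.0 or a
    #    trailing-slash difference is the usual cause of "invalid issuer" after login.
    if discovery.get("issuer") != issuer:
        findings.append(f"issuer mismatch: configured {issuer!r}, discovery says {discovery.get('issuer')!r}")
    if metadata_url != metadata_url_for(issuer):
        findings.append(f"metadata URL {metadata_url!r} does not belong to issuer {issuer!r}")

    # 2. Every endpoint the client contacts must be HTTPS; the token endpoint receives the client secret.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = discovery.get(key)
        if not endpoint:
            findings.append(f"discovery document has no {key}")
        elif urlsplit(endpoint).scheme != "https":
            findings.append(f"{key} is not HTTPS: {endpoint}")

    # 3. The authorization code flow and an asymmetric ID token signature must be advertised.
    if "code" not in discovery.get("response_types_supported", []):
        findings.append("provider does not advertise response_type=code")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        findings.append("provider does not advertise RS256 ID token signatures")

    # 4. scopes_supported is optional in the spec; when present, requested scopes should be in it.
    supported = discovery.get("scopes_supported")
    if supported is not None:
        missing = sorted(set(scopes) - set(supported))
        if missing:
            findings.append(f"requested scopes not advertised by provider: {missing}")

    # 5. Providers match redirect URIs exactly, query string included, so the registered value
    #    must be the concrete HTTPS callback, not the template with {placeholders}.
    if "{" in callback_uri or "}" in callback_uri:
        findings.append("callback URI still contains template placeholders")
    if urlsplit(callback_uri).scheme != "https":
        findings.append("callback URI is not HTTPS")
    if callback_uri not in registered_redirect_uris:
        findings.append(f"callback URI {callback_uri!r} is not registered at the provider (exact match required)")
    return findings


if __name__ == "__main__":
    callback = "https://lager.example.com/auth/callback/oidc?provider_id=42&tenant_id=7"  # constructed
    print(check_oidc_provider(SAMPLE_ISSUER, metadata_url_for(SAMPLE_ISSUER), SAMPLE_DISCOVERY,
                              {callback}, callback, ["openid", "profile", "email"]))
    # A common mistake: the v1 metadata URL (no /v2.0) and the template callback registered as-is.
    print(check_oidc_provider(f"https://login.microsoftonline.com/{SAMPLE_TENANT}",
                              f"https://login.microsoftonline.com/{SAMPLE_TENANT}/.well-known/openid-configuration",
                              SAMPLE_DISCOVERY, {callback},
                              "https://lager.example.com/auth/callback/oidc?provider_id={provider_id}&tenant_id={tenant_id}",
                              ["openid", "profile", "email"]))
```

The first call reports nothing; the second reports the issuer mismatch, the leftover placeholders and the unregistered callback. To use it against a real provider, replace SAMPLE_DISCOVERY with the JSON fetched from the metadata URL and registered_redirect_uris with what you entered at the provider.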

Generic SAML Provider

For any SAML 2.0-compliant provider:

  1. Obtain Provider Information

    • Entity ID / Issuer: Your SAML identity provider's entity ID, copied exactly (some providers use an http:// identifier or a trailing slash; both are part of the value)
    • Metadata URL: URL where your SAML provider publishes metadata. It must be HTTPS: the metadata carries the certificate used to verify assertion signatures, so whoever can serve that URL can mint assertions Lager Guru would accept.
  2. Configure Service Provider Settings

    • In your SAML provider, configure:
      • Entity ID: Your Lager Guru Service Provider Entity ID (distinct from the identity provider's entity ID)
      • ACS URL: https://your-domain.com/auth/callback/saml?provider_id={provider_id}&tenant_id={tenant_id}, with the placeholders replaced by the real values
      • Name ID Format: EmailAddress (recommended)
      • Signing: have the provider sign the assertion (or the whole response) with the certificate published in its metadata
  3. Configure in Lager Guru

    • Type: SAML 2.0
    • Issuer: Your SAML provider's entity ID
    • Client ID: Your Lager Guru Service Provider Entity ID
    • Metadata URL: Your SAML provider's metadata URL
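
The same kind of pre-flight check for a SAML entry, covering the generic procedure above as well as the Entra ID and Okta SAML sections: parse the identity provider's metadata and compare it with what will be entered in Lager Guru. This is an added example, not part of Lager Guru; it assumes the metadata XML has already been downloaded over HTTPS (a constructed Entra ID style document with a placeholder tenant ID and a placeholder certificate is embedded) and that Lager Guru's fields map as described above.

```python
"""Offline checks of SAML identity provider metadata against the Lager Guru SP settings.

Added example, not Lager Guru's own code. A constructed Entra ID style metadata
document is embedded; in production parse IdP-supplied XML with defusedxml
rather than the stdlib parser used here for the embedded sample.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
# Constructed placeholder: a DER SEQUENCE header followed by filler, not a real certificate.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x01\x00" + b"constructed placeholder certificate body").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>
        {SAMPLE_CERT}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>{EMAIL_FORMAT}</NameIDFormat>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}" Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the fields Lager Guru needs from an IdP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        # An EntitiesDescriptor wrapper: take the first entity it contains.
        root = root.find("md:EntityDescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" attribute means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop the line breaks Entra ID/Okta emit
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "want_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


def check_saml_provider(meta: dict, configured_issuer: str, sp_entity_id: str, acs_url: str) -> list:
    """Return a list of findings; an empty list means the entry is consistent with the metadata."""
    findings = []
    # The Issuer field is compared with the <Issuer> of every assertion, so it must equal entityID exactly.
    if meta["entity_id"] != configured_issuer:
        findings.append(f"issuer mismatch: configured {configured_issuer!r}, metadata entityID {meta['entity_id']!r}")
    if sp_entity_id == meta["entity_id"]:
        findings.append("SP entity ID equals the IdP entity ID; the two must differ")
    # Without a signing certificate no assertion signature can be verified at all.
    if not meta["signing_certs"]:
        findings.append("no signing certificate in metadata")
    for cert in meta["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except ValueError:
            findings.append("signing certificate is not valid base64 (PEM headers pasted in?)")
            continue
        if not der.startswith(b"\x30"):
            findings.append("signing certificate is not DER (does not start with a SEQUENCE)")
    if not (meta["sso"].get(REDIRECT) or meta["sso"].get(POST)):
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in meta["sso"].items():
        if urlsplit(location).scheme != "https":
            findings.append(f"SSO endpoint for {binding} is not HTTPS: {location}")
    if EMAIL_FORMAT not in meta["name_id_formats"]:
        findings.append("IdP does not advertise the emailAddress NameID format")
    if "{" in acs_url or urlsplit(acs_url).scheme != "https":
        findings.append("ACS URL must be the concrete HTTPS callback, not the template")
    if meta["want_signed_requests"]:
        findings.append("IdP requires signed AuthnRequests; the SP side must sign its requests")
    return findings


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(check_saml_provider(meta, meta["entity_id"], "https://lager.example.com/saml/metadata",
                              "https://lager.example.com/auth/callback/saml?provider_id=42&tenant_id=7"))
```

The usage call reports nothing for the consistent configuration; dropping the trailing slash from the Issuer, reusing the IdP entity ID as the SP entity ID, or leaving the {provider_id} placeholder in the ACS URL each produce a finding. The parser does not validate the metadata's own XML signature or the certificate's validity period; a production import should do both.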

Testing

After configuration:

  1. Go to the login page
  2. Click "Mit Unternehmens-SSO anmelden" ("Sign in with company SSO")
  3. You should be redirected to your SSO provider. An error shown by the provider before its login form appears usually means the redirect URI, ACS URL or client ID registered there does not match what Lager Guru sends.
  4. After authentication, you should be redirected back and signed in. If the provider accepts the login but Lager Guru rejects the response, check that the Issuer entered in Lager Guru matches the token's "iss" claim or the assertion's Issuer exactly, that the client secret is current, and that the clocks of both systems agree to within a few minutes.

Support

For provider-specific issues, consult your identity provider's documentation or contact support.

Released under Commercial License