Dev Portal SSO

Uses: Dev Portal

Behavior and recommendations

When configuring SSO for Dev Portal, keep the following guidelines in mind:

Developers are auto-approved by Konnect when using SSO to log in to the Dev Portal.
- Kong outsources the approval process to the IdP, so access restrictions must be configured in the IdP.
If you are using team mappings from an IdP, they must come from the same IdP as your Dev Portal SSO.
To automatically initiate the login flow when linking developers to the Dev Portal, use the SSO URL: https://$YOUR_DOMAIN.com/login/sso
Each Dev Portal has its own SSO configuration.
- You can use the same IdP across multiple Dev Portals or configure different IdPs per portal.
Dev Portal SSO is distinct from Konnect Org-level SSO.
You can combine built-in authentication with either OIDC or SAML (not both).
- Keep built-in authentication enabled while testing your IdP integration.
- Disable built-in authentication only after successfully validating the SSO login flow.

Combining OIDC and SAML is not supported. Use only one protocol alongside built-in auth if needed.

To ensure the preview experience in the Konnect Dev Portal Editor works correctly, configure your IdP with the following:

Set the Sign On URL (SSO URL) to the login path of your Dev Portal’s domain: https://$YOUR_DOMAIN.com/login/sso
For SAML:
- Set the primary Reply URL (Assertion Consumer Service URL) to: https://$YOUR_DOMAIN.com/api/v2/developer/authenticate/saml/acs
- Add an additional Reply URL to support preview mode: https://$YOUR_SUBDOMAIN.portal-preview.$GEO.api.konghq.com/api/v2/developer/authenticate/saml/acs
Allow iframe embedding of the IdP’s sign-in screen:
- For example, Okta requires Trusted Origins. Add https://cloud.konghq.com as a Trusted Origin to allow login in the preview.

The following is an example Dev Portal SSO configuration. For the example, we will use the following values:

If you’re using OIDC for SSO, you’d configure your settings like the following:

Single Sign On URL (SSO URL): Also sometimes referred to as Initiate login URI, use to automatically initiate the SSO login flow.
- If you’re using a custom domain: https://www.example.com/login/sso
- If you aren’t using a custom domain: https://abc123456789.us.kongportals.com/login/sso
Sign-in redirect URIs:
- https://www.example.com/login
- https://abc123456789.us.kongportals.com/login
- https://abc123456789.portal-preview.us.api.konghq.com/login
Sign-out redirect URIs:
- https://www.example.com/login
- https://abc123456789.us.kongportals.com/login
- https://abc123456789.portal-preview.us.api.konghq.com/login

If you’re using SAML for SSO, you’d configure your settings like the following:

Single Sign On URL (SSO URL): Also sometimes referred to as Initiate login URI, used to automatically initiate the SSO login flow.
- If you’re using a custom domain: https://www.example.com/api/v2/developer/authenticate/saml/acs
- If you aren’t using a custom domain: https://abc123456789.us.kongportals.com/api/v2/developer/authenticate/saml/acs
- To automatically initiate the login flow when linking developers to the Dev Portal, use the dedicated path:
  - If you’re using a custom domain: https://www.example.com/login/sso
  - If you aren’t using a custom domain: https://abc123456789.us.kongportals.com/login/sso
Other Requestable SSO URLs (typically found in Advanced settings) for the Konnect Portal Editor:
- https://abc123456789.portal-preview.us.api.konghq.com/api/v2/developer/authenticate/saml/acs