Configure Generic SSO in Konnect
As an alternative to Kong Konnect’s native authentication, you can set up single sign-on (SSO) access to Konnect using OpenID Connect or SAML. This authentication method allows your users to log in to Kong Konnect using their IdP credentials, without needing a separate login. This topic covers configuring SSO for use with various identity providers.
Prerequisites
Add Konnect to your IdP and set up claims
- Konnect must be added to your IdP as an application
- Claims are set up in your IdP
Reference
Provider-specific SAML configuration
The following section contains provider-specific information and the attribute mapping tables needed to configure SSO.
Advanced OIDC settings
You can configure custom IdP-specific behaviors in the Advanced Settings of the OIDC configuration form. The following options are available:
- Scopes: Specify the list of scopes Konnect requests from the IdP. By default, Konnect requests the `openid`, `email`, and `profile` scopes. The `openid` scope is required and cannot be removed.
- Claim Mappings: Customize the mapping of required attributes to a different claim in the `id_token` Konnect receives from the IdP. By default, Konnect requires three attributes: Name, Email, and Groups. The values in these attributes are mapped as follows:
  - `name`: Used as the Konnect account's `full_name`.
  - `email`: Used as the Konnect account's `email`.
  - `groups`: Used to map users to teams defined in the team mappings upon login.
Authentication issues with large numbers of groups
If users are assigned a very large number of groups (over 150 in most cases), the IdP may send the groups claim in a non-standard manner, which causes authentication failures.
To work around this limitation, use the group filtering features your IdP provides so that only the groups relevant to Konnect are emitted for the application. Quick reference guides for common IdPs:
You may need to contact your identity provider's support team to learn how to filter the groups emitted for the application.
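The claim mapping and group handling described under Advanced OIDC settings and in the note on large group sets, as an added Python example (not Kong's code and not a description of Konnect internals): it verifies a constructed HS256 `id_token`, applies the default or a custom claim mapping for `name`, `email` and `groups`, resolves Konnect team membership from the groups, and rejects a token whose mapped groups claim is missing or is not a JSON array, which is how an oversized group set typically surfaces. The shared secret, the issuer `https://idp.example.com`, the audience `konnect`, the custom claim name `https://example.com/groups`, and the team names are assumptions; real IdPs sign tokens with asymmetric keys published in their JWKS.

```python
import base64
import hashlib
import hmac
import json

# Defaults described in the Konnect Advanced Settings; openid is mandatory.
DEFAULT_SCOPES = ("openid", "email", "profile")
# Required Konnect attribute -> claim name in the id_token (default mapping).
DEFAULT_CLAIM_MAPPINGS = {"name": "name", "email": "email", "groups": "groups"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 id_token. Constructed for this example only: real IdPs
    sign with an asymmetric key (RS256/ES256), not a shared secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, audience: str) -> dict:
    """Check algorithm, signature, iss and aud before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or a switch
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        raise ValueError("iss/aud mismatch")
    return payload


def validate_scopes(scopes):
    """The openid scope is required and cannot be removed."""
    if "openid" not in scopes:
        raise ValueError("openid scope is required")
    return list(scopes)


def map_claims(payload: dict, claim_mappings=None):
    """Apply attribute -> claim mappings and return (account, groups).

    A missing mapped claim or a groups claim that is not a JSON array is
    rejected; an IdP that emits an oversized group set in a non-standard
    form typically fails here rather than silently granting no teams."""
    mappings = {**DEFAULT_CLAIM_MAPPINGS, **(claim_mappings or {})}
    missing = [attr for attr, claim in mappings.items() if claim not in payload]
    if missing:
        raise KeyError(f"id_token lacks mapped claim(s) for: {missing}")
    groups = payload[mappings["groups"]]
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a JSON array")
    account = {"full_name": payload[mappings["name"]], "email": payload[mappings["email"]]}
    return account, groups


def resolve_teams(groups, team_mappings):
    """team_mappings: Konnect team name -> IdP groups that grant membership."""
    idp_groups = set(groups)
    return sorted(team for team, grants in team_mappings.items() if idp_groups & set(grants))


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # HS256 demo secret, assumption
    # Constructed payload: this IdP emits groups under a custom claim name.
    payload = {
        "iss": "https://idp.example.com", "aud": "konnect",
        "name": "Ada Lovelace", "email": "ada@example.com",
        "https://example.com/groups": ["platform-admins", "api-readers"],
    }
    claims = verify_id_token(make_id_token(payload, secret), secret,
                             "https://idp.example.com", "konnect")
    account, groups = map_claims(claims, {"groups": "https://example.com/groups"})
    print(account, resolve_teams(groups, {"Admins": ["platform-admins"], "Viewers": ["api-readers"]}))
```

The custom mapping `{"groups": "https://example.com/groups"}` plays the role of the Claim Mappings setting: without it the default `groups` claim is looked up, is absent from this token, and the login is rejected rather than mapped to zero teams.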