
Set up identity delegation

Identity delegation lets a customer's users authenticate through their own identity provider using OpenID Connect (OIDC). The setup is done once per organization.

warning

This step usually requires a short meeting between our technical team and the customer's technical team.

How it works

When we add a new identity provider, we proceed as follows:

  • SSO: We register a new identity provider in our SSO for the customer organization that wants to use its own identity management system (we call the customer an organization; in the examples below it is named orga).
  • Customer identity system: The customer creates a new OIDC client (usually named stonal) on their identity system.

Information exchange

Customer provides

  • discovery endpoint: The identity provider's standard OIDC discovery endpoint (the /.well-known/openid-configuration document), from which we read the issuer, authorization, token and JWKS endpoints
  • client_id: The client ID of the client created on the customer identity system for our SSO
  • client_secret: The client secret of that same client; treat it as a credential and share it only over a secure channel
info

We require only one claim to be present in the identity provider's token response: the email claim in the ID token payload. It is used to identify the user on our side.

We provide

  • redirect_uri: The redirect URI that the customer must register on the client created on their identity system. After authentication, the identity provider redirects the user back to our SSO at this URI.
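The following example shows what is done with the values exchanged above once the provider is registered: the discovery document gives the endpoints, client_id and redirect_uri go into the authorization request, and the email claim is pulled from the returned ID token after its issuer, audience, expiry and nonce have been checked. This is an added illustration written for this page, not the actual code of our SSO, and every endpoint, name and token below is constructed (the discovery document is a hypothetical example of what the customer's discovery endpoint would return; the ID token is assumed to have had its signature verified against the provider's JWKS before its claims are checked).

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed sample of what the customer's OIDC discovery endpoint
# (/.well-known/openid-configuration) would return. Hypothetical hosts.
DISCOVERY_DOC = {
    "issuer": "https://idp.orga.example",
    "authorization_endpoint": "https://idp.orga.example/oauth2/authorize",
    "token_endpoint": "https://idp.orga.example/oauth2/token",
    "jwks_uri": "https://idp.orga.example/oauth2/keys",
}

# Values exchanged during setup (hypothetical). The client_secret is used
# only at the token endpoint and is deliberately not needed here.
CLIENT_ID = "stonal"
REDIRECT_URI = "https://sso.example/callback/orga"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used for state, nonce and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authorization_request(discovery, client_id, redirect_uri):
    """Build the authorization-code request sent to the customer's IdP.

    Returns (url, params, session): the URL to redirect the user to, the
    query parameters it carries, and the per-request secrets (state, nonce,
    PKCE verifier) that must be kept in the user's session to validate the
    callback and the token exchange.
    """
    state = _b64url(secrets.token_bytes(32))
    nonce = _b64url(secrets.token_bytes(32))
    code_verifier = _b64url(secrets.token_bytes(32))
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",  # 'email' scope asks for the email claim
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    url = discovery["authorization_endpoint"] + "?" + urlencode(params)
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return url, params, session


def extract_verified_email(claims, discovery, client_id, expected_nonce, now=None):
    """Check the claims of a signature-verified ID token and return its email.

    Raises ValueError when the token was not issued by the registered provider,
    is not for our client, has expired, does not match the login attempt, or
    lacks the one claim we require.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("issuer does not match the registered discovery document")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token was not issued for our client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not our client_id")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce does not match this login attempt")
    email = claims.get("email")
    if not email:
        raise ValueError("required 'email' claim is missing from the ID token")
    return email


if __name__ == "__main__":
    url, params, session = build_authorization_request(DISCOVERY_DOC, CLIENT_ID, REDIRECT_URI)
    print("redirect user to:", url)
    # Constructed ID token payload, as if returned by the token endpoint.
    sample_claims = {
        "iss": DISCOVERY_DOC["issuer"],
        "aud": CLIENT_ID,
        "exp": int(time.time()) + 300,
        "nonce": session["nonce"],
        "email": "alice@orga.example",
    }
    print("authenticated:", extract_verified_email(sample_claims, DISCOVERY_DOC, CLIENT_ID, session["nonce"]))
```

The nonce and state are generated per login and stored server-side, so a token replayed from another attempt is rejected even if its signature is valid; the issuer check ties the token to the discovery endpoint the customer provided during setup.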

End result

At the end of the setup, we provide the customer with a final login link to use when they want their users to authenticate through their own SSO.

info

Customers typically embed this link into their own portal.


For the end-user login flow, see Authenticating users.