The generic OpenID Connect (OIDC) identity provider lets Pangolin authenticate users against any external identity provider that implements the OpenID Connect protocol, such as Authentik, Keycloak, or Okta.

What it supports

Any external identity provider that follows the OpenID Connect standard.

Common providers

Authentik, Keycloak, Okta, and other OIDC-compliant identity providers.

Configuration

You will need to configure the following common settings:

Client ID (string, required): The client identifier issued by your identity provider when you registered Pangolin as an OIDC client.

Client Secret (string, required): The client secret issued by your identity provider. Pangolin presents it, together with the Client ID, to authenticate to the token endpoint, so treat it like a password.

Authorization URL (string, required): The authorization endpoint URL of your identity provider. Users are redirected here to sign in.

Token URL (string, required): The token endpoint URL of your identity provider, where the authorization code is exchanged for tokens. Both URLs must use https; OpenID Connect requires TLS for these endpoints.

Token Configuration

Pangolin uses JMESPath expressions to select attributes from the claims in the token returned by the identity provider; see JMESPath for details on the expression language. These paths determine how user information from the identity provider is mapped to the user record in Pangolin.

Identifier Path (string, required): Path to a claim that is unique and stable for each user within this identity provider. Prefer sub, which OpenID Connect defines as locally unique and never reassigned within the issuer; an email address can change or be reassigned to another person, so it is a poor identifier. Example: sub or user_id

Email Path (string): Path to the user's email address in the claims token. Example: email

Name Path (string): Path to the user's display name in the claims token. Example: name or preferred_username

Scopes (string): The scopes to request from the identity provider. This is a plain space-delimited string, not a JMESPath expression. Default: openid profile email. The default is sufficient for most use cases; the openid scope is required for the request to be an OpenID Connect request at all.
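The following is an added example, not Pangolin's own code, showing how the settings on this page fit together: it checks the endpoint URLs and scopes, builds the authorization request that the Client ID, Scopes and Authorization URL feed, and applies the three JMESPath claim paths to a constructed ID token payload. The function names, the callback URL, the sample claims and the unsigned token are assumptions made for illustration. It uses the jmespath package when it is installed and otherwise a small built-in subset that covers dotted paths and `||` fallbacks, which is all the examples on this page need.

```python
"""Added example, not Pangolin's own code: how the generic OIDC settings on this page
fit together. Field names follow the page; function names, the callback URL, the
sample claims and the ID token below are constructed for illustration."""
import base64
import json
import urllib.parse

try:
    import jmespath  # the real JMESPath library, used when installed
except ImportError:
    jmespath = None  # fall back to the small subset implemented in _search()

# Constructed settings mirroring the Configuration and Token Configuration fields.
CONFIG = {
    "client_id": "pangolin",
    "client_secret": "replace-with-the-secret-issued-by-your-idp",
    "authorization_url": "https://idp.example.com/application/o/authorize/",
    "token_url": "https://idp.example.com/application/o/token/",
    "identifier_path": "sub",
    "email_path": "email",
    "name_path": "name || preferred_username",  # JMESPath: first non-empty claim wins
    "scopes": "openid profile email",           # plain space-delimited string
}


def validate_config(cfg):
    """Return a list of problems with the settings (an empty list means OK)."""
    problems = []
    for key in ("authorization_url", "token_url"):
        if not cfg.get(key, "").startswith("https://"):
            problems.append(f"{key} must be an https URL (OIDC endpoints require TLS)")
    for key in ("client_id", "client_secret", "identifier_path"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    scopes = cfg.get("scopes", "").split()
    if "openid" not in scopes:
        problems.append("scopes must include openid for an OpenID Connect request")
    if any("," in s for s in scopes):
        problems.append("scopes must be space-delimited, not comma-separated")
    return problems


def authorization_params(cfg, redirect_uri, state, nonce):
    """Query parameters for the authorization-code request sent to Authorization URL.
    state ties the callback to this browser session; nonce is echoed in the ID token."""
    return {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": cfg["scopes"],
        "state": state,
        "nonce": nonce,
    }


def build_authorization_url(cfg, redirect_uri, state, nonce):
    params = authorization_params(cfg, redirect_uri, state, nonce)
    return cfg["authorization_url"] + "?" + urllib.parse.urlencode(params)


def _search(expr, data):
    """Evaluate a JMESPath expression against the claims. With the jmespath package
    installed the full language is available; the fallback handles only dotted paths
    joined by '||', which covers the examples on this page."""
    if jmespath is not None:
        return jmespath.search(expr, data)
    for alternative in expr.split("||"):
        value = data
        for key in alternative.strip().split("."):
            value = value.get(key) if isinstance(value, dict) else None
        if value not in (None, ""):
            return value
    return None


def decode_id_token_payload(id_token):
    """Decode the claims segment of a JWT. This does NOT verify it: a real client must
    check the signature against the IdP's keys, plus iss, aud, exp and nonce, first."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def map_claims(cfg, claims):
    """Apply the three claim paths. The identifier is mandatory; email and name are
    optional and come back as None when their path matches nothing."""
    identifier = _search(cfg["identifier_path"], claims)
    if identifier in (None, ""):
        raise ValueError(f"identifier path {cfg['identifier_path']!r} matched no claim")
    email = _search(cfg["email_path"], claims) if cfg.get("email_path") else None
    name = _search(cfg["name_path"], claims) if cfg.get("name_path") else None
    return {"identifier": str(identifier), "email": email, "name": name}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned ID token with an empty "name" claim to exercise the fallback.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://idp.example.com", "aud": "pangolin", "nonce": "n-1",
             "sub": "2a7d3f0e", "email": "alice@example.com",
             "name": "", "preferred_username": "alice"}),
    "signature-omitted",
])

if __name__ == "__main__":
    print(validate_config(CONFIG))
    print(build_authorization_url(CONFIG, "https://pangolin.example.com/callback", "s-1", "n-1"))
    print(map_claims(CONFIG, decode_id_token_payload(SAMPLE_ID_TOKEN)))
```

The `name || preferred_username` path is the practical reason to use JMESPath here: providers differ in which claims they populate (Keycloak often sends only `preferred_username` unless profile mapping is configured), and the fallback lets one setting cover both. Keeping `sub` as the identifier means a changed email or display name updates the existing Pangolin user instead of creating a second one.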