The following steps will integrate Zitadel with Pangolin SSO using OpenID Connect (OIDC).

Prerequisites

These instructions assume you have a working Zitadel organization and project setup already.

Creating an Application in Zitadel

You need to configure an application in Zitadel:
1

Create New Application

Open an existing project and in Applications click New.
2

Configure Application

Set the name to something memorable (eg. Pangolin).
3

Set Application Type

For Type of application choose Web.
4

Set Authentication Method

For Authentication Method choose Code.
5

Leave Redirect URIs Blank

Leave Redirect URIs blank for now. We’ll come back to this once the IdP is created.
When you click create, you’ll be shown the ClientSecret and ClientId. Make sure to save these somewhere secure - you won’t be able to see the Client Secret again.
1

Configure Token Settings

Click Token settings then change Auth Token Type to JWT and check the User Info inside ID Token box finally hit Save.
2

Note Endpoints

Open URLs and make note of:
  • Authorization Endpoint
  • Token Endpoint

Configuring Identity Providers in Pangolin

In Pangolin, go to “Identity Providers” and click “Add Indentity Provider”. Select the OAuth2/OIDC provider option. “Name” should be set to something memorable (eg. Zitadel). The “Provider Type” should be set to the default OAuth2/OIDC.

OAuth2/OIDC Configuration (Provider Credentials and Endpoints)

In the OAuth2/OIDC Configuration, you’ll need the following fields:
Client ID
string
required
The Client ID from your Zitadel application.
Client Secret
string
required
The Client Secret from your Zitadel application.
Authorization URL
string
required
Use the Authorization Endpoint from your Zitadel application.
Token URL
string
required
Use the Token Endpoint from your Zitadel application.

Token Configuration

You should leave all of the paths default. In the “Scopes” field, add openid profile email.
Set the “Identifier Path” to preferred_username for Zitadel integration.
When you’re done, click “Create Identity Provider”! Then, copy the Redirect URL in the “General” tab as you will now need this for your Zitadel application.

Returning to Zitadel

Lastly, you need to edit your Redirect Settings in your Zitadel application. Add the URL you copied to the Redirect URIs, then hit the + button and finally Save. Your configuration should now be complete. You’ll now need to add an external user] to Pangolin, or if you have “Auto Provision Users” enabled, you can now log in using Zitadel SSO.