Generic OIDC Setup

Configure single sign-on with any OpenID Connect provider

This guide covers configuring SSO with any OpenID Connect (OIDC) compatible identity provider. Use this for Okta, Auth0, Google Workspace, Ping Identity, or any other OIDC provider.

Prerequisites

Before you begin, ensure you have:

  • Admin access to your identity provider
  • Organization owner or admin role in Securtea
  • Your organization's email domain (e.g., yourcompany.com)

Step 1: Create Application in Your IdP

In your identity provider's admin console, create a new application:

Application Settings

Setting            Value
-----------------  ---------------------------------
Application type   Web Application
Name               Securtea (or your preferred name)
Sign-in method     OpenID Connect

Redirect URI

Add the following redirect URI to your application:

https://app.securtea.io/api/auth/sso/callback/oidc-{your-org-slug}

Replace {your-org-slug} with your Securtea organization's slug.

Example: If your org slug is acme-corp:

https://app.securtea.io/api/auth/sso/callback/oidc-acme-corp

Grant Types

Enable the following OAuth grant types:

  • Authorization Code - Required
  • Refresh Token - Optional but recommended

Scopes

Request the following OIDC scopes:

  • openid - Required for OIDC
  • email - Required for user identification
  • profile - Required for user name/attributes

Step 2: Gather IdP Configuration

After creating the application, collect these values from your IdP:

Value           Where to Find                               Example
--------------  ------------------------------------------  ----------------------------
Issuer URL      Provider settings or well-known endpoint    https://your-domain.okta.com
Client ID       Application settings                        0oa1bcde2fghi3jkl4m5
Client Secret   Application credentials                     AbCdEf123456...

Finding the Issuer URL

The issuer URL is your IdP's base URL for OIDC. Common formats:

Provider        Issuer URL Format
--------------  ---------------------------------------------
Okta            https://your-domain.okta.com
Auth0           https://your-tenant.auth0.com/
Google          https://accounts.google.com
Ping Identity   https://auth.pingone.com/{environmentId}/as
Keycloak        https://your-server/realms/{realm}

You can verify an issuer URL by fetching its discovery document:

{issuer}/.well-known/openid-configuration
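
The following is an added example, not Securtea's code: it builds the discovery URL and validates a discovery document offline against what this guide needs (exact issuer match including any trailing slash, HTTPS endpoints, the authorization code flow, the openid/email/profile scopes, and RS256 signing). The tenant name and the sample document are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what an IdP serves at {issuer}/.well-known/openid-configuration
# (placeholder tenant; the trailing slash in "issuer" follows the Auth0 format above).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://your-tenant.auth0.com/",
    "authorization_endpoint": "https://your-tenant.auth0.com/authorize",
    "token_endpoint": "https://your-tenant.auth0.com/oauth/token",
    "jwks_uri": "https://your-tenant.auth0.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}


def discovery_url(issuer: str) -> str:
    """Build the discovery URL without doubling the slash for issuers like Auth0's."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(configured_issuer: str, body: str) -> list:
    """Validate a fetched discovery document; returns a list of problems (empty = OK)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["response is not JSON (wrong URL, or a proxy/login page answered)"]
    problems = []
    # The document's issuer must equal the configured value exactly: a missing or
    # extra trailing slash here is a classic cause of "Discovery Failed".
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"document says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if urlparse(doc.get(key) or "").scheme != "https":
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not offered")
    advertised = doc.get("scopes_supported")
    if advertised is not None and not REQUIRED_SCOPES <= set(advertised):
        problems.append(f"scopes not advertised: {sorted(REQUIRED_SCOPES - set(advertised))}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not supported")
    return problems


if __name__ == "__main__":
    for issuer in ("https://your-tenant.auth0.com/", "https://your-tenant.auth0.com"):
        print(issuer, "->", check_discovery(issuer, SAMPLE_DISCOVERY) or "OK")
```

To run it against a live IdP, fetch discovery_url(issuer) with curl or urllib and pass the response body to check_discovery.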

Step 3: Configure SSO in Securtea

  1. Sign in to your Securtea dashboard
  2. Go to Settings > Organization > SSO Authentication
  3. Select the OIDC tab

Enter Configuration

Complete the form with the values from Step 2:

Email Domain

Enter your organization's email domain (e.g., yourcompany.com).

Users with this email domain will be redirected to your IdP for authentication.

Issuer URL

Enter the issuer URL from your identity provider.

Examples:

  • Okta: https://acme-corp.okta.com
  • Auth0: https://acme-corp.auth0.com/

Client ID

Paste the client ID from your IdP application settings.

Client Secret

Paste the client secret from your IdP application credentials.

Save Configuration

Click Configure OIDC to save your settings.

Step 4: Test the Connection

After saving:

  1. Locate the Test Connection section
  2. Click Test
  3. Securtea will verify:
    • The issuer URL is reachable
    • OIDC discovery succeeds
    • Credentials are valid

Review the results:

  • Success - Your configuration is working
  • Failed - Check the error message and review your settings

Provider-Specific Notes

Okta

Application Type: Select "Web Application" when creating the app.

Issuer URL: Use your Okta domain without any path:

https://your-domain.okta.com

Scopes: Okta includes standard OIDC scopes by default.

Auth0

Application Type: Select "Regular Web Application".

Issuer URL: Include the trailing slash:

https://your-tenant.auth0.com/

Connections: Ensure your Auth0 application is connected to your user directory.

Google Workspace

Project Setup: Create a project in Google Cloud Console.

OAuth Consent Screen: Configure the consent screen before creating credentials.

Issuer URL: Always use:

https://accounts.google.com

Scopes: Add openid, email, and profile to your OAuth consent screen.

Ping Identity / PingOne

Application Type: OIDC Web App

Issuer URL: Format includes environment ID:

https://auth.pingone.com/{environmentId}/as

Keycloak

Client Type: OpenID Connect

Issuer URL: Includes realm:

https://your-keycloak-server/realms/{realm-name}

Attribute Mapping

OIDC providers send user attributes in the ID token. Securtea uses these standard claims:

Claim           Purpose                     Required
--------------  --------------------------  -----------
sub             Unique user identifier      Yes
email           User's email address        Yes
email_verified  Whether email is verified   Recommended
name            User's full name            Optional
given_name      First name                  Optional
family_name     Last name                   Optional

Most providers include these claims by default. If not, configure your IdP to include them.
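
As an added example (not Securtea's code), this checks an ID token's claims the way a relying party consuming the table above would: the standard iss/aud/exp checks with a small clock-skew allowance, the required sub and email claims, the configured email domain, email_verified, and the optional name claims. It assumes the token's signature has already been verified against the IdP's jwks_uri; the issuer, client ID, domain and sample claims are placeholders.

```python
import time
from typing import Optional

# Placeholder tenant values; the real ones come from Step 2 and Step 3.
ISSUER = "https://acme-corp.okta.com"
CLIENT_ID = "0oa1bcde2fghi3jkl4m5"
EMAIL_DOMAIN = "acme-corp.example"
CLOCK_SKEW_SECONDS = 60  # tolerance for IdP vs relying-party clock drift


def validate_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Check an already signature-verified ID token's claims and return the
    attributes used for the user record. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    # Standard OIDC checks: right issuer, addressed to this client, still valid.
    if claims.get("iss") != ISSUER:
        raise ValueError(f"iss {claims.get('iss')!r} does not match the configured issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain our client ID")
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS < now:
        raise ValueError("token expired (check clock sync between the IdP and your systems)")
    if claims.get("iat", now) - CLOCK_SKEW_SECONDS > now:
        raise ValueError("token issued in the future (check clock sync)")
    # Required claims from the table; a missing one usually means a missing scope.
    for claim in ("sub", "email"):
        if not claims.get(claim):
            raise ValueError(f"required claim {claim!r} missing; check the {claim} scope in the IdP")
    email = claims["email"].strip().lower()
    if email.rsplit("@", 1)[-1] != EMAIL_DOMAIN:
        raise ValueError(f"{email} is outside the SSO email domain {EMAIL_DOMAIN}")
    # Recommended: only trust an address the IdP says it has verified.
    if claims.get("email_verified") is not True:
        raise ValueError("email_verified is not true; enable it in the IdP")
    # Optional name claims: prefer name, else assemble given_name and family_name.
    name = claims.get("name") or " ".join(
        part for part in (claims.get("given_name"), claims.get("family_name")) if part)
    return {"sub": claims["sub"], "email": email, "name": name or None}


# Constructed sample ID token payload (claims only, not a real signed token).
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "00u1abc",
    "iat": 1_700_000_000, "exp": 1_700_003_600,
    "email": "Jane.Doe@acme-corp.example", "email_verified": True,
    "given_name": "Jane", "family_name": "Doe",
}
```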

User Experience

First-Time SSO Login

  1. User enters their email on Securtea login
  2. Securtea detects the domain matches SSO configuration
  3. User is redirected to your IdP
  4. User authenticates with corporate credentials
  5. IdP redirects back to Securtea with tokens
  6. Securtea creates the user account (if new)
  7. User is signed in and sees the dashboard

Returning Users

  • Automatic redirect to IdP on email entry
  • If IdP session exists, instant sign-in
  • No password entry in Securtea

Troubleshooting

"Invalid Client" Error

Cause: Client ID or secret is wrong.

Fix:

  1. Verify client ID in IdP matches Securtea
  2. Generate a new client secret
  3. Check for extra whitespace when copying

"Redirect URI Mismatch"

Cause: Callback URL doesn't match IdP configuration.

Fix:

  1. Copy exact callback URL from Securtea
  2. Update the redirect URI in your IdP
  3. Include the full URL with protocol (https)

"Discovery Failed"

Cause: Issuer URL is incorrect or unreachable.

Fix:

  1. Verify the issuer URL format for your provider
  2. Test the discovery endpoint manually:
     curl {issuer}/.well-known/openid-configuration
  3. Check for firewall blocks or network issues

"Invalid Token"

Cause: Token validation failed.

Fix:

  1. Ensure clock sync between your IdP and systems
  2. Check that token signing algorithms are supported
  3. Verify the correct scopes are configured

Users Can't Sign In

Cause: Domain mismatch or user not in IdP.

Fix:

  1. Verify email domain matches SSO configuration exactly
  2. Ensure user exists in your identity provider
  3. Check IdP application user assignments

Removing OIDC Configuration

To remove SSO and revert to standard authentication:

  1. Go to Settings > Organization > SSO Authentication
  2. Click Remove Configuration
  3. Confirm the removal