OIDC Integration
VSAY Terminal supports OpenID Connect (OIDC) for Single Sign-On (SSO), allowing your team to authenticate using your organization's identity provider.
Overview
OIDC integration provides:
- Single Sign-On: Users authenticate with your existing identity provider
- Centralized User Management: Manage users in one place
- Enhanced Security: Leverage your IdP's security features (MFA, conditional access)
- Automatic Provisioning: Users are automatically created on first login
Supported Identity Providers
VSAY Terminal works with any OIDC-compliant identity provider:
| Provider | Status |
|---|---|
| Okta | Fully Supported |
| Azure AD / Entra ID | Fully Supported |
| Google Workspace | Fully Supported |
| Auth0 | Fully Supported |
| Keycloak | Fully Supported |
| OneLogin | Fully Supported |
| PingIdentity | Fully Supported |
| Custom OIDC | Supported (any compliant provider) |
Setting Up OIDC
Prerequisites
Before configuring OIDC, you'll need:
- Admin access to your identity provider
- Admin access to your VSAY Terminal organization
- Your VSAY Terminal callback URL:
https://your-domain.vsayterminal.com/auth/callback
Step 1: Create an Application in Your IdP
Okta
- Log into your Okta admin console
- Go to Applications → Create App Integration
- Select OIDC - OpenID Connect
- Select Web Application
- Configure:
- Name: VSAY Terminal
- Sign-in redirect URI: https://your-domain.vsayterminal.com/auth/callback
- Sign-out redirect URI: https://your-domain.vsayterminal.com
- Save and note the Client ID and Client Secret
Azure AD / Entra ID
- Go to Azure Portal → Microsoft Entra ID (formerly Azure Active Directory)
- Navigate to App registrations → New registration
- Configure:
- Name: VSAY Terminal
- Redirect URI: Web - https://your-domain.vsayterminal.com/auth/callback
- After creation, go to Certificates & secrets
- Create a new Client secret and record its expiry date: Entra ID client secrets expire, and SSO stops working when this one does, so schedule a rotation before that date
- Note the Application (client) ID and the Client secret value (the value is shown only once, at creation)
Google Workspace
- Go to Google Cloud Console
- Create a new project or select existing
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Configure:
- Application type: Web application
- Authorized redirect URIs:
https://your-domain.vsayterminal.com/auth/callback
- Note the Client ID and Client Secret
Step 2: Configure VSAY Terminal
- Go to Organization Settings → Authentication
- Click "Configure OIDC"
- Enter your IdP details:
Provider Name: Your Identity Provider
Client ID: [from Step 1]
Client Secret: [from Step 1]
Issuer URL: https://your-idp.com (e.g., https://your-org.okta.com; for an Okta custom authorization server https://your-org.okta.com/oauth2/default, for Entra ID https://login.microsoftonline.com/<tenant-id>/v2.0, for Google https://accounts.google.com). The value must match the iss claim in the tokens your IdP issues exactly, including scheme and any path and without a trailing slash; the provider publishes its metadata, including the canonical issuer value, at <issuer>/.well-known/openid-configuration.
- Configure claim mappings (usually auto-detected):
| VSAY Field | OIDC Claim |
|---|---|
| Email | email |
| Name | name or preferred_username |
| Groups | groups (optional) |
- Click "Test Connection" to verify
- Save the configuration
Step 3: Enable SSO
- Still in Authentication settings
- Toggle "Enable OIDC Login"
- Choose login behavior:
- SSO Only: Users can only log in via OIDC
- SSO + Password: Users can choose either method
- Save changes
Before enabling "SSO Only", confirm that every user can sign in through your IdP, and keep at least one Organization Admin able to log in with a password as a break-glass account so that an IdP outage or misconfiguration cannot lock the whole organization out. Consider keeping password login enabled for all users as a backup initially.
User Provisioning
Automatic Provisioning
When a user logs in via OIDC for the first time:
- VSAY Terminal creates a new user account
- User details are populated from OIDC claims
- Default role is assigned (configurable)
- User gains access based on their role
Configure default provisioning:
- Go to Organization Settings → Authentication → Provisioning
- Set Default Role for new OIDC users
- Optionally enable Group Mapping (see below)
Group-Based Role Mapping
Map IdP groups to VSAY Terminal roles:
- Ensure your IdP sends group claims
- Go to Authentication → Group Mapping
- Create mappings:
| IdP Group | VSAY Terminal Role |
|---|---|
| vsay-admins | Organization Admin |
| vsay-developers | Developer |
| engineering | Machine Admin |
- Users will automatically receive roles based on their group membership
Just-in-Time (JIT) Provisioning
Enable JIT provisioning for automatic account creation:
- Go to Authentication → Provisioning
- Enable "Auto-create users on first login"
- Configure:
- Default role for new users
- Required email domain (optional, but strongly recommended when the IdP can authenticate accounts outside your organization, such as a Google OAuth client or a multi-tenant Entra app registration; without it, any account the IdP accepts is provisioned)
- Auto-assign to machines/groups (optional)
Advanced Configuration
Custom Claims
If your IdP uses non-standard claim names:
- Go to Authentication → Claim Mapping
- Map your custom claims:
email_claim: custom_email
name_claim: display_name
groups_claim: member_of
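The provisioning, group-mapping, JIT and custom-claim settings above all act on the claims of a validated ID token. The following is an added example, not VSAY Terminal's own code, showing one way to turn those settings into a provisioning decision: it reads the email, name and groups claims through a claim-name mapping, enforces the required email domain, refuses an email the IdP marks as unverified, resolves overlapping group mappings to the highest-ranked role, and keys the account on the stable sub claim rather than the email. The configuration shape, the role names and precedence, and the sample claims are assumptions made for the illustration.

```python
# Added example (not VSAY Terminal code): provisioning decision from ID-token claims.
# All names here are illustrative assumptions, not a VSAY Terminal API.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard OIDC claim names; override them for IdPs that use non-standard ones
# (same shape as the Custom Claims settings above).
DEFAULT_CLAIM_MAP = {"email_claim": "email", "name_claim": "name", "groups_claim": "groups"}

# Precedence when a user is in several mapped groups: the highest-ranked role wins.
ROLE_RANK = {"Developer": 1, "Machine Admin": 2, "Organization Admin": 3}


@dataclass
class ProvisioningConfig:
    default_role: str = "Developer"
    required_email_domain: Optional[str] = None                 # e.g. "example.com"
    claim_map: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_CLAIM_MAP))
    group_roles: Dict[str, str] = field(default_factory=dict)   # IdP group -> role


def provision_from_claims(claims: dict, cfg: ProvisioningConfig) -> dict:
    """Return the account record to create or update, or raise ValueError.

    `claims` is the payload of an ID token whose signature, issuer, audience
    and expiry were already checked; this function only decides what account
    it maps to and which role that account gets.
    """
    if "sub" not in claims:
        raise ValueError("token has no 'sub' claim")
    email = claims.get(cfg.claim_map["email_claim"])
    if not email:
        raise ValueError("User not found: email claim missing from token")
    # Only trust an address the IdP says it verified (OIDC 'email_verified').
    if claims.get("email_verified") is False:
        raise ValueError("email claim is present but not verified by the IdP")
    domain = email.rsplit("@", 1)[-1].lower()
    if cfg.required_email_domain and domain != cfg.required_email_domain.lower():
        raise ValueError(f"email domain {domain!r} is not allowed")

    name = claims.get(cfg.claim_map["name_claim"]) or claims.get("preferred_username") or email

    groups: List[str] = claims.get(cfg.claim_map["groups_claim"]) or []
    if isinstance(groups, str):            # some IdPs send a lone group as a string
        groups = [groups]
    mapped = [cfg.group_roles[g] for g in groups if g in cfg.group_roles]
    role = max(mapped, key=lambda r: ROLE_RANK.get(r, 0)) if mapped else cfg.default_role

    # Key the account on the IdP's stable subject identifier rather than the
    # email address, so a renamed or reassigned mailbox cannot take over an account.
    return {"subject": claims["sub"], "email": email, "name": name, "role": role, "groups": groups}


# Constructed sample input: claims as an IdP using non-standard names might send them.
SAMPLE_CLAIMS = {
    "sub": "00u1abc", "email": "alice@example.com", "email_verified": True,
    "display_name": "Alice", "member_of": ["engineering", "vsay-developers"],
}
SAMPLE_CONFIG = ProvisioningConfig(
    default_role="Developer",
    required_email_domain="example.com",
    claim_map={"email_claim": "email", "name_claim": "display_name", "groups_claim": "member_of"},
    group_roles={"vsay-admins": "Organization Admin", "vsay-developers": "Developer",
                 "engineering": "Machine Admin"},
)

if __name__ == "__main__":
    print(provision_from_claims(SAMPLE_CLAIMS, SAMPLE_CONFIG))
```

With the sample input the user lands in Machine Admin because that outranks Developer; the same claims with an address outside example.com are rejected before any role is considered.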
Token Settings
Configure token handling:
- Access Token Lifetime: How long tokens are valid
- Refresh Token: Enable/disable token refresh
- Session Duration: Max session length
Multi-IdP Support
VSAY Terminal supports multiple identity providers:
- Configure primary IdP as above
- Click "Add Identity Provider"
- Configure additional IdP
- Users can choose their IdP at login
When several IdPs are configured, restrict each one to the email domains it is authoritative for (the required email domain setting described under Provisioning). If two providers are allowed to assert the same domain, an account at one provider could be matched to an identity that belongs to a user of the other.
Security Considerations
Required Security Features
We recommend enabling these in your IdP:
- Multi-Factor Authentication (MFA): Require MFA for all users
- Conditional Access: Restrict access by location, device, etc.
- Session Policies: Set appropriate session timeouts
PKCE Support
VSAY Terminal uses PKCE (Proof Key for Code Exchange, RFC 7636) on every authorization request:
- Binds the authorization code to the client session that requested it, so a code captured from the redirect (for example by a malicious browser extension or a logged proxy) cannot be redeemed for tokens
- Mandatory for public clients and recommended for confidential clients as well; VSAY Terminal is a confidential client (it holds a client secret) and uses PKCE in addition to the secret, not instead of it
- Automatically enabled; no IdP-side configuration is needed, although some IdPs let you require PKCE for the application
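To make the protection concrete, here is an added example, not VSAY Terminal's own code, that walks both sides of a PKCE exchange: the client generates a code_verifier, derives the S256 code_challenge, and sends only the challenge in the authorization request; the IdP stores the challenge with the code it issues and, at the token endpoint, recomputes the challenge from whatever verifier is presented. The simulation then shows that a party who only captured the code from the redirect cannot redeem it. The endpoint, client ID and authorization code values are illustrative assumptions.

```python
# Added example (not VSAY Terminal code): PKCE, client side and IdP side.
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved characters; 32 random bytes -> 43 chars.
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state, nonce, challenge):
    # Client side: only the challenge travels over the front channel;
    # the verifier never leaves the client until the back-channel token request.
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid email profile groups", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def idp_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    # IdP side, at the token endpoint: recompute the challenge from the presented
    # verifier and compare in constant time. The weaker 'plain' method is refused.
    if stored_method != "S256":
        return False
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


def simulate_exchange():
    """Run one honest code redemption and one interception attempt.

    Returns (legitimate_client_accepted, interceptor_accepted).
    """
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url(
        "https://your-org.okta.com/oauth2/v1/authorize",          # assumed endpoint
        "0oa-example-client-id",                                   # assumed client ID
        "https://your-domain.vsayterminal.com/auth/callback",
        state, nonce, challenge,
    )
    assert "code_challenge_method=S256" in url
    # The IdP stores the challenge alongside the authorization code it issues
    # (constructed code value, as returned to the redirect URI).
    code = "SplxlOBeZQQYbYS6WxSbIA"
    idp_code_store = {code: (challenge, "S256")}
    stored_challenge, method = idp_code_store[code]
    legit = idp_verify_pkce(stored_challenge, method, verifier)
    # Someone who captured `code` from the redirect holds no verifier and can only guess.
    interceptor = idp_verify_pkce(stored_challenge, method, new_code_verifier())
    return legit, interceptor


if __name__ == "__main__":
    print("legitimate accepted, interceptor accepted:", simulate_exchange())
```

The test vector from RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm the S256 derivation matches what an IdP will compute.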
Token Validation
Every ID token received from the IdP is validated before the user is signed in:
- Signature verification against the IdP's published signing keys (the JWKS at the jwks_uri listed in the provider's discovery document)
- Issuer validation: the iss claim must equal the configured Issuer URL exactly
- Audience validation: the aud claim must contain VSAY Terminal's Client ID
- Expiration checking: tokens past their exp time are rejected
A token that fails any of these checks is rejected and the login fails.
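The checks above are the ones any relying party must perform; the following added example, not VSAY Terminal's own code, implements them with the standard library only. It signs demo tokens with HS256 using the client secret (OpenID Connect permits this; production IdPs normally sign with RS256 against keys from their JWKS, which changes only the signature step), pins the expected algorithm so the token's own header cannot choose it, then checks iss, aud (with azp for multi-audience tokens), exp with clock-skew tolerance, and the nonce from the authorization request. It also shows the discovery-document issuer check that goes with the Issuer URL setting. Issuer, client ID, secret, timestamps and claims are constructed values.

```python
# Added example (not VSAY Terminal code): ID-token validation with the standard library.
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW_SECONDS = 60   # tolerated difference between the IdP's clock and ours


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_discovery_issuer(discovery_doc: dict, configured_issuer: str) -> None:
    # OIDC Discovery 4.3: the document's 'issuer' must equal the URL it was fetched from.
    if discovery_doc.get("issuer") != configured_issuer:
        raise ValueError("discovery document issuer does not match the configured Issuer URL")


def mint_id_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """IdP side (demo only): sign an ID token with the shared client secret."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{p}".encode()
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{h}.{p}.{_b64url_encode(sig)}"


def validate_id_token(token: str, *, client_secret: str, issuer: str, client_id: str,
                      nonce: str, now: float = None) -> dict:
    """Relying-party side: return the claims, or raise ValueError on the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm we expect; never let the token's header choose it
    # (this is what defeats 'alg: none' and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch for multi-audience token")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now - CLOCK_SKEW_SECONDS:
        raise ValueError("token expired or has no exp")
    if claims.get("iat", 0) > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


# Constructed values for the demo.
ISSUER, CLIENT_ID, SECRET = "https://your-org.okta.com", "0oa-example-client-id", "demo-client-secret"
NOW = 1_700_000_000
NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "00u1abc", "aud": CLIENT_ID, "iat": NOW - 10, "exp": NOW + 300,
                 "nonce": NONCE, "email": "alice@example.com", "groups": ["vsay-developers"]}


def demo() -> dict:
    """Return, per constructed case, whether the validator accepted the token."""
    cases = {
        "good": mint_id_token(SAMPLE_CLAIMS, SECRET),
        "alg_none": mint_id_token(SAMPLE_CLAIMS, SECRET, alg="none"),
        "forged_groups": mint_id_token({**SAMPLE_CLAIMS, "groups": ["vsay-admins"]}, "wrong-secret"),
        "wrong_audience": mint_id_token({**SAMPLE_CLAIMS, "aud": "some-other-app"}, SECRET),
        "expired": mint_id_token({**SAMPLE_CLAIMS, "exp": NOW - 600}, SECRET),
    }
    results = {}
    for name, tok in cases.items():
        try:
            validate_id_token(tok, client_secret=SECRET, issuer=ISSUER, client_id=CLIENT_ID,
                              nonce=NONCE, now=NOW)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    check_discovery_issuer({"issuer": ISSUER}, ISSUER)
    print(demo())
```

Only the untampered token passes; the unsigned, re-signed, mis-addressed and expired variants each fail at the corresponding check, which is the behaviour to expect from VSAY Terminal's validation when a misconfigured or malicious IdP response arrives.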
Troubleshooting
Common Issues
"Invalid redirect URI"
- Ensure the callback URL registered in your IdP matches VSAY Terminal's URL exactly; IdPs compare redirect URIs as strings, so the scheme (https), host, port and path all matter
- Check for trailing slashes: https://your-domain.vsayterminal.com/auth/callback and https://your-domain.vsayterminal.com/auth/callback/ are different URIs
"User not found"
- Verify email claim is being sent
- Check claim mapping configuration
"Invalid client credentials"
- Verify Client ID and Secret are correct
- Ensure the secret hasn't expired
"Groups not syncing"
- Verify your IdP is sending group claims
- Check group claim name mapping
- Ensure groups are included in the token (not just userinfo)
Testing OIDC
Use the built-in test tool:
- Go to Authentication → OIDC Configuration
- Click "Test Connection"
- Review the test results for any issues