Configure Generic SSO

1. In Kong Konnect, click Organization, and then Auth Settings.

2. Click Configure provider for OIDC.

3. Paste the issuer URI from your IdP in the Issuer URI box.

4. Paste the client ID from your IdP in the Client ID box.

5. Paste the client secret from your IdP in the Client Secret box.

6. In the Organization Login Path box, enter a unique string. For example: examplepath.

   Konnect uses this string to generate a custom login URL for your organization.

   Requirements:

   • The path must be unique across all Konnect organizations. If your desired path is already taken, you must to choose another one.
   • The path can be any alphanumeric string.
   • The path does not require a slash (/).

7. After clicking Save, close the configuration dialog and click Enable on your OIDC provider.

The Konnect SAML integration allows you to configure various identity providers. While technically any SAML-compliant provider can be used, the following have been verified:

• Okta
• Azure Active Directory
• Oracle Identity Cloud Service
• Keycloak

1. Log in to Kong Konnect, click Organization, and then select Auth Settings.

2. Click Configure provider under SAML.

3. Enter the Metadata URL from your IdP in the IDP Metadata URL field.

4. In the Login Path field, enter the unique string that matches the one in Okta. For example: examplepath.

   Konnect uses this string to generate a custom login URL for your organization.

   Requirements:

   • The path must be unique across all Konnect organizations.
   • The path can be any alphanumeric string.
   • The path does not require a slash (/).

5. After clicking Save, configure the SP Entity ID and Login URL on your SAML IdP.

Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.

You can test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: https://cloud.konghq.com/login/examplepath, where examplepath is the unique login path string set in the steps above.

If your configuration is set up correctly, you will see the IdP sign-in page.

You can now manage your organization’s user permissions entirely from the IdP application.

Important: Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication.

Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: https://cloud.konghq.com/login/examplepath, where examplepath is the unique login path string set in the previous steps.

If the configuration is correct, you will see the IdP sign-in page. You can now manage your organization’s user permissions entirely from the IdP application.

• When adding an enterprise application, note that OIDC uses app registration.
• Remove the namespace from the claim name in Azure. You can do this by checking Customize on the group claim.
• Using groups maps to the Group ID by default.

Attribute mapping for Azure configuration:

• When configuring the Name ID format in Oracle Cloud, make sure to set it to transient.
• You will need to manually upload the signing certificate from sp_metadata_url.
  • cert.pem must use the X509Certificate value for signing.

Attribute mapping for Oracle Cloud configuration:

• You will need to manually upload the signing certificate from sp_metadata_url.
  • cert.pem must use the X509Certificate value for signing.
• Go to Realm Settings in Keycloak to locate your metadata endpoint. The sp_metadata_url for Konnect will be:http://<keycloak-url>/realms/konnect/protocol/saml/descriptor

Attribute mapping for KeyCloak configuration: