Add External Identity Provider
Add an external OIDC-compliant IDP so that users can sign in to Raidiam Connect with their preferred authentication provider, map groups, and request approval for Just-In-Time (JIT) provisioning.
Prerequisites
- Organisation Admin role for the target organisation.
- Administrative access to the external IDP (to obtain the Client ID and configure the redirect URI).
- Ability to add TXT records to your organisation's DNS.
Procedure
- Within Organisation View, select Directory > Servers > Your Server > IDP Configuration.
- Click New IDP Configuration and complete the form:
  - Display Name
  - Contact Emails (comma-separated)
- Create a New Version of your IDP and add:
  - Client ID from your IDP. In your Identity Provider, create a client application for the Raidiam Connect integration. It will be used to authenticate Raidiam Connect with your IDP/authorization server using the `private_key_jwt` client authentication method.
  - Authentication Policies (e.g., `TWO_FACTOR`)
  - Restricted Domains. Restricted Domains are email domains that can only use the configured SSO Provider for authentication. Users with email addresses from these domains are required to authenticate through the external IDP.
  - Supported Domains. Supported Domains are email domains that have the option to use the configured SSO Provider for authentication while retaining the option to use the Raidiam IDP.
  - Group Claim (the OIDC claim that lists group IDs, e.g., `groups`)
- The following attributes are returned from the directory:
  - Copy the generated TXT Record Value and add it to the DNS zone of your IDP to verify ownership.
  - Add the generated `redirect_uri` to the External IDP configuration; it is used to redirect the user back to Raidiam after login.
  - Download the public key shown and include it in your IDP configuration. This is the key used in `private_key_jwt` client authentication.
- Make sure your IDP/Authorization Server:
  - Allows the `private_key_jwt` client authentication method.
  - Allows the client to request the `openid profile email` scopes.
  - Returns the `profile` and `groups` claims (or any other claim that stores group assignment) within ID tokens.
  - Allows the client to request the `phone` and `email` scopes if you assigned Authentication Policies that force the user to authenticate using OTP (MFA).
- Save the version; it enters the Pending Approval status.
- Notify a Super User to approve the version. After the Super User has approved the version and the Configuration has been bound to a group, it can be used for SSO.
- Once your IDP version is approved, select the three dots next to it and change it to the Active status.
- Perform a test login via the external IDP and confirm a successful authentication.
Field Reference
This section explains each field involved in setting up your external IDP and why it is required.
SSO Configuration
| Field | Purpose |
|---|---|
| Display Name | A human-readable label that identifies the IDP in the UI during login. This name is displayed on the login button when the email contains one of the associated domains. |
| Contact Emails | One or more email addresses (comma-separated) of the team responsible for managing the IDP. Used for operational alerts or domain control issues. |
| TXT Record Value | A DNS record value generated by the Directory to validate that your organisation owns the specified email domains. This must be added to your DNS to enable domain-restricted SSO; you will not be able to create a version until this is done. |
| Redirect URI | The callback URL the external IDP uses to return users to the Directory after successful authentication. This must be whitelisted in the IDP's application settings. |
| Public Key JWKS | The public key corresponding to the private key the Directory uses to sign the token request. Used by the IDP to validate the request signature. |
SSO Configuration Version
| Field | Purpose |
|---|---|
| Client ID | The identifier issued by your IDP for the Directory as a relying party. Used during the OAuth/OIDC flow to initiate authentication. |
| Authentication Policies | Optional flags that request additional login requirements at the IDP (e.g. `TWO_FACTOR`, `VERIFY`). These help enforce stronger authentication at login. Some of them may be made mandatory by the administrators, and versions may be refused if the mandatory policies are not included. |
| Restricted Domains | Email domains that must use this IDP for login. Users with these domains are blocked from using the default Raidiam login (email and password). |
| Supported Domains | Domains allowed to use this IDP for login, but which may also use the Raidiam IDP if no restriction exists. Cannot include wildcards. |
| Group Claim | The name of the OpenID Connect claim in the IDP's ID Token that lists the user's group memberships (e.g. `groups`, `roles`). For example, if the groups the user belongs to are listed under `user_groups` in the returned `id_token`, that is the group claim you should add. If the configured claim is not returned in the `id_token`, users will not be able to log in. |
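The following Python script is an added example, not part of this page or of Raidiam's software. It models the rules the Procedure and Field Reference describe so they can be checked offline before a version is submitted: which login options an email address gets under Restricted versus Supported Domains, the wildcard restriction, the scopes the Directory must be allowed to request (with `phone` added for an OTP policy), the failure when the configured group claim is absent from the ID token, and the claim set of a `private_key_jwt` client assertion (issuer and subject both equal to the Client ID, audience equal to the IDP's token endpoint, per RFC 7523). The configuration values, email addresses, token endpoint URL and ID-token claims are constructed for the example; signing the assertion with the private key is not shown.

```python
"""Added example (not Raidiam's code): offline checks for an external IDP version.

All configuration values, addresses and token claims below are constructed.
"""
import time
import uuid
from dataclasses import dataclass, field


@dataclass
class IdpVersion:
    """The fields of an SSO Configuration Version that drive login behaviour."""
    client_id: str
    restricted_domains: set = field(default_factory=set)
    supported_domains: set = field(default_factory=set)
    group_claim: str = "groups"
    # Authentication policy flags, e.g. "TWO_FACTOR" or "VERIFY".
    authentication_policies: set = field(default_factory=set)


class GroupClaimMissing(Exception):
    """Raised when the ID token lacks the configured group claim."""


def validate_domains(cfg: IdpVersion) -> None:
    """Domains cannot include wildcards; reject the version before submission."""
    for domain in cfg.restricted_domains | cfg.supported_domains:
        if "*" in domain:
            raise ValueError(f"wildcard not allowed in domain: {domain}")


def login_options(email: str, cfg: IdpVersion) -> list:
    """Identity providers the login page may offer for this email address.

    Restricted domain -> only the external IDP (Raidiam password login is blocked).
    Supported domain  -> the external IDP plus the default Raidiam IDP.
    Any other domain  -> Raidiam IDP only; this configuration is not offered.
    """
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in cfg.restricted_domains:
        return ["external"]
    if domain in cfg.supported_domains:
        return ["external", "raidiam"]
    return ["raidiam"]


def requested_scopes(cfg: IdpVersion) -> str:
    """Scopes the IDP must allow: openid profile email, plus phone for OTP/MFA."""
    scopes = ["openid", "profile", "email"]
    if "TWO_FACTOR" in cfg.authentication_policies:
        scopes.append("phone")
    return " ".join(scopes)


def groups_from_id_token(claims: dict, cfg: IdpVersion) -> list:
    """Read the configured group claim; a missing claim means the login fails."""
    if cfg.group_claim not in claims:
        raise GroupClaimMissing(
            f"ID token has no '{cfg.group_claim}' claim; user cannot log in")
    value = claims[cfg.group_claim]
    return list(value) if isinstance(value, (list, tuple)) else [value]


def client_assertion_claims(cfg: IdpVersion, token_endpoint: str,
                            now: int = None, lifetime: int = 300) -> dict:
    """Claim set of the private_key_jwt assertion (RFC 7523 section 3).

    iss and sub are the Client ID; aud is the token endpoint; jti is unique.
    The caller signs this with the private key whose public half is published
    in the Public Key JWKS (signing is not shown here).
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": cfg.client_id,
        "sub": cfg.client_id,
        "aud": token_endpoint,
        "iat": now,
        "exp": now + lifetime,
        "jti": str(uuid.uuid4()),
    }


# Constructed example version used by the demo below.
EXAMPLE_VERSION = IdpVersion(
    client_id="example-client-id",
    restricted_domains={"restricted.example"},
    supported_domains={"supported.example"},
    group_claim="user_groups",
    authentication_policies={"TWO_FACTOR"},
)

if __name__ == "__main__":
    validate_domains(EXAMPLE_VERSION)
    for address in ("a@restricted.example", "b@supported.example", "c@other.example"):
        print(address, "->", login_options(address, EXAMPLE_VERSION))
    print("scopes:", requested_scopes(EXAMPLE_VERSION))
    print("groups:", groups_from_id_token({"user_groups": ["admins"]}, EXAMPLE_VERSION))
    print(client_assertion_claims(EXAMPLE_VERSION, "https://idp.example/token"))
```

Run it with `python3 idp_check.py`; the constructed ID token with `user_groups` yields the group list, while a token that only carries `groups` raises `GroupClaimMissing`, matching the Field Reference note that users cannot log in when the configured claim is absent.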