OAuth 2.0 and OpenID Connect SSO Configuration
Overview
Starting with 2025.7.2, Incorta supports integration with any standard OAuth 2.0/OpenID Connect (OIDC) identity provider, including Auth0, Azure Active Directory (also known as Microsoft Entra ID), Okta, and Google. This integration enables single sign-on (SSO) for your Incorta users, who authenticate to Incorta using their existing SSO credentials from your configured identity provider.
To complete the integration:
- Create an application for Incorta in your OAuth provider.
- Configure the Incorta cluster with the OAuth provider details.
Step 1: Register a web application in your OAuth provider
Regardless of the OAuth 2.0/OIDC identity provider that Incorta will integrate with, you need to create a regular web application/OIDC application. The steps to register or create an application vary according to your provider. Consult your provider’s documentation for the detailed steps.
The following are the general required configurations for the new application in your OAuth 2.0/OIDC identity provider.
| Property | Value | Notes |
|---|---|---|
| Application Type | Web Application | Must support OAuth 2.0/OIDC |
| Grant Type | Authorization Code | |
| Redirect URI | https://<incortaHost>/incorta/auth/oauth/<tenantName>/callback | Replace <incortaHost> with the DNS name or IP address and port number of your Incorta host, and <tenantName> with your tenant name. |
| Allowed Logout URL | https://<incortaHost>/incorta/authservice/logoutPage | Replace <incortaHost> with the DNS name or IP address and port number of your Incorta host. |
| Scopes | openid, email, and profile. Example: scope=openid%20profile%20email | Ensures that the email and name are included in the ID token. |
After creating the application, create a Client Secret for it and record it once displayed.
Step 2: Configure the Incorta OAuth provider
To connect your tenant to the OAuth identity provider:
- In the Cluster Management Console (CMC), navigate to Clusters > <clusterName> > Tenants > <yourTenant> > Configure.
- In the Security tab, configure the following properties:
  - In Authentication Type, select SSO.
  - In Provider Type, select OAuth 2.0/OpenID Connect.
  - In Provider configurations, enter the configurations for the OAuth 2.0/OIDC SSO provider.
- Save your changes.
Provider configuration
The following are the required provider configurations to be added in the CMC:
```
clientId=<yourAppClientID>
clientSecret=<yourAppClientSecret>
issuer=<issuerURL>
userNameClaim=<IdTokenClaim>
callbackUrl=<incortaCallbackUrl>
```
The following table describes each property:
| Property | Description |
|---|---|
| clientId | The Client ID of the OAuth application in your identity provider |
| clientSecret | The Client Secret that you have created for the OAuth application in your identity provider |
| issuer | The base URL of your identity provider, for example, https://example.us.auth0.com/ |
| userNameClaim | The ID token claim that maps to the Incorta login name. The default is sub. |
| callbackUrl | The Incorta callback URL. The default is https://<incortaHost>/incorta/auth/oauth/<tenantName>/callback. Replace <incortaHost> with the DNS name or IP address and port number of your Incorta host, and <tenantName> with your tenant name. This property is optional; provide it only if your IdP redirect URL (callback URL) uses a custom domain that is different from the domain configured in Incorta. |
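
The following pre-flight check is an added example, not Incorta code: it lints a provider configuration block before you paste it into the CMC and computes the redirect URI that must match the one registered at the identity provider. It assumes one `key=value` property per line; the function names, sample values, and the https checks are choices of this example (OIDC issuer identifiers use the https scheme).

```python
import re
from urllib.parse import urlsplit

REQUIRED = ("clientId", "clientSecret", "issuer")  # userNameClaim and callbackUrl have defaults
CALLBACK_PATH = re.compile(r"^/incorta/auth/oauth/([^/]+)/callback$")

def parse_provider_config(text):
    """Parse key=value lines (assumed one per line); values may contain '='."""
    props = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        props[key.strip()] = value.strip()
    return props

def redirect_uri(props, incorta_host, tenant):
    """URI to register at the IdP: callbackUrl if set, else the documented default."""
    return props.get("callbackUrl") or (
        f"https://{incorta_host}/incorta/auth/oauth/{tenant}/callback")

def lint(props, tenant):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = [f"missing required property: {k}" for k in REQUIRED if not props.get(k)]
    findings += [f"template placeholder left in {k}"
                 for k, v in props.items() if re.search(r"<[^>]+>", v)]
    issuer = props.get("issuer", "")
    if issuer and "<" not in issuer and urlsplit(issuer).scheme != "https":
        findings.append("issuer is not an https URL")
    callback = props.get("callbackUrl", "")
    if callback and "<" not in callback:
        url = urlsplit(callback)
        match = CALLBACK_PATH.match(url.path)
        if url.scheme != "https":
            findings.append("callbackUrl is not an https URL")
        if not match:
            findings.append("callbackUrl path is not /incorta/auth/oauth/<tenantName>/callback")
        elif match.group(1) != tenant:
            findings.append(f"callbackUrl tenant {match.group(1)!r} != {tenant!r}")
    return findings

# Constructed sample: no client secret, plain-http issuer, callback for another tenant.
SAMPLE = """clientId=abc123
issuer=http://idp.example.com/
callbackUrl=https://bi.example.com/incorta/auth/oauth/sales/callback
"""

if __name__ == "__main__":
    props = parse_provider_config(SAMPLE)
    print("\n".join(lint(props, "finance")) or "ok")
    print("register at IdP:", redirect_uri(props, "incorta.example.com:8443", "finance"))
```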