Use an OAuth2 Domain to authenticate users with an OAuth2 / OpenID Connect provider such as Azure Entra ID, Okta, or Auth0. Like SAML2, OAuth2 domains support Admin Web Console login and attended Windows Agent login. They do not support unattended or headless agent authentication. For those scenarios, use a Certificate Users Domain or Local Users Domain.
Configure the Domain
- In the Admin Web Console, navigate to Access > Domains and click New.
- Set Domain Type to OAuth2 and complete the common domain options (Alias, Concurrency, User Limit). See Domains for descriptions of these fields.
- Configure the OAuth2-specific settings:
OAuth2 Configuration

| Setting | Description |
|---|---|
| Client ID | The client ID of the application registered in your IdP. Provided by your IdP. |
| Secret Client | The client secret for the registered application. Provided by your IdP. |
| Authorization URL | The IdP's OAuth2 authorization endpoint. Provided by your IdP. |
| Token URL | The IdP's token exchange endpoint. Provided by your IdP. |
| User Information URL | The IdP's userinfo endpoint, used to retrieve user profile claims after authentication. Provided by your IdP. |
| Scope | The OAuth2 scopes to request. Typically includes |
| Claims | Additional claims to request, in JSON format. Use only if your IdP requires non-standard claims for group membership or user identity. |
| Token Log | Enable only for debugging. When enabled, sensitive token information is written to the server log. Disable in production. |
IdP-side Configuration (configure at your IdP)

| Setting | Description |
|---|---|
| Sign-In redirect URI | This value is |
User Provisioning & Identity Mapping

| Setting | Description |
|---|---|
| Automatic Provisioning of Users | When enabled, Signum automatically creates a user record the first time someone authenticates via the IdP, importing their email, name, and group membership. When disabled, users must be created manually before they can log in. |
| | The claim name your IdP uses for the user's email address. |
| Name | The claim name your IdP uses for the user's first name. |
| Last Name | The claim name your IdP uses for the user's last name. |
| Groups | The claim name your IdP uses for group membership. |
| Use Groups | When enabled, Signum reads the groups claim and uses it to determine the user's role assignment. Required if you want IdP group membership to map to Signum roles. |
| Use email as User Identifier | When enabled, Signum uses the email claim as the unique identifier for each user. Recommended for most organizations. This setting cannot be changed after the domain is created. |
| Username | The claim name your IdP uses for the username. Only available when Use email as User Identifier is disabled. |
Troubleshooting: If a user successfully authenticates with the IdP but sees the error "User found, but does not belong to any roles", the user exists in Signum but has not been assigned a Role. Assign a role to the user manually, or configure IdP group-to-role mapping so group members receive a role automatically on first login.
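To make the claim-mapping settings above concrete, here is an added example (not Signum's own code) that applies a set of configured claim names to a userinfo response, picks the identifier according to Use email as User Identifier, and derives roles from the groups claim when Use Groups is on. The claim names, the `group_to_role` table and the sample userinfo document are all constructed assumptions; it also reproduces the "does not belong to any roles" failure when none of the user's groups map to a role.

```python
from dataclasses import dataclass, field

@dataclass
class ClaimMapping:
    """Constructed stand-in for the domain's claim-mapping settings (table above)."""
    email_claim: str = "email"
    first_name_claim: str = "given_name"
    last_name_claim: str = "family_name"
    groups_claim: str = "groups"
    username_claim: str = "preferred_username"
    use_groups: bool = True
    use_email_as_identifier: bool = True

@dataclass
class ProvisionedUser:
    identifier: str
    email: str
    first_name: str
    last_name: str
    roles: list = field(default_factory=list)

class ProvisioningError(Exception):
    pass

def provision_user(userinfo: dict, mapping: ClaimMapping, group_to_role: dict) -> ProvisionedUser:
    """Map a userinfo response onto a user record using the configured claim names.
    Raises ProvisioningError if the identifier claim is absent or, with Use Groups on,
    if none of the user's groups map to a role (the troubleshooting case above)."""
    id_claim = mapping.email_claim if mapping.use_email_as_identifier else mapping.username_claim
    identifier = userinfo.get(id_claim)
    if not identifier:
        raise ProvisioningError(f"identifier claim {id_claim!r} missing from userinfo")
    roles: list = []
    if mapping.use_groups:
        groups = userinfo.get(mapping.groups_claim, [])
        if isinstance(groups, str):  # some IdPs send a single group as a scalar, not a list
            groups = [groups]
        roles = sorted({group_to_role[g] for g in groups if g in group_to_role})
        if not roles:
            raise ProvisioningError("User found, but does not belong to any roles")
    return ProvisionedUser(identifier=identifier,
                           email=userinfo.get(mapping.email_claim, ""),
                           first_name=userinfo.get(mapping.first_name_claim, ""),
                           last_name=userinfo.get(mapping.last_name_claim, ""),
                           roles=roles)

# Constructed sample userinfo response and group-to-role table for an offline dry run.
SAMPLE_USERINFO = {"email": "alice@example.com", "given_name": "Alice",
                   "family_name": "Liddell", "groups": ["signum-admins", "staff"]}
SAMPLE_GROUP_TO_ROLE = {"signum-admins": "Administrator", "signum-operators": "Operator"}
```

Running `provision_user(SAMPLE_USERINFO, ClaimMapping(), SAMPLE_GROUP_TO_ROLE)` yields an Administrator record keyed on the email; dropping `signum-admins` from the groups claim reproduces the no-roles error.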
SSO login button
You can add a button to the Admin Web Console login page that takes users directly to your IdP. Navigate to Access > Domains, select the OAuth2 domain, and toggle Display SSO Login Button to on. See SAML2 Domain | SSO Login Button for details, as the behavior is identical.
Direct IdP login URL
To send users directly to the IdP login page without visiting the Signum login page, use:
`https://<your-signum-url>/login?domain=<domain-alias>`