Integrating with OIDC identity providers

You can configure Aporeto to authenticate users against any OpenID Connect (OIDC) identity provider. Examples include Google, Okta, Azure Active Directory, Yahoo, Auth0, and many others.

Integration with an OIDC identity provider gives your users single sign-on access to:

  • Aporeto control plane
    • Aporeto web interface
    • apoctl
  • Enforcer hosts via secure shell (SSH)
  • Applications protected by Aporeto

Aporeto uses the OIDC authorization code flow with a confidential client, as described in the OIDC 1.0 specification.

You can use scopes to request basic information about the user from the identity provider. If the user consents to the requested scopes, the identity provider returns the information to Aporeto as claims in an ID token. The claims in the ID token allow you to control which users can gain access.

All identity providers should support the following list of scopes and claims.

  • profile scope requests the following claims:

    • name
    • family_name
    • given_name
    • middle_name
    • nickname
    • preferred_username
    • profile
    • picture
    • website
    • gender
    • birthdate
    • zoneinfo
    • locale
    • updated_at
  • email scope requests the following claims:

    • email
    • email_verified
  • address scope requests the address claim

  • phone scope requests the following claims:

    • phone_number
    • phone_number_verified

Each identity provider supports additional scopes and claims. Refer to the documentation of the identity provider to learn more. Request only scopes that return claims as string, array, or boolean values. Aporeto ignores other types of claim values.

The OIDC sequence requires a browser and is not suitable for authenticating applications.

Configuring an integration with an OIDC identity provider varies by resource. Refer to the section that corresponds to your use case.