Authentication

Configuring other identity providers

Any Identity Provider (IdP) which implements OpenID Connect (OIDC) and supports Proof Key for Code Exchange (PKCE) can be used in conjunction with Redgate's single sign-on (SSO).

To configure SSO:

  1. Visit ssoadmin.red-gate.com and progress to the screen that lets you enter the details of your IdP.
  2. Add a new client (some IdPs call these applications) to your IdP. Ensure it is set to use the OIDC authorization code flow.
  3. Enter your chosen or generated client_id into ssoadmin.red-gate.com, as well as the IdP's URL.
  4. Use the Test Configuration button to attempt a login via your IdP; this does not yet activate SSO.
  5. If the test succeeds, you are given the option to activate SSO with the provided configuration.


Redgate's IdP will make an OIDC request to your IdP with:

Parameter              Value
client_id              You or your IdP choose a value, then provide it to us via ssoadmin.red-gate.com
response_type          "code"
redirect_uri           "https://identityprovider.red-gate.com/singlesignon/signin-oidc"
scope                  "openid email"
login_hint             The email address the user entered
response_mode          "form_post"
code_challenge         These carry the PKCE values, which avoids the need for a client_secret
code_challenge_method


The domain of your IdP does not need to match the email domain you are configuring to use SSO.


Our IdP must be able to request the OIDC well-known document from your IdP at /.well-known/openid-configuration, and must be able to make requests to the URLs advertised within it. No CORS headers are required.
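The following is an added illustration of the request described in the table above and the discovery step just mentioned; it is example code, not Redgate's implementation. It reads a constructed well-known document (the idp.example.test hostname and endpoint paths are placeholders), generates a PKCE verifier/challenge pair, and builds the authorization request with exactly the parameters listed. The page does not state which PKCE method is used; S256 is assumed here because it is the method the PKCE specification recommends.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample of what an IdP serves at /.well-known/openid-configuration.
# Only the fields this example reads are included; the hostname is a placeholder.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

# Fixed redirect_uri from the parameter table.
REDIRECT_URI = "https://identityprovider.red-gate.com/singlesignon/signin-oidc"


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return a fresh (code_verifier, code_challenge). The verifier stays with the
    client and is only sent to the token endpoint; the challenge goes in the request."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe characters, within the 43..128 limit
    return verifier, s256_challenge(verifier)


def verify_pkce(verifier, challenge):
    """What the IdP's token endpoint does: recompute the challenge and compare."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)


def parse_discovery(doc_json, expected_issuer):
    """Parse the well-known document and check the advertised endpoints are usable."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer in discovery document does not match the configured IdP")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url or urlsplit(url).scheme != "https":
            raise ValueError(f"{key} missing or not served over https")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("IdP does not advertise S256 PKCE support (assumed method)")
    return doc


def build_authorization_request(discovery, client_id, login_email, code_challenge):
    """Build the authorization request URL with the parameters from the table."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "login_hint": login_email,
        "response_mode": "form_post",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # assumption: S256, not stated on the page
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    discovery = parse_discovery(SAMPLE_DISCOVERY_DOC, "https://idp.example.test")
    verifier, challenge = make_pkce_pair()
    print(build_authorization_request(discovery, "redgate-sso", "alice@example.test", challenge))
    print("verifier accepted:", verify_pkce(verifier, challenge))
```

Because the challenge is a one-way hash of the verifier, an authorization code intercepted on the redirect cannot be exchanged without the verifier, which is why no client_secret needs to be shared with the IdP.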


Our IdP only requires an id_token from your IdP and only uses these claims:

Claim           Required?  Behavior
sub             Yes        The user will log in as the Redgate ID that has this value as its external ID, if one exists.
email           Yes        Must have the same domain as the user entered.
                           If a Redgate ID is found using sub, then its login email is updated if not already used by another Redgate ID.
                           Otherwise the user will be logged in as the Redgate ID with the matching login email, if one exists, and that Redgate ID has its external ID set to the value of sub.
                           Otherwise a new Redgate ID will be created using the email and sub values.
email_verified  No         If present, this must be "true".
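To make the precedence in the claims table concrete, here is an added model of the account-matching rules as example code; it is not Redgate's implementation. The AccountStore and RedgateId types are constructed stand-ins for the real account directory, and the example assumes the id_token signature, issuer and audience have already been verified before its claims reach this logic.

```python
from typing import Optional


class RedgateId:
    """Minimal model of a Redgate ID: a login email plus an optional external ID (the IdP's sub)."""

    def __init__(self, email: str, external_id: Optional[str] = None):
        self.email = email
        self.external_id = external_id


class AccountStore:
    """In-memory stand-in for the account directory; constructed for this example."""

    def __init__(self, accounts=()):
        self.accounts = list(accounts)

    def by_external_id(self, sub):
        return next((a for a in self.accounts if a.external_id == sub), None)

    def by_email(self, email):
        return next((a for a in self.accounts if a.email.lower() == email.lower()), None)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def check_claims(claims, entered_email):
    """Apply the rules from the table: sub and email are required, the email domain must
    match the address the user entered, and email_verified, if present, must be true."""
    sub = claims.get("sub")
    email = claims.get("email")
    if not sub or not email:
        raise ValueError("id_token must contain both sub and email")
    if _domain(email) != _domain(entered_email):
        raise ValueError("email domain does not match the address the user entered")
    # The page quotes the value as "true"; IdPs commonly send a JSON boolean, so accept both.
    if "email_verified" in claims and claims["email_verified"] not in (True, "true"):
        raise ValueError("email_verified is present but not true")
    return sub, email


def claims_acceptable(claims, entered_email):
    """Boolean form of check_claims, convenient for tests and logging."""
    try:
        check_claims(claims, entered_email)
        return True
    except ValueError:
        return False


def resolve_login(store, claims, entered_email):
    """Return (redgate_id, action) following the precedence described in the table."""
    sub, email = check_claims(claims, entered_email)

    account = store.by_external_id(sub)
    if account is not None:
        # Found by sub: refresh the login email unless another Redgate ID already uses it.
        owner = store.by_email(email)
        if owner is None or owner is account:
            account.email = email
        return account, "matched-by-sub"

    account = store.by_email(email)
    if account is not None:
        # Found by login email: link this IdP identity to the existing Redgate ID.
        account.external_id = sub
        return account, "matched-by-email"

    # No match on either key: create a new Redgate ID from the claims.
    account = RedgateId(email=email, external_id=sub)
    store.accounts.append(account)
    return account, "created"


if __name__ == "__main__":
    store = AccountStore([RedgateId("alice@example.test", "idp-sub-1"), RedgateId("bob@example.test")])
    for claims, entered in [
        ({"sub": "idp-sub-1", "email": "alice.new@example.test", "email_verified": True}, "alice@example.test"),
        ({"sub": "idp-sub-2", "email": "bob@example.test"}, "bob@example.test"),
        ({"sub": "idp-sub-3", "email": "carol@example.test"}, "carol@example.test"),
    ]:
        account, action = resolve_login(store, claims, entered)
        print(action, account.email, account.external_id)
```

The order matters: a match on sub wins over a match on email, so a user whose address changes at the IdP keeps the same Redgate ID, while the email-domain check stops an id_token for a different domain from being accepted for this SSO configuration.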

Our IdP will never request a logout from your IdP.

