# Configuring SSO

OpenIAM supports SSO for connected applications in two ways:

* **Federation protocols** — SAML 2.0, OAuth 2.0, and OpenID Connect (OIDC). Use this for applications that support standard identity protocols.
* **Reverse proxy (rProxy)** — for legacy applications that do not support modern federation protocols. This option is described in a [separate section](/sso-to-legacy-applications.md) of the guide.

<table><thead><tr><th width="138">SSO Method</th><th>Best used when</th></tr></thead><tbody><tr><td><a href="/pages/255bd3cedf6e797054bc84945f96b68323f201bd">SAML 2.0</a></td><td>Enterprise SSO integrations between systems</td></tr><tr><td><a href="/pages/f037286aff2f5e2d723b6f70d110d30e0135ba2d#admin-ui-creating-an-oauth-client">OAuth 2.0</a></td><td>Delegated authorization and API access</td></tr><tr><td><a href="/pages/f037286aff2f5e2d723b6f70d110d30e0135ba2d#oidc-discovery">OIDC</a></td><td>Application needs user authentication on top of OAuth 2.0</td></tr><tr><td><a href="/pages/ca60d8abc07796cd89a290255bae788164e2cb0c">rProxy</a></td><td>Application does not support modern identity protocols</td></tr></tbody></table>

***

## Content provider

A **content provider** is an alias for a domain — for example, `idm.companyname.com`. It is the foundation of SSO configuration in OpenIAM because it binds together the authentication policy, branding, and URL protection rules for a given domain.

Organizations can have multiple content providers per instance of OpenIAM. This allows different authentication policies for different user populations — for example, employees authenticating via an external IdP and customers authenticating directly through OpenIAM.

### Creating a Content Provider

1. Open a browser and go to `https://[OPENIAM_INSTANCE_NAME]/webconsole`.
2. Log in with a **Super Security Admin** account.
3. Go to **Access Control → Content Providers** and create a new content provider.
4. Enter a **Content Provider Name** to identify it within the webconsole.
5. Select whether your instance supports **HTTP**, **HTTPS**, or both. Prefer HTTPS only: the authentication cookie travels with every request to this domain, and plain HTTP exposes it on the wire.
6. Select **Save**.

### Configuring a Content Provider

1. Log in to the Webconsole.
2. Go to **Access Control → Content Providers**.
3. Click the **Actions** button for the content provider you want to configure.

The following fields are available on the Edit Content Provider screen:

<table><thead><tr><th width="290.66668701171875">Field</th><th>Description</th></tr></thead><tbody><tr><td>Authentication Provider</td><td>The authentication provider (and its policy) applied at login for this domain. This setting determines whether OpenIAM acts as the IdP or delegates to an external IdP.</td></tr><tr><td>Content Provider Name</td><td>A name to identify this content provider.</td></tr><tr><td>Description</td><td>Optional description.</td></tr><tr><td>URL</td><td>The landing page for this content provider.</td></tr><tr><td>Domain Pattern</td><td>The host pattern that incoming requests are matched against to select this content provider, for example <code>idm.companyname.com</code>.</td></tr><tr><td>Authentication Cookie Name</td><td>Name of the cookie that carries the authentication token.</td></tr><tr><td>Authentication Cookie Domain</td><td>Domain attribute of the authentication cookie. A browser only keeps the cookie if this value equals the host in the domain pattern or is a parent of it (<code>companyname.com</code> for <code>idm.companyname.com</code>). A parent domain makes the token available to every host under it, so use the narrowest domain the SSO flow needs.</td></tr><tr><td>UI Theme</td><td>Pre-configured stylesheet and branding to apply to this domain. Themes are managed under <strong>Administration → UI Themes</strong>.</td></tr><tr><td>Does this application support SSL?</td><td>Whether this domain is served over HTTPS (Yes or No).</td></tr><tr><td>Is Authorization Disabled?</td><td>Controls whether OpenIAM checks entitlements after authentication. With authorization in force (option not selected), users must be explicitly entitled to the content provider's resource to access it; selecting the option skips that check, so any authenticated user can reach the domain.</td></tr><tr><td>Show on Applications Page</td><td>When enabled, the content provider appears on the <strong>My Applications</strong> page and launch pad in the self-service portal.</td></tr><tr><td>Support Global Logout</td><td>When enabled, logging out of OpenIAM ends all of the user's active SSO sessions, not only the OpenIAM one. When disabled, only the OpenIAM session ends.</td></tr><tr><td>Postback URL Parameter Name</td><td>Name of the query parameter that, when a user is redirected to the login page, holds the URL to return them to after successful authentication. Its value arrives from the browser, so only targets under this content provider's domain should be honoured.</td></tr></tbody></table>

4. Select **Save**.
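The cookie settings above are easy to get subtly wrong: a Domain attribute that does not cover the host in the domain pattern is silently discarded by the browser, and a token cookie without `Secure` or `HttpOnly` is exposed to plaintext requests and to page script. The POSIX shell script below is an added example, not OpenIAM's own tooling. It checks a captured response header file (for instance from `curl -sS -o /dev/null -D headers.txt https://idm.companyname.com/`) against the cookie name, the host and the SSL answer you entered. The cookie name `OPENIAM_AUTH` and the host names used are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of OpenIAM: check the Authentication Cookie Name /
# Authentication Cookie Domain settings of a content provider against what a
# browser will accept, using captured response headers of the landing URL.
# Cookie name OPENIAM_AUTH and the hosts are assumptions for the example.
set -eu

# cookie_domain_matches HOST DOMAIN
# Returns 0 when a cookie carrying Domain=DOMAIN is accepted by a browser
# visiting HOST (RFC 6265 domain-match: equal, or HOST ends in ".DOMAIN").
cookie_domain_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  dom=${dom#.}                       # browsers ignore a leading dot
  case "$dom" in
    *.*) ;;                          # must contain a dot: a bare TLD such as "com" is rejected
    *) return 1 ;;                   # (the public-suffix list is not consulted here)
  esac
  [ "$host" = "$dom" ] && return 0
  case "$host" in *."$dom") return 0 ;; esac
  return 1
}

# check_auth_cookie HEADERS_FILE COOKIE_NAME HOST SSL(yes|no)
# Finds the Set-Cookie header for COOKIE_NAME and verifies that its Domain
# attribute covers HOST, that it is HttpOnly, and that it is Secure when the
# content provider answers "Yes" to "Does this application support SSL?".
check_auth_cookie() {
  hdrs=$1; name=$2; host=$3; ssl=$4
  line=$(grep -i "^set-cookie: *$name=" "$hdrs" | head -n 1 | tr -d '\r')
  [ -n "$line" ] || { echo "FAIL: no Set-Cookie for $name" >&2; return 1; }
  # attribute list after the first ';', lower-cased and without spaces
  attrs=$(printf '%s' "$line" | cut -d';' -f2- | tr 'A-Z' 'a-z' | tr -d ' ')
  domain=$(printf '%s' "$attrs" | tr ';' '\n' | sed -n 's/^domain=//p' | head -n 1)
  if [ -n "$domain" ] && ! cookie_domain_matches "$host" "$domain"; then
    echo "FAIL: Domain=$domain does not cover $host; the browser will drop the cookie" >&2
    return 1
  fi
  case ";$attrs;" in
    *";httponly;"*) ;;
    *) echo "FAIL: $name is missing HttpOnly" >&2; return 1 ;;
  esac
  if [ "$ssl" = yes ]; then
    case ";$attrs;" in
      *";secure;"*) ;;
      *) echo "FAIL: $name is missing Secure on an SSL content provider" >&2; return 1 ;;
    esac
  fi
  echo "ok: $name domain=${domain:-<host-only>} host=$host attributes=$attrs"
}
```

Run it after saving the content provider, for example `check_auth_cookie headers.txt OPENIAM_AUTH idm.companyname.com yes`; a non-zero exit with a `FAIL:` line names the field to revisit. The domain check implements the RFC 6265 domain-match rule but does not consult the public-suffix list, so a cookie scoped to a registrable suffix such as `co.uk` is not caught.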

***

## Authentication Provider

An **authentication provider** defines how users authenticate for a given content provider or URI pattern. It is also how OpenIAM registers individual SSO integrations — each SAML SP, OAuth client, or OIDC client is configured as an authentication provider.

### Creating an Authentication Provider

1. Log in to the Webconsole.
2. Go to **Access Control → Authentication Providers**.
3. Select **Create New Provider**.
4. Select the provider type from the dropdown:

| Provider Type                               | Use for                                                       |
| ------------------------------------------- | ------------------------------------------------------------- |
| Add service to OpenIAM (IdP)                | Registering a SAML service provider — OpenIAM acts as the IdP |
| Add OpenIAM as Service Provider to your IdP | Federating OpenIAM into an external IdP such as Entra ID      |
| OAuth Client                                | Configuring an OAuth 2.0 or OIDC client                       |

### Linking an Authentication Provider to a Content Provider

After creating an authentication provider, link it to the relevant content provider so that users arriving at that domain are authenticated using the correct policy:

1. Go to **Access Control → Content Providers**.
2. Open the content provider you want to configure.
3. In the **Authentication Provider** field, select your provider from the dropdown.
4. Select **Save**.

***

## Generating a Key Pair (SAML)

SAML integrations need an RSA key pair and an X.509 certificate that carries the public key: the private key signs the SAML messages OpenIAM sends, and the certificate is published to the other party so it can verify them. Use OpenSSL to generate them.

**Verify OpenSSL is installed:**

```bash
openssl version -a
```

If not installed, see [Install OpenSSL](https://docs.openiam.com/docs-2026.5.1/appendix/2-openssl).

**Generate the key pair:**

```bash
# Generate a PEM-encoded RSA private key. Use at least 2048 bits; 1024-bit RSA
# is too weak to sign SAML assertions with.
openssl genrsa -out privkey.pem 2048
chmod 600 privkey.pem

# Derive the DER-encoded public key
openssl rsa -in privkey.pem -pubout -outform DER -out pubkey.der

# Convert the private key to PKCS#8 / DER. -nocrypt leaves it unencrypted, so
# protect the file the same way as privkey.pem
openssl pkcs8 -topk8 -inform PEM -outform DER -in privkey.pem -out privkey.der -nocrypt
chmod 600 privkey.der

# Generate a self-signed X.509 certificate. -subj avoids the interactive
# prompts; set the CN to your OpenIAM host
openssl req -new -x509 -sha256 -days 365 -key privkey.pem -subj "/CN=idm.companyname.com" -out cert.pem
```
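As an added example (not OpenIAM's or OpenSSL's own tooling), the script below wraps the commands above into a function and adds the check a practitioner should run before uploading anything: that the certificate and the PKCS#8 copy actually belong to the generated private key, and that the key meets a minimum size. It assumes OpenSSL 1.1.1 or later on `PATH`; the output directory, CN, key size and validity are arguments.

```shell
#!/bin/sh
# Added example, not OpenIAM tooling: generate the SAML key material in the
# formats listed above and verify it before uploading to OpenIAM or the SP.
# Assumptions: OpenSSL 1.1.1 or later on PATH; directory, CN, key size and
# validity are supplied by the caller.
set -eu

# gen_saml_keypair DIR CN [BITS] [DAYS]
# Runs in a subshell so the restrictive umask does not leak into the caller.
gen_saml_keypair() (
  dir=$1; cn=$2; bits=${3:-2048}; days=${4:-365}
  mkdir -p "$dir"
  umask 077                          # private key files: owner-only
  openssl genrsa -out "$dir/privkey.pem" "$bits" 2>/dev/null
  openssl rsa -in "$dir/privkey.pem" -pubout -outform DER -out "$dir/pubkey.der" 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$dir/privkey.pem" -out "$dir/privkey.der"
  # -subj skips the interactive prompts. SAML peers trust this certificate
  # because it is in their metadata, not via a CA chain, so self-signed is normal.
  openssl req -new -x509 -sha256 -days "$days" -key "$dir/privkey.pem" \
    -subj "/CN=$cn" -out "$dir/cert.pem" 2>/dev/null
  # The DER public key and the certificate are public; only the two
  # private-key files are secret.
  chmod 644 "$dir/pubkey.der" "$dir/cert.pem"
)

# verify_saml_keypair DIR [MINBITS]
# Returns 0 only if cert.pem, privkey.pem and privkey.der carry the same key
# and the RSA modulus is at least MINBITS (default 2048).
verify_saml_keypair() {
  dir=$1; minbits=${2:-2048}
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
  case "$key_pub" in
    *"BEGIN PUBLIC KEY"*) ;;
    *) echo "FAIL: cannot read $dir/privkey.pem" >&2; return 1 ;;
  esac
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: cert.pem does not match privkey.pem" >&2; return 1; }
  der_pub=$(openssl pkey -inform DER -in "$dir/privkey.der" -pubout 2>/dev/null)
  [ "$der_pub" = "$key_pub" ] ||
    { echo "FAIL: privkey.der does not match privkey.pem" >&2; return 1; }
  bits=$(openssl rsa -in "$dir/privkey.pem" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge "$minbits" ] ||
    { echo "FAIL: ${bits:-unknown}-bit key is below the $minbits-bit minimum" >&2; return 1; }
  echo "ok: $bits-bit RSA key; cert.pem and privkey.der match privkey.pem"
}
```

Source the file and run `gen_saml_keypair ./saml-keys idm.companyname.com && verify_saml_keypair ./saml-keys`; `cert.pem` is what you hand to the service provider, and the two `privkey.*` files stay on the OpenIAM host.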

***

## Granting users access to an SSO application

Once an authentication provider is configured, grant users access by entitling a role or group to it.

1. Go to **Access Control → Role** and find the role you want to entitle.
2. Click the icon in the **Actions** column to open the role details.
3. Go to **Role Entitlements** in the side menu.

<figure><img src="/files/Y6u7tChqBxCeeNsqQKqd" alt=""><figcaption></figcaption></figure>

4. Right-click **Resource** and select **Add**.

<figure><img src="/files/b0Gueo4LiExN2jt48rTx" alt=""><figcaption></figcaption></figure>

5. From **Resource type**, select **Authentication provider**.
6. From the adjacent dropdown, select your authentication provider.

<figure><img src="/files/kXpI1AH4y6E9O4lw3k2d" alt=""><figcaption></figcaption></figure>

The role is now entitled. Users assigned to this role will see the application on their SSO launch pad in the self-service portal.

***

## Validating an SSO integration

To test any SSO configuration:

1. Log in to the OpenIAM SelfService portal with an account that has been assigned a role entitled to the authentication provider of the application.
2. Go to the **SSO launch pad** (My Applications).
3. If the configuration is correct, clicking the application tile will sign you into the service provider automatically.

***

## Next Steps

* To configure Entra ID as the IdP with OpenIAM as the SP, see [Integrating OpenIAM as your SP](/federation/integrating-openiam-as-your-sp.md).
* To configure OpenIAM as the IdP for Entra ID, see [Integrating OpenIAM as your IdP](/federation/integrating-openiam-as-your-idp.md).
* To configure OAuth 2.0 or OIDC clients, see [OIDC and OAuth Integration](/federation/oidc-and-oauth-integration.md).


