
OpenID Connect Identity Provider Plugin

Administrator Configuration

  • Callback URL: This is the URL required by the OpenID Service (Google, Keycloak, etc.) to redirect back to Joget after the user logs in on the OpenID Service’s login page.
  • Configuration Name: This is used as a friendly name to display to users on their profile page.
  • Issuer Configuration:
    • Automatic: Select this option if the OpenID Service supports the OpenID Connect Discovery standard.
    • Manual: Additional configuration is required after selecting this option.
  • Issuer URL: The URL of the OpenID Service.
  • Authorization Endpoint: Available with Manual Issuer Configuration. The OpenID Service’s authorization URL.
  • Token Endpoint: Available with Manual Issuer Configuration. The token endpoint URL of the issuer to obtain the token info.
  • UserInfo Endpoint: Available with Manual Issuer Configuration. The user info endpoint URL of the issuer to obtain user info.
  • JSON Web Key Set Endpoint: Available with Manual Issuer Configuration. The JSON Web Key Set URL of the issuer to obtain JSON Web Token claims.
  • Logout Endpoint: Available with Manual Issuer Configuration. The logout URL of the issuer to call when a Joget user logs out.
  • Response Type: The response type(s) required by the issuer.
  • Client ID: The ID of your client provided by the issuer.
  • Client Secret: The secret of your client provided by the issuer.
  • Scope: The user info scope(s) your client is requesting from the issuer.
  • User Provisioning: Whether to provision a new user if no existing user is found.
  • Editable User Profile: Available with User Provisioning enabled. Whether the provisioned user is able to edit their own profile.
  • Automatic Linking: Whether to automatically link an identity provider's user to an existing user when an email matches.
  • Login Button: The icon and text shown on the login screen for this identity provider method.
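
How the Manual fields relate to the OpenID Connect Discovery document that the Automatic option relies on, as an added example (not Joget's code). The metadata names are the standard discovery ones; the sample document and the `idp.example` host are constructed, and the HTTPS and issuer checks are ones an administrator can run before pasting the values in.

```python
from urllib.parse import urlsplit

# Discovery metadata name -> label used in the plugin's Manual configuration.
FIELD_MAP = {
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "userinfo_endpoint": "UserInfo Endpoint",
    "jwks_uri": "JSON Web Key Set Endpoint",
    "end_session_endpoint": "Logout Endpoint",
}
REQUIRED = {"authorization_endpoint", "token_endpoint", "jwks_uri"}


def discovery_url(issuer_url):
    """Location of the provider metadata for a given Issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def manual_fields(issuer_url, metadata):
    """Return (fields, problems) for a parsed discovery document."""
    fields, problems = {}, []
    # The document's issuer must equal the configured Issuer URL exactly.
    if metadata.get("issuer") != issuer_url:
        problems.append("issuer mismatch: %r" % metadata.get("issuer"))
    for key, label in FIELD_MAP.items():
        value = metadata.get(key)
        if not value:
            if key in REQUIRED:
                problems.append("missing " + key)
            continue
        if urlsplit(value).scheme != "https":
            problems.append("%s is not https" % key)
        fields[label] = value
    return fields, problems


# Constructed sample metadata (idp.example is a placeholder host).
SAMPLE = {
    "issuer": "https://idp.example/realms/demo",
    "authorization_endpoint": "https://idp.example/realms/demo/auth",
    "token_endpoint": "https://idp.example/realms/demo/token",
    "jwks_uri": "http://idp.example/realms/demo/certs",
    "end_session_endpoint": "https://idp.example/realms/demo/logout",
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE["issuer"]))
    for item in manual_fields(SAMPLE["issuer"], SAMPLE):
        print(item)
```
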

Administrator Configuration

  1. Click on the + Add new Identity Provider button, then choose OpenID Connect Identity Provider Plugin.

  2. Fill in the required fields with the appropriate information:

Please refer to the table in the Configuration section above, or hover your cursor over the icon next to each label to get more information.
For more information on the behaviour of the Automatic Linking and User Provisioning options, you may refer to Identity Provider (IdP).
  3. Once the configuration has been completed, click the Submit button.

  4. Ensure the IdP feature is enabled system-wide by checking the checkbox next to the title.

User Configuration

Once the administrator has configured the OpenID Connect Plugin and enabled the IdP feature system-wide, users will be able to see a new section in their profile page.

There are a few ways to link an IdP user account to a Joget user account:

  1. Manually link through the user profile

  2. Automatically link during login

  3. Automatically create a new user account during login

Option 1: Manually link through the user profile

  1. Go to your user profile and find the Identity Provider section.

If you do not see the section, please ensure the administrator has enabled the IdP feature and has at least one IdP plugin configured.
  2. Click on the Link button next to the IdP of your choice, and you should be redirected to the OpenID provider’s login or consent page.

  3. After completing the login/consent pages on the IdP, you should be redirected back to Joget.

  4. Check that the identity provider has been linked by going to your user profile.

  5. The button should now say Unlink. This means that the IdP has been linked to your account.

Option 2: Automatically link during login

  1. The following prerequisites must be fulfilled to make sure that automatic linking works:

    • The administrator has enabled the Automatic Linking option in the plugin’s configuration.

    • Your Joget account’s email address is the same as your IdP account’s email address.

    • No other Joget accounts share the same email address as your Joget account.

  2. On the login page, click on the IdP’s login button, and you should be redirected to the OpenID provider’s login or consent page.

  3. After completing the login/consent pages on the IdP, you should be redirected back to Joget.

  4. Check that the identity provider has been linked by going to your user profile.

  5. The button should now say Unlink. This means that the IdP has been linked to your account.

Option 3: Automatically create a new user account during login

  1. The following prerequisite must be fulfilled to make sure that user provisioning works:

    • The administrator has enabled the User Provisioning option in the plugin’s configuration.

  2. On the login page, click on the IdP’s login button, and you should be redirected to the OpenID provider’s login or consent page.

  3. After completing the login/consent pages on the IdP, you should be redirected back to Joget.

  4. Your Joget account should now be linked to the IdP.

You might not be able to access the user profile page if the administrator has not enabled the Editable User Profile option for the plugin.
To check whether your Joget account has been linked, you may log out and log back in with the same IdP.
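
The linking and provisioning rules from Options 2 and 3, modelled as an added example (a hypothetical `decide` function, not Joget's implementation). The `email_verified` check, the refusal to provision when an address already exists, and the choice of username are assumptions added here; the page does not describe how the plugin handles them.

```python
def decide(claims, users, links, issuer, auto_linking, provisioning):
    """Return (action, username) for a completed OIDC login.

    claims : ID token claims already validated by the OIDC client
    users  : {username: email} of existing local accounts
    links  : {(issuer, sub): username} of existing IdP links
    """
    key = (issuer, claims["sub"])
    if key in links:                       # already linked: plain login
        return "login", links[key]

    email = (claims.get("email") or "").strip().lower()
    matches = [u for u, e in users.items() if e.strip().lower() == email]

    if auto_linking and email and matches:
        # Added hardening (assumption, not stated on the page): only trust
        # an address the IdP asserts as verified.
        if claims.get("email_verified") is not True:
            return "reject", None
        # Page prerequisite: no other account shares the address.
        if len(matches) > 1:
            return "reject", None
        links[key] = matches[0]
        return "link", matches[0]

    # Provision only when no local account owns the address (assumption).
    if provisioning and not matches:
        username = email or claims["sub"]  # username choice is an assumption
        users[username] = email
        links[key] = username
        return "provision", username
    return "reject", None


if __name__ == "__main__":
    # Constructed accounts and claims.
    users = {"alice": "alice@example.com", "bob1": "bob@example.com",
             "bob2": "Bob@example.com"}
    links, iss = {}, "https://idp.example"
    for c in ({"sub": "1", "email": "alice@example.com", "email_verified": True},
              {"sub": "2", "email": "bob@example.com", "email_verified": True},
              {"sub": "3", "email": "alice@example.com"},
              {"sub": "4", "email": "carol@example.com", "email_verified": True}):
        print(c["sub"], decide(c, users, links, iss, True, True))
```
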

Single Logout (SLO)

Single Logout (SLO) allows you to log out of your IdP when a logout action is performed in Joget. All prerequisites below must be satisfied for SLO to work as intended:

  1. The current Joget session must be logged in with the same IdP you intend to log out with.

  2. Depending on the IdP’s implementation, the same browser session must be used.

Note
As all IdP implementations are different, we cannot guarantee that your IdP can be logged out on different browser sessions.

With these requirements satisfied, clicking the logout button in Joget will trigger a logout request to be sent from the Joget server to the OpenID Provider.

Created by Debanraj Last modified by Debanraj on May 23, 2025