Skip to main content
Scalefield Documentation
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage Support
  1. Scalefield
  2. /
  3. Guides
  4. /
  5. Organization
  6. /
  7. Single Sign-On

Single Sign-On

If your organization uses OpenID Connect (OIDC) for authentication, users may access Scalefield through an OIDC-compliant single sign-on (SSO) provider such as Keycloak, Okta, or others.

OIDC Provider Configuration

To enable OIDC authentication with Scalefield, configure your OIDC provider as follows. Refer to your provider’s documentation for implementation details.

  • Define users and groups authorized to log in to Scalefield.
  • Ensure the OIDC provider exposes a configuration document at the standard well-known URI of the Authorization Server. See the OpenID Connect specification for details.
  • To manage user access via OIDC groups, define a custom group claim in the ID token. This claim must include all relevant groups.
    • Enable the memberof feature (if supported) so that group membership updates propagate to user claims.
  • Register Scalefield as a client application with the OIDC provider.
    • Set Scalefield’s callback URI as the redirect_uri for the client. This is where the provider sends ID tokens after authentication.

Here is a revised, more professional and concise version of your section titled “Configure an OIDC Provider in Harbor”, rewritten to match the tone and style of the previous revision:

Configure an OIDC Provider in Scalefield

Before proceeding, ensure your OIDC provider is configured as described in the previous section.

  1. Log in to Scalefield with an account with owner privileges for the target organization.

  2. Navigate to Organization ManagementSSO tab.

  3. Provide the required OIDC provider details:

    • Issuer URL: Endpoint URL of the OIDC provider.
    • Client ID: Identifier used to register Scalefield with the OIDC provider.
    • Client Secret: Secret associated with the Scalefield client application.
    • Group Claim Name (optional): Name of the custom group claim configured in your OIDC provider. This claim should include all groups to be used in Scalefield.
    • Associated Domains: List of email domains (portion after @) used to associate users with the organization during login.

  4. If your OIDC provider uses a self-signed or untrusted certificate, disable Verify Certificate.

  5. Confirm that the Web Origin and Redirect URI displayed match those configured in your OIDC provider.

  6. Click Submit to save the configuration.

Log In to Scalefield Using an OIDC Provider

Once an organization owner configures OIDC, the Continue with SSO button appears on the Scalefield login page.

Clicking this button redirects you to the configured OIDC provider for authentication. After successful authentication, you are redirected back to Scalefield, granted a user session and automatically added to the corresponding organization.

Mapping OIDC Groups to Teams

By default, users authenticating via OIDC are added to the organization without any permissions and cannot access resources.

To grant access, you can associate OIDC groups with teams in Scalefield:

  1. Go to the Teams tab within your organization.
  2. Edit an existing team or create a new one.
  3. Click Add Groups in the top-right corner.

Scalefield will suggest known OIDC groups based on previously logged-in users. You can also manually enter group names using the free-text field.

Once a group is added to a team, all users in that group automatically inherit the team’s permissions.

gdoc_arrow_left_alt Teams A product of CYBERTEC Creating a service gdoc_arrow_right_alt