{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"redocly_category":"Journeys","product":"Identity Management","type":"markdown"},"seo":{"title":"External IDP","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"external-idp","__idx":0},"children":["External IDP"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["External IDP connectors let you integrate your existing identity providers with Mosaic via journeys. They are primarily used in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/platform/migrate_to_mosaic"},"children":["Just-In-Time (JIT) migration"]}," scenarios, where users are authenticated against your existing IDP and provisioned in Mosaic as they log in. Social providers (Google, Meta, Apple) can also be used to enable social login in your journeys."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"supported-providers","__idx":1},"children":["Supported providers"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic provides pre-built connectors for the following identity providers. 
Available authentication methods vary by provider and are exposed as journey steps."]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Provider"},"children":["Provider"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"OIDC"},"children":["OIDC"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Password"},"children":["Password"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Email OTP"},"children":["Email OTP"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"SMS OTP"},"children":["SMS OTP"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"TOTP"},"children":["TOTP"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Okta"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_okta_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_okta_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_okta_totp"},"children":["✓"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Auth0"]},{"$$mdtype":"Tag","name":"td","attributes"
:{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_auth0_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_auth0_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["AWS Cognito"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_cognito_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_cognito_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_cognito_otp_generate"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_cognito_otp_generate"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Microsoft Entra 
ID"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_azuread_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_azure_ad_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Keycloak"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_keycloak_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_keycloak_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_keycloak_totp"},"children":["✓"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OneLogin"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_onelogin_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_onelogin_password"},"children":["✓"]}]},{
"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ping Identity"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_pingone_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_pingone_password"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Google"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_google_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Meta 
(Facebook)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_meta_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Apple"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/authenticate_apple_oidc"},"children":["✓"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["–"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"add-connector","__idx":2},"children":["Add connector"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To add an external IDP connector:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the Admin Portal, navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integration Hub"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["External IDP"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select your identity provider."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enable connector."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enter a name for the connector."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enable the authentication methods you want to 
use."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Complete the connector fields:"]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication methods"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The authentication methods to enable. Available methods vary by provider—see the provider sections below."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Domain / server / realm"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The provider-specific identifier for your IDP instance (for example, your Okta domain, Cognito user pool details, or Keycloak realm URL). 
See the provider sections below for details."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The OAuth2 client ID and secret Mosaic uses to authenticate against your IDP."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom endpoints"]}," (Advanced)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Override default IDP endpoints if you use a custom domain."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"ol","attributes":{"start":7},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test"]}," to verify the connection."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"auth0","__idx":3},"children":["Auth0"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC and password authentication against Auth0."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect","__idx":4},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allowed Callback URLs"]}," in your Auth0 application."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": 
Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]}," grant type in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Advanced Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Grant Types"]},". Also set the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Default Directory"]}," to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Username-Password-Authentication"]}," in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API Authorization Settings"]},"—without this, the password grant fails."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields","__idx":5},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Auth0 domain"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your Auth0 tenant domain (e.g., 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["your-tenant.us.auth0.com"]},")."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from your Auth0 application."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"aws-cognito","__idx":6},"children":["AWS Cognito"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC, password, and OTP (email and SMS) authentication against AWS Cognito."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-1","__idx":7},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In your Cognito app client settings, enable the authentication flows for the methods you plan to use:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Enable ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Authorization code grant"]}," in Hosted UI settings. Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allowed callback URLs"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Enable ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ALLOW_USER_PASSWORD_AUTH"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OTP"]},": Enable ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["ALLOW_USER_AUTH"]},". 
In the user pool's sign-in settings, also enable email or SMS OTP under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Options for choice-based sign-in"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you use OTP, ensure MFA is set to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Optional"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No MFA"]},"—setting it to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Required"]}," is incompatible with OTP as a first-factor authentication method."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-1","__idx":8},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["AWS Region"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The AWS region where your User Pool is located."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from your Cognito app 
client."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User Pool ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ID of your Cognito User Pool (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eu-north-1_xxxxxx"]},")."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Domain"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your Cognito Hosted UI domain (required for OIDC)."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"okta","__idx":9},"children":["Okta"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC, password, and TOTP authentication against Okta."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-2","__idx":10},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In Okta, create a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Native"]}," application (ROPC, the Resource Owner Password Credentials grant used for password authentication, requires the Native type, not Web). Enable the grant types for the methods you plan to use:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Code"]}," grant type. 
Add the redirect URI from your application's client settings as a sign-in redirect URI."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Resource Owner Password"]}," grant type (under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Advanced"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Other grants"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["TOTP"]},": Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Interaction Code"]}," grant type (under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Advanced"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Other grants"]},") and turn on ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Embedded widget sign-in support"]}," in ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Account"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For each method, ensure the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Server access policy"]}," (",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Security"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Servers"]},") includes the corresponding grant type. 
Configure the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication policy"]}," assigned to the application to allow ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]}," factor for password and OIDC, or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Possession factor"]}," for TOTP."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-2","__idx":11},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Okta domain"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your Okta organization domain (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["your-org.okta.com"]},")."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorization Server ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ID of the Okta authorization server. 
Use ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["default"]}," for the default authorization server."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from the Native application."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"microsoft-entra-id","__idx":12},"children":["Microsoft Entra ID"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC and password authentication against Microsoft Entra ID."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-3","__idx":13},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In Azure Portal, create an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["App registration"]}," under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Configure redirect URIs under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Platform configurations"]},". 
Add the redirect URI from your application's client settings."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Enable ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow public client flows"]}," under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authentication"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Advanced settings"]},". This is required for the Resource Owner Password Credentials (ROPC) flow—without it, password authentication fails. MFA must not be enforced for users authenticating via ROPC, because the flow cannot handle interactive MFA challenges; Entra ID therefore verifies only the password for these sign-ins."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create a client secret under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Certificates & secrets"]}," and note the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant ID"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client ID"]}," from the application overview."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-3","__idx":14},"children":["Connector 
fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your Azure Directory (tenant) ID."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and client secret from your app registration."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"keycloak","__idx":15},"children":["Keycloak"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC, password, and TOTP authentication against Keycloak."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-4","__idx":16},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create a confidential client in your Keycloak realm with ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client authentication"]}," enabled. 
Configure the authentication flows for the methods you plan to use:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Enable ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Standard flow"]},". Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Valid redirect URIs"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Enable ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Direct access grants"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["TOTP"]},": Create a custom ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Direct Grant"]}," authentication flow containing ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Username Validation"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OTP"]}," executions (both Required), and bind it as the Direct grant flow. 
Users must have a TOTP authenticator enrolled before they can use this method."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-4","__idx":17},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Keycloak Server URL"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The base URL of your Keycloak realm (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://your-keycloak.com"]},")."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Realm"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Keycloak realm name to authenticate against."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from your Keycloak 
client."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"onelogin","__idx":18},"children":["OneLogin"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC and password authentication against OneLogin."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-5","__idx":19},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OpenID Connect"]}," application in your OneLogin admin console. Add the redirect URI from your application's client settings to the application's ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Redirect URIs"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Set the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Token Endpoint Authentication Method"]}," in the application's SSO settings based on the methods you plan to use:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Set to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Basic"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Set to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["POST"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["These settings conflict—only one can be active per application. 
If you need both OIDC and password authentication, create two separate OneLogin applications and configure one connector for each."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Ensure users are assigned to the application."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-5","__idx":20},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OneLogin subdomain"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Your OneLogin subdomain (e.g., ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["your-company.onelogin.com"]},")."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from the SSO tab of your OneLogin application."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"ping-identity","__idx":21},"children":["Ping Identity"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC and password authentication against Ping Identity 
(PingOne)."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-6","__idx":22},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create an OIDC application in your PingOne environment."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OIDC"]},": Add the redirect URI from your application's client settings to the application's redirect URIs."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]},": Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Resource Owner Password Credentials"]}," grant type for the application. Leave this grant type disabled if you use only OIDC."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-6","__idx":23},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PingOne Environment ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ID of your PingOne 
environment."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Region"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The PingOne region to use in authentication requests."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Client credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from your PingOne application."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"google","__idx":24},"children":["Google"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC authentication with Google, enabling Sign in with Google in your journeys."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-7","__idx":25},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://console.cloud.google.com/"},"children":["Google Cloud Console"]},", create an OAuth 2.0 client (type: ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Web application"]},"). 
Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authorized redirect URIs"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-7","__idx":26},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0 Client Credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Client ID and secret from your Google OAuth 2.0 client."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"meta","__idx":27},"children":["Meta"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC authentication with Meta, enabling social login with Facebook accounts in your journeys."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-8","__idx":28},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developers.facebook.com/"},"children":["Meta for Developers"]},", create an app and configure the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Facebook Login"]}," product. 
Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Valid OAuth Redirect URIs"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-8","__idx":29},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0 Client Credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["App ID and App Secret from your Meta application."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["API version"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["API version to use for the Meta integration."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"apple","__idx":30},"children":["Apple"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Mosaic supports OIDC authentication with Apple, enabling Sign in with Apple in your journeys."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"before-you-connect-9","__idx":31},"children":["Before you connect"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In 
the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.apple.com/"},"children":["Apple Developer portal"]},", create a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Services ID"]}," for Sign in with Apple. Add the redirect URI from your application's client settings to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Return URLs"]},". You also need a private key to generate the client secret."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"connector-fields-9","__idx":32},"children":["Connector fields"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Value"},"children":["Value"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OAuth 2.0 Client Credentials"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Services ID (used as Client ID) and the generated client secret."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"next-steps","__idx":33},"children":["Next steps"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once configured, use the connector in your migration journey. 
See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/platform/migration_steps"},"children":["Set up JIT migration"]}," for a step-by-step guide."]}]},"headings":[{"value":"External IDP","id":"external-idp","depth":1},{"value":"Supported providers","id":"supported-providers","depth":2},{"value":"Add connector","id":"add-connector","depth":2},{"value":"Auth0","id":"auth0","depth":2},{"value":"Before you connect","id":"before-you-connect","depth":3},{"value":"Connector fields","id":"connector-fields","depth":3},{"value":"AWS Cognito","id":"aws-cognito","depth":2},{"value":"Before you connect","id":"before-you-connect-1","depth":3},{"value":"Connector fields","id":"connector-fields-1","depth":3},{"value":"Okta","id":"okta","depth":2},{"value":"Before you connect","id":"before-you-connect-2","depth":3},{"value":"Connector fields","id":"connector-fields-2","depth":3},{"value":"Microsoft Entra ID","id":"microsoft-entra-id","depth":2},{"value":"Before you connect","id":"before-you-connect-3","depth":3},{"value":"Connector fields","id":"connector-fields-3","depth":3},{"value":"Keycloak","id":"keycloak","depth":2},{"value":"Before you connect","id":"before-you-connect-4","depth":3},{"value":"Connector fields","id":"connector-fields-4","depth":3},{"value":"OneLogin","id":"onelogin","depth":2},{"value":"Before you connect","id":"before-you-connect-5","depth":3},{"value":"Connector fields","id":"connector-fields-5","depth":3},{"value":"Ping Identity","id":"ping-identity","depth":2},{"value":"Before you connect","id":"before-you-connect-6","depth":3},{"value":"Connector fields","id":"connector-fields-6","depth":3},{"value":"Google","id":"google","depth":2},{"value":"Before you connect","id":"before-you-connect-7","depth":3},{"value":"Connector fields","id":"connector-fields-7","depth":3},{"value":"Meta","id":"meta","depth":2},{"value":"Before you connect","id":"before-you-connect-8","depth":3},{"value":"Connector 
fields","id":"connector-fields-8","depth":3},{"value":"Apple","id":"apple","depth":2},{"value":"Before you connect","id":"before-you-connect-9","depth":3},{"value":"Connector fields","id":"connector-fields-9","depth":3},{"value":"Next steps","id":"next-steps","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"seo":{"title":"External IDP"}},"lastModified":"2026-05-26T13:25:26.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/orchestration/external-connections/external_idp","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}