Most organizations that use Iru Identity as their identity provider have people
sign in directly with a passkey or the Iru Access app. Connect an OIDC provider
when you use Iru Identity as an authentication layer into the Iru platform
rather than as your primary identity provider, or to ease a migration onto Iru
Identity. See Federated Authentication.
You need administrator access to your Iru tenant, and administrator access to
your OIDC identity provider, to complete this connection.
Before you begin
Register Iru as an application with your provider
In your OIDC provider, create an application (client) for Iru - typically a
web or confidential client that uses the authorization code flow. You
will get a client ID and a client secret to enter into Iru. The exact
steps live in your provider’s console; follow its current documentation.
Add Iru's redirect URI
Your provider needs to know where to send the person back after they sign in.
Copy the redirect URI that Iru shows for this connection and add it to the
list of allowed redirect URIs on your provider’s application.
Confirm the scopes you need
Iru requests the standard OpenID Connect scopes - openid, profile, and email - so
your provider returns the person's basic profile and email. Make sure your
provider is configured to release the claim you plan to match on.
Make sure your people exist in Iru
Sign-in through a connection resolves to an existing Iru user; it does not create
one. Add or import your people first - see Importing users or Directory Sync.
Connect an OIDC provider
Enter your client details
Provide the client ID and client secret from the application you
registered with your provider, along with the details Iru needs to reach your
provider’s sign-in endpoints.
Choose the user identifier claim
Tell Iru which claim in your provider’s response identifies the person -
for example, the subject, email, or preferred username claim. This is the
value Iru reads to recognize who signed in.
Set user matching
Choose which Iru user value to match that claim against - UPN, username,
external ID, or a custom attribute. Pick a value that is unique and stable
for every person. See user matching.
Choose what the connection is used for
Select the connection’s use cases - end-user sign-in, device
enrollment, or both.
Restrict to your domains
If you want only people in specific email domains to use this connection,
enable domain restrictions and add those domains.
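The steps above (redirect URI and scopes from the prerequisites, then identifier claim, user matching and domain restriction) are easiest to see as one relying-party flow. The following is an added, illustrative example and not Iru's own code or API: the issuer, client ID, redirect URI, user records and attribute names are all constructed for the example, and the `email_verified` requirement is a policy assumption of this example, not documented Iru behaviour.

```python
"""Relying-party side of an OIDC connection, modelled on the steps above.

Illustrative code, not Iru's implementation or API: the issuer, client,
redirect URI, user records and attribute names are constructed for this example.
"""
import time
from typing import Optional
from urllib.parse import urlencode

ISSUER = "https://idp.example.com"                  # assumed provider issuer
CLIENT_ID = "iru-client-id"                         # from the app registered with the provider
REDIRECT_URI = "https://iru.example/oidc/callback"  # the URI shown for the connection; must be allow-listed
SCOPES = "openid profile email"                     # the standard scopes the page lists

# Constructed user store. Note the two "alice" usernames: username is not a
# safe match attribute here, while UPN and external ID are unique.
USERS = [
    {"upn": "alice@example.com", "username": "alice", "external_id": "a1"},
    {"upn": "alice@contractor.example", "username": "alice", "external_id": "a2"},
    {"upn": "bob@example.com", "username": "bob", "external_id": "b1"},
]


def build_authorization_url(state: str, nonce: str) -> str:
    """Authorization-code request the relying party redirects the person to.
    state binds the callback to this browser session; nonce binds the ID token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def validate_id_token_claims(claims: dict, expected_nonce: str, now: Optional[float] = None) -> None:
    """Standard OIDC checks on a (signature-verified) ID token's claims."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")


def match_user(claims: dict, identifier_claim: str, match_attribute: str,
               allowed_domains: Optional[set] = None) -> dict:
    """Resolve the configured identifier claim to exactly one existing user."""
    identifier = claims.get(identifier_claim)
    if not identifier:
        raise LookupError(f"claim {identifier_claim!r} missing from provider response")
    if allowed_domains is not None:
        domain = claims.get("email", "").rpartition("@")[2].lower()
        if domain not in allowed_domains:
            raise PermissionError(f"email domain {domain!r} not allowed on this connection")
    if identifier_claim == "email" and claims.get("email_verified") is not True:
        # Policy assumption for this example, not documented Iru behaviour:
        # only accept an email identifier the provider marks as verified.
        raise PermissionError("email claim not marked verified")
    matches = [u for u in USERS if u.get(match_attribute) == identifier]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match {match_attribute}={identifier!r}; need exactly one")
    return matches[0]


def resolve_sign_in(claims: dict, expected_nonce: str, identifier_claim: str,
                    match_attribute: str, allowed_domains: Optional[set] = None,
                    now: Optional[float] = None) -> dict:
    """Whole post-callback decision as one structured outcome (handy for logging)."""
    try:
        validate_id_token_claims(claims, expected_nonce, now)
        user = match_user(claims, identifier_claim, match_attribute, allowed_domains)
        return {"ok": True, "user": user, "reason": "matched"}
    except (ValueError, LookupError, PermissionError) as exc:
        return {"ok": False, "user": None, "reason": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Constructed claims as a provider might return them after a successful sign-in.
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300, "nonce": "n-1",
              "sub": "a1", "email": "alice@example.com", "email_verified": True,
              "preferred_username": "alice"}
    print(build_authorization_url("s-1", "n-1"))
    print(resolve_sign_in(claims, "n-1", "email", "upn", {"example.com"}))
    print(resolve_sign_in(claims, "n-1", "preferred_username", "username"))  # ambiguous: rejected
```

The point of the constructed user store is the "unique and stable" requirement from the user matching step: matching `preferred_username` against `username` is refused because two users share it, whereas matching `sub` against the external ID or a verified `email` against the UPN resolves to exactly one person. Anything that cannot be resolved to exactly one existing user is rejected rather than guessed.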
How sign-in works once connected
When someone signs in, Iru hands the sign-in off to your OIDC provider. The
provider authenticates the person and returns identity claims; Iru reads the
identifier claim, matches it to an existing Iru user, and only then continues
the session. Before granting access, Iru evaluates the app's authentication
policy. For the full picture, see System architecture.
Related
Federated Authentication
Use cases, domain restrictions, and user matching, explained in one place.
Custom SAML
Connect an identity provider that uses SAML instead of OpenID Connect.
Google Workspace
Connect Google Workspace with its ready-made template.
Microsoft Entra ID
Connect Microsoft Entra ID with its ready-made template.