Skip to main content
CertForge supports single sign-on via OpenID Connect (OIDC). Once configured, users can log in with your organization’s identity provider instead of (or in addition to) a local password. Any standards-compliant OIDC provider works — Keycloak, Okta, Azure AD, Google Workspace, Auth0, and others.

Configure OIDC

  1. Go to Admin → Settings → SSO
  2. Toggle Enable SSO on
  3. Fill in the provider details:
  1. Save
After saving, the login page shows a Sign in with SSO button. Password-based login continues to work unless you disable it in the settings.

Provider-specific notes

Keycloak

  • Create a new client in the target realm with Client authentication enabled
  • Set the Valid redirect URIs to https://<your-certforge-domain>/oidc/callback
  • Copy the Client ID and the secret from the Credentials tab
  • The Issuer URL format is: https://<keycloak-host>/realms/<realm-name>

Okta

  • Create a new OIDC Web Application in the Okta Admin Console
  • Add https://<your-certforge-domain>/oidc/callback to the Sign-in redirect URIs
  • Copy the Client ID and Client secret
  • The Issuer URL is your Okta org URL: https://<org>.okta.com

Azure AD / Entra ID

  • Register a new app in Azure Portal → App registrations
  • Add https://<your-certforge-domain>/oidc/callback as a redirect URI (type: Web)
  • Create a client secret under Certificates & secrets
  • The Issuer URL is: https://login.microsoftonline.com/<tenant-id>/v2.0

Test SSO login

  1. Open the CertForge login page in a private/incognito window
  2. Click Sign in with SSO
  3. Complete authentication with your IdP
  4. Confirm you land on the CertForge dashboard
If the login fails, check the browser URL for an error parameter. Common issues:

User provisioning

Users are provisioned on first SSO login. The email address from the IdP token is used as the user’s identity. If the email domain matches the org’s configured email domain, the user is placed in that org automatically. New SSO users receive the viewer role by default. An org admin can promote them to operator or admin after their first login.

Disabling password login

To enforce SSO-only access, go to Admin → Settings → SSO and enable Require SSO. Users without an SSO login will be unable to access the org. Platform superuser accounts are not affected.