Knowledge Base / Version 24 / System Admin Duties / Identity

How to Add an OpenID Connect Identity Provider (version 24)

updated 3 wk ago

By default, Canary uses Windows AD for user authentication; however, starting in v24, Canary also supports OAuth 2.0/OpenID Connect. This gives end users alternate options for signing into Canary's application tools (Canary Admin, Axiom, and Excel Add-in) while supporting SSO. Below are some examples of supported OpenID Connect providers:

Azure/Entra ID
Microsoft AD Federation
Okta/Auth0
Google
Customer-Defined OAuth Providers

To add an OpenID Connect provider, the following steps can be taken. In this example, we are adding an Azure AD provider. Parameter names may vary depending on the provider.

Open the Canary Admin and select the Identity tile.
Click ADD in the OPENID CONNECT PROVIDERS section.
Fill in the Provider Display Name, Provider URL, Client ID, and Client Secret as provided by the identity provider. The Provider Display Name does not need to match anything coming from the provider, but should be intuitive. In this example, we are just calling it Azure.

Use the OpenID Connect metadata document URL for the Provider URL. Remove "/.well-known/openid-configuration" from the end of the URL.

Use the Application ID for the Client ID.

A new client secret should be created for the Identity service within the IDP. Use the Value for the Client Secret.
Click ADD then APPLY.
Click AUTHENTICATE. If the information is correct, the following message should appear:
Navigate to the Messages tile and look for the following Info message at the top of the list. This will contain the claims that are needed to complete the OpenID Connect provider.
Navigate back to the Identity tile and EDIT the newly created OpenID Connect provider.
Fill in the User ID Claim, User Name Claim, and Group ID Claim using the information from the message then click APPLY.