
Generic SAML & OIDC setup

Don’t see your identity provider in the other guides? Any standards-compliant SAML 2.0 or OIDC provider works. This page maps KloudMate’s fields to the generic terms your IdP uses, so you can wire up the two sides regardless of vendor wording.

Copy KloudMate’s values from the Service provider details card before you start — the host depends on your environment, so don’t assume api.kloudmate.com.

OIDC needs a confidential client (one that can hold a secret) and a discovery endpoint.

In your IdP, create a web/confidential application (authorization-code flow) with this redirect URI, using the host shown on your Service provider details card (api.kloudmate.com is only the example host here):

https://api.kloudmate.com/sso/oidc
| KloudMate field | Your IdP calls it | Notes |
| --- | --- | --- |
| Discovery URL | OpenID configuration / well-known endpoint | Must be a public https:// URL ending in /.well-known/openid-configuration |
| Client ID | Client ID / Application ID | |
| Client secret | Client secret | From a confidential client |
| Scopes | Scopes | Defaults to openid email profile; keep email so KloudMate gets the address |

KloudMate reads the user’s email from the email claim in the ID token. Make sure the email scope is granted and your IdP includes that claim. If your IdP only returns email under a different claim, configure it to emit a standard email claim.
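The checks above (public https:// discovery URL with the right suffix, a confidential authorization-code client, an email claim in the ID token) can be run before anything is pasted into the connection dialog. The Python script below is an added example, not KloudMate's code: the discovery document, ID token and host idp.example.com are constructed samples, and the function names are mine. The token step only inspects the payload to see which claim carries the address; it performs no signature check, which KloudMate does against jwks_uri when it validates a real token.

```python
# Pre-flight checks for an OIDC provider before entering it in KloudMate.
# Hypothetical helper, not KloudMate code; runs offline against constructed samples.
from __future__ import annotations

import base64
import ipaddress
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
DEFAULT_SCOPES = {"openid", "email", "profile"}  # KloudMate's default scope set
CONFIDENTIAL_AUTH = {"client_secret_basic", "client_secret_post", "private_key_jwt"}


def check_discovery_url(url: str) -> list[str]:
    """Return the problems with a discovery URL; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.path.endswith(WELL_KNOWN):
        problems.append(f"path must end with {WELL_KNOWN}")
    host = parts.hostname or ""
    if not host:
        problems.append("missing host")
    elif host == "localhost" or host.endswith((".localhost", ".local")):
        problems.append(f"{host} is not publicly resolvable")
    else:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            pass  # a DNS name: reachability from the internet can only be tested online
        else:
            if not ip.is_global:
                problems.append(f"{host} is a private or loopback address")
    return problems


def check_discovery_doc(url: str, doc: dict) -> list[str]:
    """Check the document fits a confidential authorization-code client with an email scope."""
    problems = []
    expected_issuer = url[: -len(WELL_KNOWN)].rstrip("/")
    if str(doc.get("issuer", "")).rstrip("/") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization-code flow not advertised")
    # OIDC Discovery: when this key is absent the default is client_secret_basic.
    auth = set(doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"]))
    if not auth & CONFIDENTIAL_AUTH:
        problems.append("no confidential client authentication method")
    if "scopes_supported" in doc:  # optional key, so only check it when present
        missing = DEFAULT_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems


def id_token_email(id_token: str) -> str | None:
    """Read the email claim from an ID token payload, for inspection only.
    No signature check here: use it on a token from your IdP's test console."""
    _header, payload, _sig = id_token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims.get("email")


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample data standing in for a real IdP (hypothetical host).
SAMPLE_URL = "https://idp.example.com/realms/acme/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/realms/acme",
    "authorization_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/acme/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/acme/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
# Constructed, unsigned token (empty signature segment) carrying the standard email claim.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "k1"}),
    _b64url({"iss": SAMPLE_DOC["issuer"], "sub": "42", "email": "ada@example.com"}),
    "",
])

if __name__ == "__main__":
    print(check_discovery_url("http://localhost:8080/realms/acme" + WELL_KNOWN))
    print(check_discovery_doc(SAMPLE_URL, SAMPLE_DOC), id_token_email(SAMPLE_ID_TOKEN))
```

Point `check_discovery_url` at the URL you intend to paste and `check_discovery_doc` at the JSON it serves; a private address, a missing `code` response type or an issuer that does not match the URL prefix are the mistakes that surface later as a failed connection. If `id_token_email` returns None on a token from your IdP, the address is arriving under a different claim and the IdP needs to be configured to emit the standard one.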

SAML can be configured two ways in KloudMate: paste the IdP’s metadata XML (preferred), or enter the three core values by hand.

In your IdP, create a SAML 2.0 application / relying party with (again substituting the host from your Service provider details card for api.kloudmate.com):

| Your IdP’s field | Value to use |
| --- | --- |
| ACS / Reply / Recipient / Destination URL | https://api.kloudmate.com/sso/saml |
| Audience / SP Entity ID | the entityID in KloudMate’s downloaded SP metadata |
| NameID format | emailAddress (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |

Many IdPs accept KloudMate’s SP metadata directly — download kloudmate-sp-metadata.xml from the Service provider details card and import it to fill the ACS URL and entity ID automatically.

If your IdP can’t export metadata, choose Enter manually in the connection dialog and map:

| KloudMate field | Your IdP calls it |
| --- | --- |
| SSO URL (entry point) | SAML SSO / sign-in endpoint (HTTP-Redirect or HTTP-POST) |
| Issuer (IdP entity ID) | IdP entity ID / issuer |
| IdP signing certificate (X.509) | Token-signing / X.509 certificate (PEM, including the BEGIN/END CERTIFICATE lines) |

KloudMate reads the email from the NameID (emailAddress format) or from an attribute named email. If your IdP sends email or name under non-standard attribute names, expand the optional attribute mapping in the connection dialog and set:

  • Email attribute — the assertion attribute that holds the email
  • Name attribute — the assertion attribute that holds the display name
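Most IdPs that cannot import metadata can still export their own, and the three manual values plus the attribute question above can be read straight out of that document. The Python script below is an added example, not KloudMate's code: it pulls the IdP entity ID, the SSO URL (HTTP-Redirect preferred, HTTP-POST as fallback) and the signing certificate in PEM form out of IdP metadata, and reads the email from an assertion the way the dialog describes, first from an emailAddress NameID and then from the mapped attribute. The metadata, the assertion and the host idp.example.com are constructed, the certificate body is a placeholder string, and the function names are mine.

```python
# Extract the three manual SAML values from IdP metadata and read the email from an assertion.
# Hypothetical helper, not KloudMate code; the sample XML below is constructed.
from __future__ import annotations

import textwrap
import xml.etree.ElementTree as ET  # fine for metadata you fetched yourself; use defusedxml for untrusted XML

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def to_pem(b64_der: str) -> str:
    """Wrap the bare base64 certificate from the XML in the PEM form KloudMate expects."""
    body = "".join(b64_der.split())  # metadata usually wraps the base64 across lines
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def manual_values(metadata_xml: str) -> dict:
    """Return issuer, SSO URL (HTTP-Redirect preferred, then HTTP-POST) and signing cert(s)."""
    root = ET.fromstring(metadata_xml)
    ent = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    idp = ent.find("md:IDPSSODescriptor", NS) if ent is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(REDIRECT) or sso.get(POST)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    certs = []  # more than one usually means the IdP is rotating its signing key
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(to_pem(cert.text))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "issuer": ent.get("entityID"),
        "sso_url": sso_url,
        "signing_certs": certs,
        "offers_emailAddress_nameid": NAMEID_EMAIL in [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }


def assertion_email(assertion_xml: str, email_attr: str = "email") -> str | None:
    """Read the email the way the dialog describes: NameID (emailAddress) first, then the attribute."""
    a = ET.fromstring(assertion_xml)
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == NAMEID_EMAIL and nameid.text:
        return nameid.text.strip()
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_attr:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text:
                return val.text.strip()
    return None


# Constructed sample metadata; the certificate body is a placeholder string, not a real key.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/realms/acme">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBsampleCERTIFICATEbodyNOTaREALkey0123456789abcdefABCDEF
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/realms/acme/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/realms/acme/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion: persistent NameID, address sent under the non-standard name "mail".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(manual_values(SAMPLE_METADATA))
    print(assertion_email(SAMPLE_ASSERTION), assertion_email(SAMPLE_ASSERTION, "mail"))
```

The sample assertion shows the case the optional attribute mapping exists for: with a persistent NameID and the address under `mail`, `assertion_email` finds nothing until the Email attribute is mapped to `mail`. If `manual_values` returns two certificates, the IdP is mid-rotation; paste the one that signs current assertions and plan to update it when the rotation completes.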

Self-hosted IdPs such as Keycloak work the same way, with one hard requirement: the OIDC discovery URL must be reachable from the public internet over https://, not only from inside your network or VPN; otherwise the connection fails with UnsafeUrl / InvalidOidcConnection.

For Keycloak specifically:

  • OIDC discovery URL: https://<keycloak-host>/realms/<realm>/.well-known/openid-configuration
  • SAML metadata: https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor

Create a confidential OIDC client (or a SAML client) in your realm, set the redirect URI / ACS URL to KloudMate’s values, and make sure the realm issues the user’s email.

After saving the connection:

  1. Verify your company domain.
  2. Choose a provisioning mode.
  3. Test sign-in with a work email on a verified domain via Sign in with SSO.

Hitting an error? See Troubleshooting. InvalidOidcConnection / UnsafeUrl usually means the discovery URL isn’t publicly reachable over HTTPS.