Authentication configuration

Reference of authentication and log-in options for Ketryx

Ketryx is highly configurable allowing users to log-in through various methods including third party providers. It is possible to connect any OAuth provider. Certain providers have a built-in integration.

Supported configuration options include email, google mail, github, okta, and customOAuth. Third party providers need to be configured in combiation with a custom email domain for this organization (managed by Ketryx Support).

Built-in authentication

Email & Password - Whether to allow users to log in to Ketryx with an Email & Password (or magic link).

Okta single sign-on

Allow and configure authentication via Okta.

For authentication via Okta, create a new App Integration in your Okta instance and configure it in the following way:

Use "OIDC - OpenID Connect" authentication with the application type "Web Application"
For Grant type, choose "Client acting on behalf of a user" via an "Authorization Code"
Set the Sign-in redirect URL to https://app.ketryx.com/api/auth/callback/okta
Set the Sign-out redirect URL to https://app.ketryx.com
Make sure that all desired members of the organization are assigned to the app in Okta
Configure the authentication provider in Ketryx using Okta's client ID, client secret, and issuer URL, as in the example below

Configure Okta authentication as shown in the example below (change the Ketryx part to your own Okta URL, and substitute the client ID and client secret with your own)

{
  "clientId": "Your Okta Client ID goes here",
  "clientSecret": "Your Okta Client Secret goes here",
  "issuer": "Your Okta Issuer URL goes here, for example https://ketryx.okta.com (change the Ketryx part) "
}

Custom OAuth provider

Allow and configure authentication via any OAuth provider by specifying the provider's ID, name, type, and options.

Configure Microsoft Entra ID (previously Microsoft Azure Active Directory) OAuth2.0 authentication as shown in the example below (change the Ketryx part to your own Azure URL, and substitute the client ID and client secret with your own)

{
  "allowDangerousEmailAccountLinking": true,
  "authorization": {
    "params": {
      "scope": "openid profile email User.Read"
    }
  },
  "id": "Your ID goes here",
  "name": "Azure Active Directory",
  "options": {
    "clientId": "Your client ID goes here",
    "clientSecret": "Your client secret goes here"
  },
  "profileFieldMapping": {
    "id": "sub"
  },
  "token": "Your token goes here",
  "type": "oauth",
  "wellKnown": "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration?appid= Your client ID goes here"
}

Configure authentication via OIDC as shown in the example below

{
  "allowDangerousEmailAccountLinking": true,
  "clientId": "CLIENT_ID",
  "clientSecret": "CLIENT_SECRET",
  "issuer": "https://ORGNAME.[identity provider].com"
}

Notes:

If email-based authentication is disabled and users face issues with SSO, please reach out to the Ketryx Client Operations or Support departments for us to reset the email property to true .
By default, Ketryx supports login via email, Google and GitHub. If you need this disabled please get in touch with the Ketryx team.

PreviousAdvanced Settings NextAssistant

Last updated 12 hours ago

Was this helpful?