Odigos Central includes a bundled Keycloak instance as its identity provider. Keycloak is not exposed externally: the Central Backend acts as a reverse proxy, forwarding all authentication requests (under /realms/*) to Keycloak internally. This means you only need to expose the Central Backend and Central UI; no separate ingress or service is needed for Keycloak.

Odigos Central supports two types of external SSO providers:
  • OIDC — for providers like Azure AD, Auth0, or any OpenID Connect-compatible IdP
  • SAML — for providers like Okta that use SAML 2.0
Both are configured through the Central UI — Odigos will create the required Keycloak configuration automatically.

Configuring the External URL

For SSO redirects to work, Keycloak and the Central Backend must know the browser-accessible URL of the Central Backend. This is set via the auth.externalUrl Helm value.
| Environment | auth.externalUrl value |
|---|---|
| Local dev / port-forward | http://localhost:8081 (default) |
| Ingress with HTTPS | https://central.example.com |
| LoadBalancer service | https://central-lb.prod.internal |
odigos pro central install \
  --set onPremToken=<token> \
  --set auth.externalUrl=https://central.example.com
When auth.externalUrl is empty (the default), it falls back to http://localhost:8081, which works for local development with odigos pro central ui port-forwarding.
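
A consistency check for the setting described above, as an added example that is not Odigos code: it compares auth.externalUrl with URLs that Keycloak serves through the backend proxy, such as discovery-document fields or the Callback URL. The function names, the realm name `example-realm`, the IdP alias `example-idp` and the sample values are constructed, and it assumes those URLs are built from auth.externalUrl and sit under /realms/.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def check_external_url(external_url, advertised):
    """Compare URLs served under /realms/* with auth.externalUrl.

    advertised maps a label to a URL: fields of the OIDC discovery document,
    or the Callback URL shown by the Central UI. Returns a list of findings;
    an empty list means everything is consistent.
    """
    findings = []
    scheme, host, _ = origin(external_url)
    # Plain http is only expected for the local port-forward default.
    if scheme != "https" and host not in LOCAL_HOSTS:
        findings.append(f"auth.externalUrl uses {scheme} on non-local host {host}")
    for label, url in advertised.items():
        if origin(url) != origin(external_url):
            findings.append(f"{label}: origin differs from auth.externalUrl ({url})")
        elif not urlsplit(url).path.startswith("/realms/"):
            findings.append(f"{label}: path is outside /realms/* ({url})")
    return findings


# Constructed samples. STALE shows values left at the localhost default while
# the site is published elsewhere; realm and alias names are placeholders.
STALE = {
    "issuer": "http://localhost:8081/realms/example-realm",
    "authorization_endpoint":
        "http://localhost:8081/realms/example-realm/protocol/openid-connect/auth",
}
GOOD = {
    "issuer": "https://central.example.com/realms/example-realm",
    "callback_url":
        "https://central.example.com/realms/example-realm/broker/example-idp/endpoint",
}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("STALE", STALE)):
        print(name, check_external_url("https://central.example.com", sample) or "consistent")
```
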

OIDC Provider Setup (Azure AD, Auth0, etc.)

1. Create the OIDC Identity Provider in the Central UI

Open the Central UI sign-in page, choose your OIDC provider (e.g., Azure AD), and fill in:
  • Client ID — from your IdP application
  • Client Secret — from your IdP application
  • Discovery URL — your IdP’s OpenID Connect discovery endpoint
  • Tenant ID — (if required by the provider)
Odigos Central will create/update the required configuration in the bundled Keycloak for you. Avoid configuring the identity provider directly in Keycloak unless you’re troubleshooting.
2. Copy the Callback URL

After the provider is created successfully, the Central UI will display a Callback URL. Copy this URL and add it to your IdP application settings as the Redirect URI (or Callback URL).
The Login button is disabled until you copy the Callback URL. This ensures you configure your IdP correctly before attempting to sign in.
3. Sign in via your OIDC provider

Click the Login button. You will be redirected to your IdP’s sign-in page. After authenticating, you will be redirected back to Odigos Central and the first user account will be created as the admin.

SAML Provider Setup (Okta, etc.)

1. Create the SAML Identity Provider in the Central UI

Open the Central UI sign-in page, choose SAML, and fill in the IdP details from your SAML provider:
  • IdP Entity ID / Issuer
  • Single Sign-On Service URL
  • X.509 Signing Certificate
Odigos Central will create/update the required configuration in the bundled Keycloak for you. Avoid configuring the identity provider directly in Keycloak unless you’re troubleshooting.
2. Copy the Callback URL (ACS URL)

After the provider is created, the Central UI will display the Callback URL (ACS URL). Copy this URL and configure it in your SAML provider:
  • Single sign-on URL (ACS URL)
  • Audience URI (SP Entity ID) — use the same URL or the realm URL depending on your provider
The Login button is disabled until you copy the Callback URL. Make sure to add it to your SAML application before proceeding.
3. Sign in via your SAML provider

Click the Login with SAML button. You will be redirected to your IdP’s sign-in page. After authenticating, you will be redirected back to Odigos Central and the first user account will be created as the admin.

Production Ingress Configuration

When deploying behind an ingress, route traffic to the Central Backend and Central UI services only. Keycloak does not need its own ingress — the Central Backend handles all /realms/* requests internally. Example routing:
| Path | Service | Port |
|---|---|---|
| / | central-ui | 3000 |
| /api/*, /graphql, /realms/* | central-backend | 8081 |
If you’re looking to enable OIDC for the non-central Odigos UI (not Odigos Central), see the dedicated OIDC documentation: OIDC (OpenID Connect).