Crossview supports any OIDC (OpenID Connect) or SAML 2.0 provider for Single Sign-On authentication.
- Enable SSO in `config/config.yaml` by setting `sso.enabled: true`
- Configure your provider (OIDC or SAML); see the examples below
- Restart your server
- SSO login buttons will appear on the login page
Works with any OpenID Connect provider (Auth0, Okta, Azure AD, Google, Keycloak, etc.):

```yaml
sso:
  enabled: true
  oidc:
    enabled: true
    issuer: https://your-provider.com/realms/your-realm # OIDC discovery endpoint
    clientId: your-client-id
    clientSecret: your-client-secret
    callbackURL: http://localhost:3001/api/auth/oidc/callback
    scope: openid profile email
    # Optional: Custom attribute mappings
    usernameAttribute: preferred_username
    emailAttribute: email
    firstNameAttribute: given_name
    lastNameAttribute: family_name
```

Provider setup:

- Create an OIDC client in your provider
- Set the redirect URI to `http://localhost:3001/api/auth/oidc/callback`
- Copy the client ID and secret to your config
- Use the issuer URL (usually ends with `/realms/...` or `/oauth2/...`)
The implementation supports OIDC Discovery - if you provide the issuer URL, it will automatically discover the authorization, token, and userinfo endpoints.
Works with any SAML 2.0 provider (Okta, Azure AD, OneLogin, ADFS, etc.):

```yaml
sso:
  enabled: true
  saml:
    enabled: true
    entryPoint: https://your-provider.com/saml/sso
    issuer: your-application-issuer-name
    callbackURL: http://localhost:3001/api/auth/saml/callback
    cert: |-
      -----BEGIN CERTIFICATE-----
      Your SAML certificate here
      -----END CERTIFICATE-----
    # Optional: Custom attribute mappings
    usernameAttribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    emailAttribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    firstNameAttribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    lastNameAttribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
```

Provider setup:

- Create a SAML application in your provider
- Set the ACS (Assertion Consumer Service) URL to `http://localhost:3001/api/auth/saml/callback`
- Set the Entity ID/Issuer to match your `saml.issuer` value
- Download the SAML certificate and add it to `saml.cert`
- Configure attribute mappings if your provider uses different attribute names
Provider-specific `oidc` examples:

Auth0:

```yaml
oidc:
  issuer: https://your-tenant.auth0.com/
  clientId: your-auth0-client-id
  clientSecret: your-auth0-client-secret
  callbackURL: http://localhost:3001/api/auth/oidc/callback
```

Okta:

```yaml
oidc:
  issuer: https://your-tenant.okta.com/oauth2/default
  clientId: your-okta-client-id
  clientSecret: your-okta-client-secret
  callbackURL: http://localhost:3001/api/auth/oidc/callback
```

Azure AD:

```yaml
oidc:
  issuer: https://login.microsoftonline.com/your-tenant-id/v2.0
  clientId: your-azure-app-id
  clientSecret: your-azure-app-secret
  callbackURL: http://localhost:3001/api/auth/oidc/callback
```

Google:

```yaml
oidc:
  issuer: https://accounts.google.com
  clientId: your-google-client-id
  clientSecret: your-google-client-secret
  callbackURL: http://localhost:3001/api/auth/oidc/callback
```

If you want to use Keycloak, see `keycloak/README.md` for Keycloak-specific setup instructions. The code itself is provider-agnostic.
When a user logs in via SSO for the first time:
- A user account is automatically created in Crossview
- The first SSO user becomes an admin
- Subsequent SSO users are created as regular users
- User attributes (email, name) are synced from the SSO provider
If SSO login does not work, check the following:

- Check server logs for SSO initialization messages
- Verify your provider's endpoints are accessible
- Ensure redirect URIs match exactly (including http vs https)
- Check that the client secret is correct
- Verify the certificate format for SAML (PEM format)
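The OIDC Discovery behaviour described above and the troubleshooting list can be checked before restarting the server. The following added example (not part of Crossview) derives the discovery URL from an issuer, validates a discovery document against the configured issuer, compares a callback URL with the provider's registered redirect URIs exactly, and checks that a `saml.cert` value is a PEM block. The discovery document and PEM body are constructed samples; the Keycloak-style paths and the issuer values are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----", re.S)

# Constructed sample inputs (not real provider output): a Keycloak-style discovery document
BASE = "https://your-provider.com/realms/your-realm"
SAMPLE_METADATA = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": BASE + "/protocol/openid-connect/userinfo",
}
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % (
    base64.b64encode(b"constructed placeholder, not a real certificate").decode())

def discovery_url(issuer: str) -> str:
    """OIDC Discovery: provider metadata lives at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc_discovery(configured_issuer: str, metadata: dict) -> list:
    """Return the problems found in a discovery document fetched for `configured_issuer`."""
    problems = []
    # The metadata issuer must equal the configured value exactly (trailing slash included).
    if metadata.get("issuer") != configured_issuer:
        problems.append("issuer mismatch: config=%r metadata=%r" % (configured_issuer, metadata.get("issuer")))
    for key in REQUIRED_ENDPOINTS:
        url = metadata.get(key)
        if not url:
            problems.append("missing " + key)
        elif urlparse(url).scheme != "https":
            problems.append("%s is not https: %s" % (key, url))
    return problems

def check_redirect_uri(callback_url: str, registered: list) -> bool:
    """Providers compare redirect URIs exactly: scheme, host, port and path must all match."""
    return callback_url in registered

def check_saml_cert(pem: str) -> bool:
    """True if `pem` is a PEM certificate block whose body decodes as base64 (what saml.cert expects)."""
    match = PEM_RE.search(pem.strip())
    if not match:
        return False
    try:
        base64.b64decode("".join(match.group(1).split()), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
```

Run the checks against your own `config.yaml` values before restarting; an issuer mismatch or a non-identical redirect URI is the usual cause of a provider error at the callback step.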