Azure AD, Okta, Google
These three providers all integrate through OIDC. The steps are the same as in OIDC Single Sign-On; this page captures the provider-specific details that most often trip people up.
Microsoft Entra ID (Azure AD)
- Register an application in Entra ID and add a Web redirect URI for your gateway.
- Create a client secret and note the directory (tenant) ID and application (client) ID.
- Use the tenant issuer URL as the OIDC issuer, and add a groups claim to drive group mapping.
Okta
- Create an OIDC Web application and set the sign-in redirect URI to your gateway.
- Use your Okta org (or a custom authorization server) as the issuer.
- Add a groups claim to the token and map it to WebStream groups.
Google Workspace
- Create OAuth client credentials in the Google Cloud console and authorise your gateway redirect URI.
- Use Google's standard OIDC issuer and request the email and profile scopes.
- Because Google does not include a groups claim in its ID tokens, map access using WebStream groups or a directory attribute.
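The following is an added illustration, not WebStream code, of the claim handling the three sections above describe: check that the token's issuer is exactly the tenant, org or Google issuer you configured, read the groups claim from Entra ID and Okta, and fall back to a verified e-mail and hosted-domain mapping for Google, which emits no groups claim. The tenant ID, Okta org, hosted domain and e-mail-to-group table are constructed placeholders, and the code assumes the OIDC library has already verified the token's signature, audience and expiry.

```python
"""Map decoded OIDC ID-token claims from Entra ID, Okta and Google to groups.

Added example, not WebStream code. Assumes signature, audience and expiry
were already validated by the OIDC library; this step checks the issuer
and derives groups from the decoded claims only.
"""
from dataclasses import dataclass, field

# Constructed placeholders, not real deployments.
ENTRA_TENANT_ID = "00000000-0000-0000-0000-000000000000"
OKTA_ORG = "example.okta.com"
GOOGLE_HOSTED_DOMAIN = "example.com"

# Exact `iss` values each provider puts in its tokens.
ISSUERS = {
    "entra": f"https://login.microsoftonline.com/{ENTRA_TENANT_ID}/v2.0",
    "okta": f"https://{OKTA_ORG}",  # org authorization server; a custom one adds /oauth2/<id>
    "google": "https://accounts.google.com",
}

# Constructed directory-attribute mapping for Google, which has no groups claim.
GOOGLE_EMAIL_GROUPS = {
    "alice@example.com": ["admins"],
}


@dataclass
class Mapped:
    subject: str
    groups: list[str] = field(default_factory=list)
    complete: bool = True  # False when the provider truncated the group list


def map_claims(provider: str, claims: dict) -> Mapped:
    expected = ISSUERS[provider]
    # A token minted by a different tenant or org has the same shape but a
    # different `iss`, so compare the whole string exactly.
    if claims.get("iss") != expected:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r} != {expected!r}")
    sub = claims["sub"]

    if provider == "entra":
        # When a user is in more than 200 groups Entra omits `groups` and
        # sets `_claim_names`/`_claim_sources` instead (the "overage" case).
        # Treat that as an incomplete list, never as "no groups".
        if "_claim_names" in claims:
            return Mapped(sub, [], complete=False)
        return Mapped(sub, list(claims.get("groups", [])))

    if provider == "okta":
        # Present only if a groups claim was added to the token.
        return Mapped(sub, list(claims.get("groups", [])))

    if provider == "google":
        # Trust the e-mail only when Google marks it verified, and require
        # the Workspace hosted domain so a consumer account that happens to
        # use a matching address is not mapped.
        if not claims.get("email_verified") or claims.get("hd") != GOOGLE_HOSTED_DOMAIN:
            return Mapped(sub, [])
        return Mapped(sub, list(GOOGLE_EMAIL_GROUPS.get(claims["email"], [])))

    raise ValueError(f"unknown provider {provider!r}")


if __name__ == "__main__":
    sample = {"iss": ISSUERS["okta"], "sub": "00u1", "groups": ["Everyone", "ops"]}
    print(map_claims("okta", sample))
```

Surface `complete=False` in your entitlement check rather than silently granting nothing: it is the signal that group resolution needs a directory lookup, and it is exactly the case the Entitlements viewer will make visible when a test user's groups look wrong.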
Tip
Whichever provider you use, finish by signing in as a test user and checking the result in the Entitlements viewer. It is the quickest way to confirm that the claim and group mapping is correct.