OIDC Single Sign-On
OpenID Connect (OIDC) lets users sign in with your enterprise identity provider. WebStream redirects users to the provider, validates the returned token, and maps claims to a WebStream user and groups.
What you need from your provider
- Issuer / discovery URL for the provider.
- Client ID and client secret for an application registration.
- Redirect URI registered with the provider, pointing back to your WebStream gateway.
- Claims that carry the username, email, and group membership.
Configure OIDC
- Register an application with your identity provider and note the client ID, secret, and issuer URL.
- Set the organization's authentication mode to OIDC — see Authentication Modes.
- Enter the issuer, client ID, secret, and redirect URI.
- Map claims to the WebStream username, email, and group fields.
- Test a sign-in and confirm the user resolves to the expected groups with the Entitlements viewer.
Group mapping
Map a provider group or role claim to WebStream groups so access follows your directory. A user's workspaces and policies then flow from the groups their claims place them in.
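The mapping logic described above, as an added example rather than WebStream's own code or configuration format: a resolver that fails closed, so a missing identity claim refuses the sign-in and an unmapped provider group grants nothing. The claim names, group names, and mapping tables are assumptions made up for illustration.

```python
# Added illustration, not WebStream code. Claim names, group names and the
# mapping tables below are assumptions made up for this example.
from dataclasses import dataclass

# Hypothetical claim mapping: which token claim feeds each user field.
CLAIM_MAP = {"username": "preferred_username", "email": "email", "groups": "groups"}

# Hypothetical provider-group -> application-group table (exact match only).
GROUP_MAP = {
    "idp-eng": "engineering",
    "idp-sec-admins": "security-admins",
}


@dataclass(frozen=True)
class ResolvedUser:
    username: str
    email: str
    groups: frozenset


def resolve_user(claims: dict) -> ResolvedUser:
    """Map already-validated ID token claims to a user and groups, failing closed."""
    username = claims.get(CLAIM_MAP["username"])
    email = claims.get(CLAIM_MAP["email"])
    if not isinstance(username, str) or not username.strip():
        raise ValueError("username claim missing or empty; refusing sign-in")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("email claim missing or malformed; refusing sign-in")

    raw = claims.get(CLAIM_MAP["groups"], [])
    # A single-valued claim may arrive as a bare string rather than a list.
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, list):
        raise ValueError("groups claim has unexpected type")

    # Exact, case-sensitive lookup: unmapped or non-string values grant nothing.
    groups = frozenset(GROUP_MAP[g] for g in raw if isinstance(g, str) and g in GROUP_MAP)
    return ResolvedUser(username.strip(), email, groups)


# Constructed sample claims, as they would look after signature, issuer,
# audience and expiry checks have already passed.
SAMPLE = {"preferred_username": "alice", "email": "alice@example.com",
          "groups": ["idp-eng", "IDP-SEC-ADMINS", "idp-unknown"]}

if __name__ == "__main__":
    print(resolve_user(SAMPLE))
```

In the sample, only `idp-eng` maps: the differently cased `IDP-SEC-ADMINS` and the unknown group are dropped rather than matched loosely, which is the behaviour to confirm when testing a sign-in.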
Tip
Provider-specific walkthroughs for Azure AD/Entra, Okta, and Google Workspace are in the Azure AD, Okta, and Google guides.