OIDC Single Sign-On

OpenID Connect (OIDC) lets users sign in with your enterprise identity provider. WebStream redirects users to the provider, validates the returned token, and maps claims to a WebStream user and groups.

What you need from your provider

Configure OIDC

  1. Register an application with your identity provider and note the client ID, secret, and issuer URL.
  2. Set the organization's authentication mode to OIDC — see Authentication Modes.
  3. Enter the issuer, client ID, secret, and redirect URI.
  4. Map claims to the WebStream username, email, and group fields.
  5. Test a sign-in, then use the Entitlements viewer to confirm the user resolves to the expected groups.

Group mapping

Map a provider group or role claim to WebStream groups so access follows your directory. A user's workspaces and policies then flow from the groups their claims place them in.
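
The sketch below is an added example, not WebStream code or configuration. It shows a deny-by-default group mapping over claims from an ID token that has already been validated. The claim name `groups`, the mapping table, and all group names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical mapping table (provider group value -> WebStream group name).
# All names here are constructed for illustration.
GROUP_MAP = {
    "eng-platform": "webstream-admins",
    "eng-all": "webstream-editors",
    "contractors": "webstream-viewers",
}

@dataclass(frozen=True)
class Resolution:
    groups: frozenset    # WebStream groups the user is placed in
    unmapped: frozenset  # provider values with no mapping (ignored, worth logging)
    overage: bool        # provider signalled that the group list was left out

def provider_groups(claims, claim_name="groups"):
    """Normalize the group claim to a set of non-empty strings."""
    raw = claims.get(claim_name)
    if raw is None:
        return set()
    if isinstance(raw, str):  # a single value may arrive as a bare string
        raw = [raw]
    if not isinstance(raw, list):
        raise ValueError(f"unexpected type for {claim_name!r} claim")
    return {g for g in raw if isinstance(g, str) and g}

def resolve_groups(claims, group_map=GROUP_MAP, claim_name="groups"):
    """Map already-validated ID token claims to WebStream groups, deny by default."""
    values = provider_groups(claims, claim_name)
    # Exact, case-sensitive match only: no prefix or substring matching.
    mapped = frozenset(group_map[v] for v in values if v in group_map)
    unmapped = frozenset(v for v in values if v not in group_map)
    # Entra ID omits the groups claim for users in too many groups and points
    # to it through _claim_names instead; flag it rather than treat as "none".
    names = claims.get("_claim_names")
    overage = isinstance(names, dict) and claim_name in names
    return Resolution(mapped, unmapped, overage)

# Constructed sample claims (signature, iss, aud, exp assumed already verified).
SAMPLE = {"sub": "u-1001", "email": "ana@example.com",
          "groups": ["eng-platform", "Eng-All", "finance"]}

if __name__ == "__main__":
    print(resolve_groups(SAMPLE))
```

In the sample, `Eng-All` does not match `eng-all`, so the user lands only in the admin-mapped group and the two unmatched values are reported instead of granting access.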

Tip

Specific provider walkthroughs for Azure AD/Entra, Okta, and Google Workspace are in Azure AD, Okta, Google.