Single Sign-On

Overview

Keycard supports any OIDC identity provider, including Okta and Azure Entra ID. Users are automatically provisioned Just-in-Time (JIT) on first login.

Prerequisites

• Admin access to your Keycard organization
• Admin access to your identity provider

Setup

Step 1: Configure your identity provider

Okta

1. In your Okta Admin Console, go to Applications > Create App Integration
2. Select OIDC - OpenID Connect and Web Application
3. Configure the application:
   • Sign-in redirect URIs: https://id.keycard.ai/oauth/2/redirect
4. Save the Client ID, Client Secret, and Issuer (found in your Okta domain, e.g., https://your-domain.okta.com)

Azure Entra ID

1. In the Azure Portal, go to Microsoft Entra ID > App registrations > New registration
2. Configure the application:
   • Name: Choose a name for your app
   • Supported account types: Accounts in this organizational directory only (Single tenant)
   • Redirect URI: Select Web and enter https://id.keycard.ai/oauth/2/redirect
3. After creation, go to Certificates & secrets and create a new client secret
4. Save the Application (client) ID, Client Secret, and Issuer (https://login.microsoftonline.com/{tenant-id}/v2.0)

Generic OIDC

Create an OAuth 2.0 / OIDC application in your identity provider with these settings:

• Application type: Web application
• Redirect URI: https://id.keycard.ai/oauth/2/redirect
• Grant types: Authorization Code

Save the Client ID, Client Secret, and Issuer URL.

Step 2: Link identity provider to Keycard

Configure an SSO connection from your organization’s settings page in the Keycard Console, accessible via the organization switcher at the top of the sidebar, or via the Keycard Terraform provider with your identity provider’s Issuer URL, Client ID, and Client Secret.

Step 3: Test authentication

1. Test login through your identity provider dashboard (see Login from Your Identity Provider for setup)
2. Confirm successful login and user creation

Your SSO is now configured. Users can login from your identity provider dashboard.

User Roles and Access

When users log in via SSO for the first time, they are automatically provisioned with the Organization Member role. This role provides no organization-level access by default—users must be explicitly granted access to specific zones.

To grant SSO users administrator access or assign them to zones, an Organization Administrator using a non-SSO account must update their roles after their first login. See Roles & Permissions for details on role management.

Tip

As noted in Emergency Access, maintain at least one email/password administrator account (not managed by SSO) for managing SSO user roles and emergency access scenarios.

Domain Verification (Optional)

Domain verification enables a seamless login experience at console.keycard.ai.

Without verification: Users access Keycard through your identity provider dashboard (Okta tiles, Azure My Apps)

With verification: Users enter their email at console.keycard.ai and are automatically redirected to your identity provider

To request verification, email help@keycard.ai with your organization name and the domain to verify. Keycard will verify you control the domain before enabling this feature.

After verification:

• Users with your verified email address domain must authenticate through your identity provider
• Entering an email with a verified domain automatically redirects to your identity provider

Note: The same domain cannot be reused across multiple organizations.

Emergency Access

For emergency access when your identity provider is unavailable, administrators can use this URL:

https://id.keycard.ai/openid/connect/login?tenant=personal&iss=https://id.keycard.ai&target_link_uri=https://console.keycard.ai

This enables non-SSO email/password accounts to authenticate.

Note

Maintain at least one email/password account (not managed by SSO) in your Keycard organization for emergency access if your identity provider becomes unavailable.

Login from Your Identity Provider

To enable users to login from your identity provider dashboard (Okta tiles, Azure My Apps), configure your identity provider with a login initiation URL.

URL format:

https://id.keycard.ai/openid/connect/login?iss=<issuer>&target_link_uri=https://console.keycard.ai&tenant=<org-id>

Parameters:

• iss: Your identity provider’s issuer URL
• target_link_uri: Where to redirect after login (e.g., https://console.keycard.ai or a specific page)
• tenant: Your Keycard organization ID (found in the Console under your organization settings page)

Okta

In your Okta application settings, set the Initiate login URI to:

https://id.keycard.ai/openid/connect/login?target_link_uri=https://console.keycard.ai&tenant=<org-id>

Okta automatically includes the iss parameter, so you only need to specify target_link_uri and tenant. Replace <org-id> with your Keycard organization ID.

Azure Entra ID

In your Azure application settings, set the Home page URL to:

https://id.keycard.ai/openid/connect/login?iss=https://login.microsoftonline.com/{tenant-id}/v2.0&target_link_uri=https://console.keycard.ai&tenant=<org-id>

Replace {tenant-id} with your Azure tenant ID and <org-id> with your Keycard organization ID.

Generic OIDC

Configure your identity provider’s application launch URL or home page URL to:

https://id.keycard.ai/openid/connect/login?iss=<your-issuer-url>&target_link_uri=https://console.keycard.ai&tenant=<org-id>

Replace <your-issuer-url> with your identity provider’s issuer URL and <org-id> with your Keycard organization ID.