OpenID Connect (OIDC) SSO Integration

Use your OpenID Connect (OIDC) SSO provider to enable employees to sign into Canny

Written by Niall Dickin
Updated over a week ago

Canny’s OpenID Connect SSO integration allows your employees to sign into your Canny instance via any OIDC (OpenID Connect) provider.



Requirements

The OpenID Connect Single Sign-on integration is available to customers on our Business Plan. If you’re interested in adding OIDC SSO to your account, contact us.

To set up the integration, you must be logged in to Canny as an admin.



Configuration Steps

1. Generate a new set of application credentials (client ID and client secret) in your OpenID Connect provider. If you're using a third-party provider like Auth0 or Okta, this will typically be of the type Web Application or Single Page Application; it varies by provider.

2. Take these and input them into the form on Canny in the respective App Client ID and App Client Secret fields.

3. Within your OpenID Connect provider set the Callback URL to be https://canny.io/api/oidc/complete

4. Find out your well-known endpoint for your provider. This is normally https://{your-domain}/.well-known/openid-configuration. Input this into the Discovery Doc Endpoint field.

5. Finally, choose the role you want new users to be authenticated as. This means that when they log in to your Canny instance for the first time with your OIDC provider, they will be given the role of X, e.g. Owner. This is selected via the dropdown on the form.

Your form should look something like the following now:

6. Click Save. Address any issues you get. Note: any issues here will indicate that your Discovery Document URL or App Client ID is incorrect. Alternatively, you have selected a configuration type that doesn't support the required OIDC flow in your provider. The Client Secret is not tested at this point.

7. Once the config has successfully saved you should see two new buttons: Test and Disconnect.

8. Clicking Test will open a new tab and redirect you to your OIDC provider's login page. Make sure to log in here with the same account as your current user, e.g. if you're logged into Canny as admin@mycompany.com, log in to the authorisation page as admin@mycompany.com also. If you don't do this you might accidentally link two different accounts together.

Note: any failures during this test likely indicate either that the Client Secret is wrong or that the email addresses in your OIDC provider are not marked as verified. We don't allow unverified users to log in to Canny via OIDC SSO so as to avoid account hijacking.

9. Once tests have passed you're good to go! You can now set individual boards to be authenticated by OIDC. To do this, go to Settings > Boards > [Select your board] > Privacy and select Private, then OpenID Connect from the Collaborators dropdown. When a user now tries to navigate to https://yourdomain.canny.io/board-name they'll see a prompt to 'Log in with OpenID Connect'.


Note: if you still have public boards, visiting https://yourdomain.canny.io won't show any prompt to 'Log in with OpenID Connect'. You'll have to direct end users to the private board URL first for them to see this login option.

10. If all your boards are set to private, visiting https://yourdomain.canny.io will show a login button allowing users to authenticate via OIDC.
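
The failure causes named in steps 4, 6 and 8 can be checked by hand before saving the form. The Python below is an added example, not Canny's code: it inspects an already-fetched discovery document and the decoded claims from a test login. The idp.example.com values are constructed, and the `code` response type is an assumption, since this article does not name the required flow.

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"
ENDPOINT_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample data: idp.example.com is a placeholder, not a real provider.
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com/",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/oauth/token",
  "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
  "response_types_supported": ["code", "id_token"],
  "claims_supported": ["sub", "email", "email_verified"]
}""")


def check_discovery(url, doc, response_type="code"):
    """List problems in a discovery doc fetched from url ("code" is assumed)."""
    problems = []
    if not (url.startswith("https://") and url.endswith(WELL_KNOWN)):
        problems.append("discovery URL is not an https well-known endpoint")
    for key in ENDPOINT_KEYS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} is missing or not https")
    # OIDC Discovery: issuer (minus trailing slash) + suffix must equal the URL.
    if str(doc.get("issuer", "")).rstrip("/") + WELL_KNOWN != url:
        problems.append("issuer does not match the discovery URL")
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response type {response_type!r} is not supported")
    # claims_supported is optional; only complain when it is listed and incomplete.
    claims = doc.get("claims_supported")
    if claims is not None and not {"email", "email_verified"} <= set(claims):
        problems.append("provider does not advertise email/email_verified claims")
    return problems


def check_test_login(claims, canny_email):
    """Apply the two rules from the Test step to decoded ID token claims."""
    email = str(claims.get("email", "")).strip().lower()
    if not email:
        return "no email claim"
    if claims.get("email_verified") is not True:  # strict: the string "true" fails
        return "email is not marked as verified"
    if email != canny_email.strip().lower():
        return "provider account differs from the logged-in Canny account"
    return "ok"
```

An empty list from `check_discovery` and `"ok"` from `check_test_login` mean none of the listed causes apply; the Client Secret can still only be verified by the Test button.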
