Overview
Canny’s OpenID Connect SSO integration allows your employees to sign into your Canny instance via any OIDC (OpenID Connect) provider.
Benefits
Use your existing OIDC tool (e.g., Auth0, Okta, etc.) for your users rather than requiring users to log in through different mechanisms across your sites.
Manage access securely and automatically.
Easy, one-click login access for your team.
How to set up OIDC
Before you begin
Owner-level admin permissions in Canny are required to connect the integration.
You will also likely need to be an admin in your OIDC provider.
The OpenID Connect Single Sign-on integration is only available on the Business plan in Canny. Just start a chat or email sales@canny.io to get a quote!
Configuration Steps
Generate a new set of application credentials (client ID and client secret) in your OpenID Connect provider. If you're using a third-party provider like Auth0 or Okta, this will typically be a Web Application or Single-Page Application. The exact steps vary by provider.
Copy the values to your clipboard and paste them into the corresponding App Client ID and App Client Secret fields on the OIDC settings page in Canny.
Within your OpenID Connect provider, set the Callback URL to be
https://canny.io/api/oidc/complete
Find the well-known endpoint for your provider. This is normally
https://{your-domain}/.well-known/openid-configuration
Add this into the Discovery Doc Endpoint field on the OIDC settings page in Canny.
Choose the default admin role for newly added users. This is their default permission level when they log in to your Canny instance for the first time with your OIDC provider. This is selected via the dropdown on the form.
Click Save.
Any errors here indicate that your Discovery Document URL or App Client ID is incorrect.
You may also have selected a configuration type that doesn't support the required OIDC flow in your provider.
This action does not test the Client Secret.
Once the configuration has been successfully saved, you should see two new buttons: Test and Disconnect.
Clicking Test will open a new tab and redirect you to your OIDC provider's login page.
Make sure to log in here with the same account as your current user. For example, if you're logged into Canny as admin@mycompany.com, log in to the authorization page as admin@mycompany.com also. If you don't do this, you might accidentally link two different accounts together.
Any failures during this test likely indicate either that the Client Secret is wrong or that the email addresses in your OIDC provider are not marked as verified. To avoid account hijacking, we don't allow unverified users to log in to Canny via OIDC SSO.
Once the tests have passed, you're good to go! You can now set individual boards to be authenticated by OIDC.
To do this, go to the Boards tab in your Canny settings and set up a custom access board, then select OpenID Connect from the Collaborators dropdown.
When a user now tries to navigate to
https://yourdomain.canny.io/board-name
they'll see a prompt to 'Log in with OpenID Connect'.
Note: if you still have public boards, visiting
https://yourdomain.canny.io
won't show any prompt to 'Log in with OpenID Connect'. You'll have to direct end users to the custom access board URL first for them to see this login option.
If all your boards are set to custom access, visiting
https://yourdomain.canny.io
will show a login button allowing users to authenticate via OIDC.
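The Save and Test failures described above (a wrong Discovery Doc Endpoint, a provider application type that lacks the required flow, unverified email addresses) can be checked on the provider side before filling in the Canny form. The sketch below is an added example, not Canny's code: the function names and the idp.example.com sample data are constructed, and it assumes the required flow is the authorization code flow (response type code), which this page does not state.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample data for a hypothetical provider at idp.example.com.
DISCOVERY_URL = "https://idp.example.com" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
}
BAD_DOC = dict(GOOD_DOC, issuer="https://other.example.com",
               response_types_supported=["id_token"])

def check_discovery(discovery_url, doc, flow="code"):
    """Return a list of problems in a provider's discovery document."""
    problems = []
    for key in REQUIRED:
        value = doc.get(key)
        if not isinstance(value, str) or urlparse(value).scheme != "https":
            problems.append(f"{key} missing or not https")
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    else:
        # OIDC Discovery: the issuer is the discovery URL minus the suffix.
        expected = discovery_url[: -len(WELL_KNOWN)]
        if str(doc.get("issuer", "")).rstrip("/") != expected.rstrip("/"):
            problems.append("issuer does not match discovery URL")
    # Assumption: the relying party uses the authorization code flow.
    if flow not in doc.get("response_types_supported", []):
        problems.append(f"response type '{flow}' not supported")
    return problems

def check_claims(claims):
    """Flag users who would be rejected for an unverified email address."""
    problems = []
    if not claims.get("email"):
        problems.append("no email claim")
    if claims.get("email_verified") is not True:
        problems.append("email_verified is not true")
    return problems

if __name__ == "__main__":
    print(check_discovery(DISCOVERY_URL, BAD_DOC))
    print(check_claims({"email": "admin@mycompany.com", "email_verified": False}))
```

Run check_claims over the claims your provider returns for a test user; a provider that omits email_verified is reported the same way as one that sets it to false.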
Things to note:
Provisioning Owner/Manager admin seats (or custom roles) may affect your billing. Please be cautious when provisioning users in bulk.
OIDC compatibility is available only on the Business plan. Just start a chat or email sales@canny.io to get a quote!