본문으로 건너뛰기
Admin Path

SSO + OIDC provisioning

Wire an external IdP (Keycloak · Okta · Azure AD) to D.Hub via OIDC and set up auto-provisioning on first login.

8 min

If SSO is set up correctly early in the adoption stage, adding users drops out of your day-to-day operations. This lesson walks through OIDC-based SSO integration and auto-provisioning in one pass.

Prep work — register the D.Hub client on the IdP

One end of the OIDC flow lives on the external IdP. Whether you're on Keycloak / Okta / Azure AD / Google Workspace, register D.Hub as an OIDC client on the IdP first. You'll need two values.

  • redirect URIhttps://<your-dhub-host>/auth/oidc/callback
  • Client ID + secret — Issued by the IdP

With these two in hand, move to the D.Hub side.

On the D.Hub side — authentication settings

In the user menu in portal's upper-right, go to Settings → Authentication & Access Control.

1. Register the OIDC client

  • Click + OIDC client and enter the client ID and secret from the IdP
  • Issuer URL — The IdP's OIDC discovery endpoint. Example: https://keycloak.example.com/realms/dhub
  • Scopeopenid profile email by default

Save, and the Test connection button activates. Click once to confirm the link works.

2. Enable SSO login

On the same screen, toggle SSO login on. Once enabled, the login screen shows a "Continue with <IdP name>" button.

Auto-provisioning — first login is account creation

With OIDC auto-provisioning on, D.Hub automatically creates an account the moment an IdP-authenticated user logs in for the first time. The admin no longer needs to click Add user each time.

In Settings, toggle Auto-provisioning on and set two things.

  • Default role — The default permission granted to auto-created users. Reader recommended — anything Writer or higher should come from group mapping (next lesson), which is safer.
  • Email mapping claimWhich IdP claim maps to the user's email. Defaults to email.

Save, and the moment a new IdP user logs in, they show up in D.Hub's user list automatically.

Self-check

  • The login screen shows a Continue with <IdP> button.
  • A new IdP user logs in → they're auto-added to D.Hub's user list.
  • Their default role is the intended value (Reader).
  • One local emergency admin account remains in place.

What you should be able to do after this lesson

  • The two ends of OIDC client registration — IdP side · D.Hub side
  • The meaning of auto-provisioningfirst login = account creation
  • The operational pattern of keeping a local emergency account

Next lesson

Define IdP-group ↔ portal-group mappings and grant permissions in bulk at the group level.