Single Sign-On — OIDC
Operator-admin paste-in form for Entra ID / Okta / Google / Auth0 / any OIDC-compliant IdP. KURAL is the SP; your IdP is the source of truth for who can sign in.
Allowlist these on your IdP side
Before you submit the form below, the IdP admin must register KURAL as a relying party with these values:
| Setting | Value |
| --- | --- |
| Redirect URI | https://api.kural.tech/sso/oidc/callback |
| SCIM base URL | https://api.kural.tech/sso/scim/v2 |
| SCIM endpoint discovery | https://api.kural.tech/sso/scim/v2/ServiceProviderConfig |
| Required scopes | openid email profile |
How sign-in works once configured
- User visits app.kural.tech/login?operator_id=OP-GREENTUBE (or KURAL auto-redirects after recognising the tenant cookie).
- KURAL redirects to your IdP's authorize endpoint with state, nonce and a PKCE S256 code challenge.
- User authenticates against your IdP (passwords, MFA and conditional access are entirely your IdP's responsibility).
- IdP redirects back to https://api.kural.tech/sso/oidc/callback with an authorization code.
- KURAL exchanges the code (together with the PKCE code verifier) for an id_token, verifies the JWT signature against your jwks_url, validates issuer, audience and nonce, and JIT-provisions a User row on first sign-in.
- Session cookie set (httpOnly, Secure, SameSite=Lax, 12h TTL). Dashboard middleware looks up the session on every request, so a user disabled via SCIM is locked out immediately.
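The relying-party side of the flow above, as an added example (not KURAL's code): building the authorize redirect with state, nonce and a PKCE S256 challenge, checking the returned state, and verifying the id_token's RS256 signature against a JWKS document before checking issuer, audience, nonce and expiry. Everything is Python stdlib. The demo IdP (throwaway RSA key, signer, issuer URL and client_id) is constructed here so the exchange runs offline; only the redirect URI is taken from the page.

```python
import base64, hashlib, hmac, json, random, secrets, time
from urllib.parse import urlencode

REDIRECT_URI = "https://api.kural.tech/sso/oidc/callback"   # must match the URI registered on the IdP

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Step 2: build the authorize redirect. state, nonce and the PKCE verifier live only in the server-side session.
def start_login(authorize_url: str, client_id: str):
    verifier = b64url(secrets.token_bytes(32))
    pending = {"state": b64url(secrets.token_bytes(16)), "nonce": b64url(secrets.token_bytes(16)),
               "verifier": verifier}   # the verifier is sent to the token endpoint in step 5, never to the browser
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid email profile", "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    return authorize_url + "?" + urlencode(params), pending

# Step 4: a callback whose state does not match a pending login is forged (login CSRF); drop it before any exchange.
def callback_is_ours(query: dict, pending: dict) -> bool:
    return hmac.compare_digest(query.get("state", ""), pending["state"])

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256; the DigestInfo prefix is fixed by RFC 8017.
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _pkcs1_v15_em(digest: bytes, k: int) -> bytes:
    return b"\x00\x01" + b"\xff" * (k - 3 - len(_DIGESTINFO) - len(digest)) + b"\x00" + _DIGESTINFO + digest

def _rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    n, e = (int.from_bytes(b64url_dec(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_em(hashlib.sha256(signing_input).digest(), k))

# Step 5: signature against the JWKS first, then issuer, audience, nonce and expiry. Any failure rejects the login.
def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    h64, p64, s64 = token.split(".")                 # ValueError on a malformed token
    header = json.loads(b64url_dec(h64))
    if header.get("alg") != "RS256":                 # pin the algorithm; the token must not choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not _rs256_verify(key, f"{h64}.{p64}".encode(), b64url_dec(s64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_dec(p64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    now = time.time() if now is None else now
    for ok, why in [(claims.get("iss") == issuer, "wrong issuer"), (client_id in aud, "wrong audience"),
                    (hmac.compare_digest(str(claims.get("nonce", "")), nonce), "nonce mismatch (replayed token)"),
                    (claims.get("exp", 0) > now, "expired")]:
        if not ok:
            raise ValueError(why)
    return claims

# Constructed demo IdP: a throwaway RSA key and RS256 signer (assumption) so the flow runs offline.
def _mr_round(n: int, d: int, r: int) -> bool:
    x = pow(random.randrange(2, n - 1), d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def _prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = c - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        if all(_mr_round(c, d, r) for _ in range(12)):
            return c

def demo_idp_key(kid: str = "demo-key-1", bits: int = 1024):
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    n, d, k = p * q, pow(e, -1, (p - 1) * (q - 1)), bits // 8
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url(n.to_bytes(k, "big")), "e": b64url(e.to_bytes(3, "big"))}]}
    return {"n": n, "d": d, "kid": kid}, jwks

def demo_idp_sign(priv: dict, claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": priv["kid"]}
    si = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    k = (priv["n"].bit_length() + 7) // 8
    em = _pkcs1_v15_em(hashlib.sha256(si.encode()).digest(), k)
    return si + "." + b64url(pow(int.from_bytes(em, "big"), priv["d"], priv["n"]).to_bytes(k, "big"))
```

Two points worth noticing: the algorithm is pinned to RS256 before the JWKS lookup, so a token with alg none or an HMAC alg is rejected without ever consulting the key, and the nonce is compared against the value stored for this particular pending login, which is what stops a captured id_token from being replayed into a different session. In production the JWKS is fetched from the jwks_url in the IdP's discovery document and cached, and the code exchange (step 5) goes to the token endpoint with the stored verifier; both are network calls and are left out here.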
SCIM 2.0 provisioning
Point your IdP's SCIM provisioning at https://api.kural.tech/sso/scim/v2/Users. Required headers: Authorization: Bearer <scim_bearer> + X-Operator-Id: OP-GREENTUBE. Generate the SCIM bearer below and paste it into your IdP's provisioning config.
KURAL supports a custom SCIM extension for the role and sar_visible flags: urn:ietf:params:scim:schemas:extension:kural:2.0:User
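A receiving-side sketch of the SCIM contract above, as an added example (not KURAL's code): the bearer is validated under the operator named in X-Operator-Id so a token leaked from one tenant cannot provision into another, only the core User schema plus the KURAL extension are accepted, and the per-request session check shows why an active=false from the IdP locks the user out immediately. Assumptions: bearers are stored as SHA-256 hashes, the extension carries attributes named role and sar_visible (names taken from the page, their placement inside the extension is assumed), and the sample resource is constructed.

```python
import hashlib, hmac

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
KURAL_EXT = "urn:ietf:params:scim:schemas:extension:kural:2.0:User"

# Constructed store (assumption): operator id -> SHA-256 of that operator's SCIM bearer. Only the hash is kept.
BEARER_HASHES = {"OP-GREENTUBE": hashlib.sha256(b"scim-demo-bearer-greentube").hexdigest()}

def authenticate(headers: dict, store: dict = BEARER_HASHES):
    """Return the operator id when Authorization and X-Operator-Id agree, else None.
    The bearer is looked up under the operator it was issued for, so changing X-Operator-Id
    with someone else's token fails closed instead of provisioning into another tenant."""
    op, auth = headers.get("X-Operator-Id"), headers.get("Authorization", "")
    if not op or not auth.startswith("Bearer "):
        return None
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    expected = store.get(op)
    if expected is None or not hmac.compare_digest(presented, expected):
        return None
    return op

def upsert_user(operator_id: str, resource: dict, users: dict) -> dict:
    """Apply a SCIM User resource (POST /Users or PUT /Users/{id}) sent by the IdP.
    Unknown schemas are rejected rather than ignored; role / sar_visible come from the extension."""
    schemas = set(resource.get("schemas", []))
    if CORE_USER not in schemas or not schemas <= {CORE_USER, KURAL_EXT}:
        raise ValueError("unsupported schemas: %s" % sorted(schemas))
    ext = resource.get(KURAL_EXT, {})
    user = {"operator_id": operator_id, "external_id": resource.get("externalId"),
            "username": resource["userName"], "active": bool(resource.get("active", True)),
            "role": ext.get("role"), "sar_visible": bool(ext.get("sar_visible", False))}
    users[(operator_id, user["username"])] = user        # keyed per operator: no cross-tenant overwrite
    return user

def session_allows(session: dict, users: dict) -> bool:
    """Dashboard middleware check run on every request: the session is only good while its user
    is still active, so an IdP deprovisioning (active=false) locks the user out on the next request."""
    user = users.get((session["operator_id"], session["username"]))
    return bool(user and user["active"])
```

The deactivation path is the one to test from the IdP side: push an active=false for a signed-in user and confirm their next dashboard request is refused without waiting for the 12h cookie TTL.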