Configure OpenID Connect Identity Provider
MariaDB Enterprise Manager can be integrated with external identity providers (like Okta, Keycloak, or Azure AD) using OpenID Connect (OIDC). This allows you to centralize user authentication, enforce your organization's security policies, and enable single sign-on (SSO).
Before You Begin
Before configuring OIDC in Enterprise Manager, you must first register Enterprise Manager as a client application within your Identity Provider's administrative console and obtain the necessary credentials.
Configure client settings in your identity provider
In your Identity Provider's client configuration screen, you will need to provide several URLs that point back to your MariaDB Enterprise Manager instance. These URLs tell the provider where to send the user after authentication and what origins are allowed to make requests.

While the exact field names may vary, you must configure the following endpoints, replacing <Your_Enterprise_Manager_Address> with the actual address of your instance:
Root / Home URL: https://<Your_Enterprise_Manager_Address>:8090
Valid Redirect URI: https://<Your_Enterprise_Manager_Address>:8090/landing
Valid Post Logout Redirect URI: https://<Your_Enterprise_Manager_Address>:8090/
Web Origins: https://<Your_Enterprise_Manager_Address>:8090
Obtain your credentials
Once the client application is saved in your Identity Provider, find and copy the following values:
Authentication URL: The provider's endpoint for authentication requests.
Client ID: The unique ID for the Enterprise Manager application.
Client Secret: The secret key for the Enterprise Manager application.
Enter your OIDC provider details
On the OpenID Connect (OIDC) configuration page, fill in the details from your provider:
Authentication URL: The full URL for your OIDC provider's authentication endpoint.
Authentication Flow: Choose the OIDC flow. auto is the default and is recommended for most providers.
Client ID: The Client ID you obtained from your provider.
Client Secret: The Client Secret you obtained from your provider.
OIDC Using Keycloak
Here is an example of what the filled-in fields might look like if you are using Keycloak.
Authentication URL: This is the URL to your specific Keycloak realm: http://<keycloak_ip>:<port>/realms/<your_realm>
Authentication Flow: The default auto flow is recommended for Keycloak.
Client ID: The Client ID you configured for the application within your Keycloak realm: enterprise-manager
Client Secret: This secret is generated by Keycloak and found in the 'Credentials' tab of your client configuration in the Keycloak admin console: 12345ab-c67d-89e0-f123-456789abcdef
Mapping IDP Roles to Enterprise Manager Permissions
For Enterprise Manager to assign the correct permissions to a user logging in via OIDC, it expects the JWT issued by your provider to contain a specific field (claim) named account.
The value of this account field must exactly match the name of a role that exists in MariaDB Enterprise Manager (for example, admin, viewer, or a custom role).
Example JWT payload showing the account claim
{
"account": "admin",
"aud": "admin",
"exp": 1760133641,
"iat": 1760104841,
"iss": "maxscale",
"jti": "0780a545-bb7a-404d-a384-64d04557801d",
"sub": "admin"
}
This token's account claim value "admin" would grant the user the admin role upon login.
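The following is an added example, not MariaDB's own code, of how a relying party would apply the rule above: verify the token first, then map the account claim to a role only on an exact match. It assumes an HS256 shared-secret signature for self-containment (a production IdP would normally sign with RS256 and publish its keys), and the role set KNOWN_ROLES is constructed to include the admin and viewer roles named above plus a placeholder custom role.

```python
import base64, hashlib, hmac, json, time

# Roles that exist in Enterprise Manager (constructed set: "admin" and
# "viewer" are named on the page, "custom-dba" stands in for a custom role).
KNOWN_ROLES = {"admin", "viewer", "custom-dba"}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT for the demo (constructed, not from any IdP)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def resolve_role(token: str, secret: bytes, expected_aud: str, now=None):
    """Return (role, "ok") or (None, reason) for a token.

    Signature, audience and expiry are checked before the account claim is
    read, so an unverified or stale token never yields a role. The account
    value must match an existing role exactly (case-sensitive).
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None, "malformed token"
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"          # never accept alg=none or a downgrade
    expected_sig = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != expected_aud:
        return None, "audience mismatch"
    if int(claims.get("exp", 0)) <= now:
        return None, "token expired"
    account = claims.get("account")
    if account not in KNOWN_ROLES:
        return None, f"no role named {account!r}"
    return account, "ok"
```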
Resetting the OIDC Configuration
To restore the default settings:
Click the Reset Configuration button.

In the confirmation dialog, click Reset.

A success message will confirm the reset.
Copyright © 2025 MariaDB. All rights reserved.