RealTheory Resources

RealTheory supports user log in through Single Sign-On (SSO) for the following identity providers who support OAuth 2.0 with OpenID Connect (OIDC):

Prerequisites

To set up SSO, you must have the following:

An SSO identity provider that supports the OAuth 2.0 with OpenID Connect (OIDC)
For more information, see:
Okta: See https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
Microsoft Entra: See https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
Google Identity Platform (IDP): See https://cloud.google.com/identity-platform/docs/web/oidc
A RealTheory integration with your selected SSO identity provider, set up as an OIDC Web App and with the Authorization Code grant type. The OAuth Callback URL can be found in Settings > Identity in the RealTheory console
,Okta Example: See https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#set-up-your-app, where Proof Key for Code Exchange (PKCE) must not be enabled
Either the sys_admin role or the sso_admin role assigned to your user account
Certain information about your identity provider, such as your client ID and secret, the authorization URL, and the access token URL

RealTheory supports user log in through Single Sign-On (SSO) for the following identity providers who support OAuth 2.0 with OpenID Connect (OIDC):

To set up SSO, you must have the following:

An SSO identity provider that supports the OAuth 2.0 with OpenID Connect (OIDC)
For more information, see:
Okta: See https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
Microsoft Entra: See https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
Google Identity Platform (IDP): See https://cloud.google.com/identity-platform/docs/web/oidc
A RealTheory integration with your selected SSO identity provider, set up as an OIDC Web App and with the Authorization Code grant type. The OAuth Callback URL can be found in Settings > Identity in the RealTheory console
,Okta Example: See https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#set-up-your-app, where Proof Key for Code Exchange (PKCE) must not be enabled
Either the sys_admin role or the sso_admin role assigned to your user account
Certain information about your identity provider, such as your client ID and secret, the authorization URL, and the access token URL

Field	Description	Required
Name	Name for your SSO - OAuth 2.0 profile	Yes
Description	Comments that will help you remember the purpose and scope of the configuration	No
OAuth Authorize URL	The identity provider endpoint where users initiate the authorization process	Yes
OAuth Access Token URL	The identity provider endpoint where RealTheory sends a request to exchange the authorization code for an access token	Yes
Client ID	Client ID issued by your identity provider	Yes
Client Secret	Client secret associated with your client ID	Yes

Identity Provider	Select
Okta	openid (selected by default)
Microsoft Entra	openid (selected by default)
Google Identity Platform (IDP)	openid (selected by default) and email

Field	Description
Process Group Claims	Enables processing of group claims from your identity provider to manage user group assignments
Group Claim Name	The name of the group claim in your identity provider token e.g., groups
OIDC Admin Group Name	The name of the admin group claim in your identity provider token e.g., admins
Create groups from group claims	When enabled, automatically creates RealTheory groups that match the values in the group claim
Create group memberships from group claims	When enabled, automatically assigns users to groups in RealTheory that match the group claim values

Field	Description
Process Role Claims	Enables processing of role claims from your identity provider to manage user role assignments
Role Claim Name	The name of the role claim in your identity provider token e.g., roles
Create role assignments from role claims	When enabled, users are assigned roles in RealTheory based on the values returned in the role claim