
# Single Sign On (SSO) with OpenID Connect (OIDC)

> Learn how to integrate external services with Tyk API Gateway. Discover how to use middleware plugins, webhooks, and service discovery to extend your API functionality and connect with third-party systems.

## Overview

Single Sign-On (SSO) with OpenID Connect (OIDC) allows Tyk Dashboard or Developer Portal users to authenticate using their existing identity provider credentials, creating a seamless login experience. This integration leverages Tyk Identity Broker (TIB), which acts as a bridge between Tyk and various identity providers such as Auth0, Keycloak, and other OIDC-compatible systems.

<br />

<Note>
  To activate SSO on the Dashboard or Developer portal, there’s no requirement to install TIB separately; it is integrated into the Dashboard and Developer Portal. You have two configurations for SSO within the dashboard:

  1. **Using Embedded TIB**: No need to install it separately.
  2. **Using External TIB**: If you are using a previous version of the Dashboard or Portal, you can still use SSO with TIB installed as a separate application.
</Note>

### Basic Implementation Steps

To set up SSO with OIDC in Tyk:

1. Access the Identity Manager under System Management in the Tyk Dashboard
2. Create a profile for your preferred IDP
3. Get the `client_id` + `secret` that are defined on your IDP
4. Set the `Callback URL` generated by Tyk on your IDP
5. Provide your SSO profile in Tyk with the `Discover URL (well known endpoint)`
6. Visit the Login URL after saving your profile to initialize the login
7. More Docs for the flow can be found on our [GitHub TIB repo README](https://github.com/TykTechnologies/tyk-identity-broker) and our [3rd Party integration docs](/5.12/api-management/external-service-integration)


## SSO with Azure Active Directory (AD)

This is an end-to-end worked example of how you can use [AzureAD](https://www.microsoft.com/en-gb/security/business/identity-access/microsoft-entra-id) and our [Tyk Identity Broker (TIB)](https://tyk.io/docs/concepts/tyk-components/identity-broker/) to log in to your Dashboard.
This guide assumes the following:

You already have authorized access to Tyk's Dashboard. If you haven't, get the authorization key by following this [guide](/5.12/api-management/user-management#using-dashboard-api).

### Configuration at Azure

1. Access your Azure Portal and navigate to the Azure Active Directory page.

2. Go to app registrations and create or access an application you want to use for Dashboard access.

   * If you are creating an application, give it a name and register it

3. Add a redirect URL to your application as callback to TIB in your Azure application:

   * In your app, via the Authentication menu or the redirect URL shortcut, add the redirect to TIB in the Web category, i.e. `http://localhost:3000/auth/{PROFILE-NAME-IN-TIB}/openid-connect/callback`.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/redirect-URL-1.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=f080800d386d13a628013ce1d7ce9099" alt="Redirect URL" width="500" height="174" data-path="img/azureAD/redirect-URL-1.png" />

4. Go to Overview and add a secret in Client Credentials. Don't forget to copy the secret value, not the secretID.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/overview-1.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=d51a3b087080c7688bebd2d8ec1eede3" alt="Overview" width="600" height="105" data-path="img/azureAD/overview-1.png" />

Check Microsoft's [documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) for more detail.

### Configuration at Dashboard

1. Log in to your dashboard and select Identity Management, located under System Management
2. Create a profile and select OpenID Connect as the provider type
3. Under Profile Configuration, paste the secret value, clientID, and well-known endpoint URL from the Azure site.

   * Profile Configuration may look something like this:

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/profile-configuration-1.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=834794ed740e2b43bc9a82eb0c547caa" alt="Profile Configuration" width="500" height="462" data-path="img/azureAD/profile-configuration-1.png" />

   * The well-known endpoint URL is created by Azure and can be located by selecting Endpoints on their site

   <img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/endpoints-11.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=fd232b283dfc513800f433e493718835" alt="Endpoints" width="1436" height="738" data-path="img/azureAD/endpoints-11.png" />

### Test your Azure Login:

From the browser call `http://localhost:3000/auth/{PROFILE-NAME-IN-TIB}/openid-connect`

* If it's working you'll be redirected to Azure's web page and asked for your username and password.

  <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/username.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=2f5d7a69be2804e545a4638a9f6111bf" alt="Username" width="600" height="561" data-path="img/azureAD/username.png" />

  <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/password.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=de33a1abdcf4111eaef152d6e18b169a" alt="Password" width="600" height="458" data-path="img/azureAD/password.png" />

* After successful authentication you'll be redirected to the Tyk Dashboard and logged in.

  <img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/dashboard.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=e70f023fbe04d0fedb3598ffb8c3e395" alt="Dashboard" width="1000" height="469" data-path="img/azureAD/dashboard.png" />

### Enhancements

Once it's working you can also add more enhancements such as automatic user group mapping from your AzureAD security groups or users groups to Tyk Dashboards groups.

#### User group mapping

Group mapping can be managed from Advanced Settings section of the Profile Configuration screen.

<img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/additional-options.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=e734202728ee354f560c120ec8a7a799" alt="Profile Configuration - Additional Options" width="500" height="321" data-path="img/azureAD/additional-options.png" />

As illustrated in the screen below the following information must be provided:

* Identity provider role
* Tyk User Group: This can be created from the User Groups section of the dashboard. When creating your User Group, you can also select and adjust the permissions for each group.

For more information on how to set and change user permissions, head to this [guide](/5.12/api-management/user-management#using-dashboard-ui-1)

<img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/raw-editor.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=26e929e8375c8dd5789f92fd87f53502" alt="Profile Configuration - Raw-editor" width="400" height="111" data-path="img/azureAD/raw-editor.png" />

You can select the scopes you would like your request to include. By default, Tyk requests the `openid` scope; anything additional must be requested explicitly.

### OpenID Connect Example

For debugging purposes, you can find an example we created using the OpenID Connect playground.

1. Add the redirect url found on the OpenID Connect site to the redirect urls found under the Web section

   <img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/openid_connect/access_redirect_urls.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=3bab3f88e11d46f8b22a4983785cb4fb" alt="Access redirect urls" width="600" height="220" data-path="img/azureAD/openid_connect/access_redirect_urls.png" />

   <img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/openid_connect/additional_redirect_url.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=7fba0b757fe94415c4a8435806cac187" alt="Additional URL Added" width="700" height="155" data-path="img/azureAD/openid_connect/additional_redirect_url.png" />

2. Copy the OpenID Connect endpoint from the Azure site

3. On the OpenID Connect site select Edit. In the Server Template dropdown menu select the Custom option and paste the endpoint in the Discovery Document URL.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/edit_button.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=afccdd93df763c1f589cfb3f9b6c3528" alt="Edit Button" width="600" height="492" data-path="img/azureAD/openid_connect/edit_button.png" />

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/custom_dropdown.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=150442758b9e4f44084170bf3be88522" alt="Custom Dropdown" width="800" height="605" data-path="img/azureAD/openid_connect/custom_dropdown.png" />

4. Press the Use Discovery Document button and this will autofill Authorization Token Endpoint, Token Endpoint, and Token Keys Endpoint

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/discovery_document.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=356d83349cfbb25eb65b8400acdd6229" alt="Discovery Document" width="800" height="605" data-path="img/azureAD/openid_connect/discovery_document.png" />

5. Copy and paste the Client ID and Client Secret from the Azure site to your ConnectID. Scope is autofilled for you and save the configuration.

   <img src="https://mintcdn.com/tyk/iulB7pWrSP_hEp45/img/azureAD/openid_connect/client_id_client_secret.png?fit=max&auto=format&n=iulB7pWrSP_hEp45&q=85&s=01542588bd6633ebe0f56a8838aa9ae4" alt="Client ID and Secret" width="800" height="602" data-path="img/azureAD/openid_connect/client_id_client_secret.png" />

6. Press start at the bottom of the Request window and if done correctly, this should prompt you to sign in to your Azure account.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/step-2.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=fe91eda08dc3a1801d77d5fa594aa5a3" alt="OpenID Connect Step 2" width="500" height="395" data-path="img/azureAD/openid_connect/step-2.png" />

7. You should then be redirected back to OpenID Connect where you'll be shown the Exchange Code. This needs to be turned into an access token. Press the exchange button under the request and then press Next.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/step-3.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=1fa8f3223ffbaeb7733fb6d82efbae1c" alt="OpenID Connect Step 3" width="500" height="326" data-path="img/azureAD/openid_connect/step-3.png" />

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/step-4.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=a90d036d9b4a88833f1d6bf8552957b4" alt="OpenID Connect Step 4" width="500" height="652" data-path="img/azureAD/openid_connect/step-4.png" />

8. We can then verify this by pressing the verify button. We can also view the information or scope of what is being returned by heading to jwt.io and viewing the payload data there.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/step-5.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=2ee1dcf741fdc67c034e7d4e30652ae6" alt="OpenID Connect Step 5" width="500" height="408" data-path="img/azureAD/openid_connect/step-5.png" />

9. We are given an object of key/value pairs; we can pass the key (e.g. `name`) to our Custom User Group and its value to our Identity Provider Role in the Tyk Dashboard, as shown in the example above.

   <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/azureAD/openid_connect/step-6.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=a1b41f9d885d07dd18718f5714c5748a" alt="OpenID Connect Step 6" width="500" height="381" data-path="img/azureAD/openid_connect/step-6.png" />

To try this yourself, we have included the link: [https://openidconnect.net/](https://openidconnect.net/)

## SSO with Okta

This is an end-to-end worked example of how you can use [Okta](https://www.okta.com/) and the Tyk Identity Broker to log into your Dashboard.
This guide assumes the following:

* You already have authorized access to Tyk's Dashboard. If you haven't, [get the authorization key by following this doc](/5.12/api-management/user-management#using-dashboard-api).
* For simplicity, you are running TIB locally on port 3010
* You are able to edit TIB's configuration file.

### Configuration at Okta

1. Create a developer account on the [Okta Developer site](https://developer.okta.com/).
   You'll get an Okta org domain; its OIDC discovery document is at `https://<okta-org>.okta.com/.well-known/openid-configuration`

2. Login and create a Web Application as follows:

   * Under `Application`, click `Add Application`
   * Choose `Web`
   * Change the name of the app
   * Tick `Authorization Code`
   * Click `Done`

   Note: These instructions are for Okta's new `Developer Console`; for the `Classic UI` the instructions are slightly different.

3. Add a callback to TIB in your application:
   * Under `General`, click `Edit` and update the `Login redirect URIs` field with the endpoint on TIB `http://localhost:3010/auth/{PROFILE-NAME-IN-TIB}/openid-connect/callback`.
   * `{PROFILE-NAME-IN-TIB}` - this can be any string you choose, as long as you use the same one for the profile in TIB.

4. Permissions to login via Okta:
   Under the `Assignments` tab, make sure group assignments is set to *everyone* (for now, you will change this later!).

5. This is how it should look after step 4

<img src="https://mintcdn.com/tyk/hNKYKS3toBzXBARB/img/okta-sso/Okta-create-app.png?fit=max&auto=format&n=hNKYKS3toBzXBARB&q=85&s=b4a800a1135aba1d59bc5cdbe58aa2f6" alt="okta-create-app" width="1366" height="1660" data-path="img/okta-sso/Okta-create-app.png" />

### Configuration at TIB

6. Set the profile in `profiles.json` as follows:

   * Copy from your Okta client the `Client ID` to `ProviderConfig.UseProviders[].key`
   * Copy from your Okta client the `Client secret` to `ProviderConfig.UseProviders[].secret`
   * Add Okta's discovery url `"https://<okta-org>.okta.com/.well-known/openid-configuration"` to `ProviderConfig.UseProviders[].DiscoverURL`

   Example of a `profiles.json` file:

```json
[{
  "ActionType": "GenerateOrLoginUserProfile",
  "ID": "{PROFILE-NAME-IN-TIB}",
  "OrgID": "5a54a74550200d0001975584",
  "IdentityHandlerConfig": {
    "DashboardCredential": "{DASHBOARD-SECRET}"
  },
  "ProviderConfig": {
    "CallbackBaseURL": "http://{TIB-DOMAIN}:{TIB-PORT}",
    "FailureRedirect": "http://{DASHBOARD-DOMAIN}:{DASHBOARD-PORT}/?fail=true",
    "UseProviders": [
      {
        "Key": "{Okta-App-Client-ID}",
        "Secret": "{Okta-App-Client-SECRET}",
        "Scopes": ["openid", "email"],
        "DiscoverURL": "https://<okta-org>.okta.com/.well-known/openid-configuration",
        "Name": "openid-connect"
      }
    ]
  },
  "ProviderName": "SocialProvider",
  "ReturnURL": "http://{DASHBOARD-DOMAIN}:{DASHBOARD-PORT}/tap",
  "Type": "redirect"
}]
```

7. Start TIB by running the binary (`profiles.json` is in the same CWD)
   See [Install TIB](/5.12/api-management/external-service-integration) for detailed instructions on how to install TIB
8. Test that it works:
   From the browser call `http://localhost:3010/auth/{PROFILE-NAME-IN-TIB}/openid-connect`
   * If it's working you'll be redirected to Okta's web page and will be asked to enter your Okta user name and password.
   * If you were successfully authenticated by Okta then you'll be redirected to the Tyk Dashboard and logged into it without going through the login page. Job's done!
9. If you need to update your profile then you can use TIB's REST API as follows:

```bash
curl http://{TIB-DOMAIN}:{TIB-PORT}/api/profiles/{PROFILE-NAME-IN-TIB} -H "Authorization: {MY-SECRET}" -H "Content-type: application/json" -X PUT --data "@./my-new-dashboard-profile.json" | prettyjson
```

* POST and DELETE calls apply as normal
* You can post a few profiles to TIB.
* See [TIB REST API](/5.12/tyk-identity-broker/tib-rest-api) for more details.

### Understanding the flow

1. The initial call to the endpoint on TIB was redirected to Okta
2. Okta identified the user
3. Okta redirected the call back to the TIB endpoint (according to the callback you set up on the client earlier in step 3)
4. TIB, via a REST API call to the dashboard, created a nonce and a special session attached to it.
5. TIB redirected the call to a special endpoint on the dashboard, `/tap` (defined on the profile under `ReturnURL`), with the nonce that was created.
6. The Dashboard, on the `/tap` endpoint, finds the session attached to the `nonce`, logs the user in and redirects to the dashboard's first page
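The handoff in steps 4 to 6 rests on the nonce being redeemable exactly once and only for a short time; otherwise a leaked `/tap` URL would log in whoever replays it. The following is an added example, a simplified model written for this guide and not Tyk's Dashboard or TIB code. The query parameter name `nonce`, the lifetime `NONCE_TTL_SECONDS` and the returned session shape are assumptions made for illustration:

```python
import secrets
import time

# Assumed short lifetime for the handoff nonce; the real Dashboard value is not stated on this page.
NONCE_TTL_SECONDS = 60


class DashboardTapModel:
    """Model of the Dashboard side of the TIB handoff (illustrative, not Tyk's implementation)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested deterministically
        self._pending = {}           # nonce -> (user_email, expires_at)

    def create_sso_session(self, user_email: str) -> str:
        """Step 4: TIB asks the Dashboard (via its REST API) to create a nonce-bound session."""
        nonce = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
        self._pending[nonce] = (user_email, self._clock() + NONCE_TTL_SECONDS)
        return nonce

    def tap(self, nonce: str):
        """Step 6: the browser arrives at /tap with the nonce; redeem it exactly once.

        Returns the logged-in session, or None if the nonce is unknown, replayed or expired.
        """
        entry = self._pending.pop(nonce, None)   # pop(): a second use finds nothing
        if entry is None:
            return None
        user_email, expires_at = entry
        if self._clock() > expires_at:
            return None                          # too old: treat like an unknown nonce
        return {"user": user_email, "logged_in": True}


def build_tap_redirect(return_url: str, nonce: str) -> str:
    """Step 5: the redirect TIB sends the browser to, i.e. ReturnURL plus the nonce (assumed parameter name)."""
    return f"{return_url}?nonce={nonce}"


if __name__ == "__main__":
    dashboard = DashboardTapModel()
    # Constructed user identity, standing in for what the IdP returned in step 2.
    nonce = dashboard.create_sso_session("alice@example.com")
    print("redirect:", build_tap_redirect("http://localhost:3000/tap", nonce))
    print("first tap:", dashboard.tap(nonce))    # session
    print("replayed tap:", dashboard.tap(nonce)) # None
```

Two properties matter when you review a handoff like this: the nonce is consumed on first use (so a replayed redirect fails) and it expires on its own (so a nonce that was never redeemed does not stay valid indefinitely).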

### Enabling MFA and SSO

Once it's working you can also add two more enhancements - SSO and MFA

#### SSO login into the Dashboard via a login page

You will need to:

* set up a web server with a login page and a form for `user` and `password`
* Update `tyk_analytics.conf` to redirect logins to that URL
  Explicit details are in [steps 6-7](/5.12/api-management/single-sign-on-ldap#create-login-page)

#### Multi-Factor-Authentication (MFA) Support

MFA works out-of-the-box in Tyk since Okta supports it. You need to add it to the configuration of the account holder. Under `Security --> Multifactor --> Factor types` you can choose the types you want. For instance, I chose Google Authenticator.

1. While trying to login to the Dashboard, Okta enforced the MFA and asked me to use the Google Authenticator:

<img src="https://mintcdn.com/tyk/hNKYKS3toBzXBARB/img/okta-sso/okta-mfa-setup-1.png?fit=max&auto=format&n=hNKYKS3toBzXBARB&q=85&s=407b3d391a3225ffeb5e98c4c18572a7" alt="okta-mfa-setup-1" width="2544" height="1544" data-path="img/okta-sso/okta-mfa-setup-1.png" />

2. I had to download the Google Authenticator and identify with the generated code

<img src="https://mintcdn.com/tyk/hNKYKS3toBzXBARB/img/okta-sso/okta-mfa-download-google-authenticator-2.png?fit=max&auto=format&n=hNKYKS3toBzXBARB&q=85&s=749acf62beba904e9a8519cddd1c7d9c" alt="okta-mfa-download-google-authenticator-2" width="2634" height="1546" data-path="img/okta-sso/okta-mfa-download-google-authenticator-2.png" />

3. I successfully authenticated with Google Authenticator

<img src="https://mintcdn.com/tyk/hNKYKS3toBzXBARB/img/okta-sso/okta-mfa-google-auth-approved-3.png?fit=max&auto=format&n=hNKYKS3toBzXBARB&q=85&s=3c11c84e533bf28c19f7356cb5e9f851" alt="okta-mfa-google-auth-approved-3" width="2572" height="1560" data-path="img/okta-sso/okta-mfa-google-auth-approved-3.png" />

### Common Error

If you get a `400 Bad Request` it means the profile name in the login endpoint is not identical to the profile name in the callback that you set up on Okta's app:

* On Okta's app - `Login redirect URIs:` `http://localhost:3010/auth/{PROFILE-NAME-IN-TIB}/openid-connect/callback`.
* The endpoint to test - `http://localhost:3010/auth/{PROFILE-NAME-IN-TIB}/openid-connect`

<img src="https://mintcdn.com/tyk/hNKYKS3toBzXBARB/img/okta-sso/okta-bad-request-wrong-callback.png?fit=max&auto=format&n=hNKYKS3toBzXBARB&q=85&s=e8f97493ce161682a0168382fb3d6e16" alt="okta-bad-request-wrong-callback" width="2074" height="1610" data-path="img/okta-sso/okta-bad-request-wrong-callback.png" />
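The `400 Bad Request` above comes from a mismatch between the profile name in the TIB callback registered at the IdP and the one in `profiles.json`. The following is an added example, written for this guide rather than taken from Tyk or TIB: a small offline check that derives the callback and login URLs from a profile and compares them with the redirect URI registered at the IdP, alongside sanity checks on `DiscoverURL` and `Scopes`. The profile content is constructed with placeholder values, and the helper names are my own:

```python
import json
from urllib.parse import urlparse

# Constructed profiles.json, shaped like the TIB example in this guide; all secrets are placeholders.
PROFILES_JSON = """
[{
  "ActionType": "GenerateOrLoginUserProfile",
  "ID": "okta-dash",
  "OrgID": "ORG-ID-PLACEHOLDER",
  "IdentityHandlerConfig": {"DashboardCredential": "DASHBOARD-SECRET-PLACEHOLDER"},
  "ProviderConfig": {
    "CallbackBaseURL": "http://localhost:3010",
    "FailureRedirect": "http://localhost:3000/?fail=true",
    "UseProviders": [{
      "Key": "CLIENT-ID-PLACEHOLDER",
      "Secret": "CLIENT-SECRET-PLACEHOLDER",
      "Scopes": ["openid", "email"],
      "DiscoverURL": "https://example.okta.com/.well-known/openid-configuration",
      "Name": "openid-connect"
    }]
  },
  "ProviderName": "SocialProvider",
  "ReturnURL": "http://localhost:3000/tap",
  "Type": "redirect"
}]
"""


def load_profiles(text: str = PROFILES_JSON) -> list:
    """Parse a profiles.json document (a JSON array of profiles)."""
    return json.loads(text)


def login_url(profile: dict) -> str:
    """The endpoint you call in the browser to start the login: {CallbackBaseURL}/auth/{ID}/openid-connect"""
    base = profile["ProviderConfig"]["CallbackBaseURL"].rstrip("/")
    return f"{base}/auth/{profile['ID']}/openid-connect"


def callback_url(profile: dict) -> str:
    """The callback TIB exposes for the profile; this is what must be registered at the IdP."""
    return login_url(profile) + "/callback"


def check_profile(profile: dict, registered_redirect_uri: str) -> list:
    """Return a list of findings; an empty list means the profile passed every check."""
    findings = []
    expected = callback_url(profile)
    if registered_redirect_uri != expected:
        findings.append(
            f"redirect URI mismatch: IdP has {registered_redirect_uri!r} but TIB expects {expected!r} "
            "(this is the 400 Bad Request case)"
        )
    for provider in profile["ProviderConfig"]["UseProviders"]:
        discover = urlparse(provider.get("DiscoverURL", ""))
        if discover.scheme != "https":
            findings.append("DiscoverURL must use https so the discovery document cannot be tampered with in transit")
        if not discover.path.endswith("/.well-known/openid-configuration"):
            findings.append("DiscoverURL should point at the IdP's /.well-known/openid-configuration document")
        if "openid" not in provider.get("Scopes", []):
            findings.append("Scopes must include 'openid', otherwise the IdP will not issue an ID token")
        for field in ("Key", "Secret"):
            if not provider.get(field):
                findings.append(f"UseProviders[].{field} is empty")
    return findings


if __name__ == "__main__":
    profile = load_profiles()[0]
    print("login URL:   ", login_url(profile))
    print("callback URL:", callback_url(profile))
    # Constructed: the redirect URI someone registered at the IdP with a different profile name.
    for finding in check_profile(profile, "http://localhost:3010/auth/okta/openid-connect/callback"):
        print("finding:", finding)
```

Run it against your own `profiles.json` by passing the file's content to `load_profiles` and the redirect URI from the IdP's application settings to `check_profile`; a clean run returns no findings.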

## SSO with Auth0

This will walk you through securing access to your Tyk Dashboard using OpenID Connect (OIDC) identity tokens with Auth0. We also have the following video that will walk you through the process.

<iframe width="560" height="315" src="https://www.youtube.com/embed/sqxXnAwhP-s" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen />

**Prerequisites**

* A free account with [Auth0](https://auth0.com/)
* A Tyk Self-Managed or Cloud installation
* Our Tyk Identity Broker (TIB). You can use the internal version included with a Tyk Self-Managed installation and Tyk Cloud, or an external version. See [Tyk Identity Broker](/5.12/api-management/external-service-integration#what-is-tyk-identity-broker-tib-) for more details.

### Create a new user in Auth0

1. Log in to your Auth0 account.
2. Select **Users** from the **User Management** menu.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-create-user.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=5a7a96c2d16c8ed5c9f8368ce7f17658" alt="Auth0 Create User" width="800px" height="400" data-path="img/sso-auth0/auth0-create-user.png" />

3. Click Create User and complete the new user form, using the default **Username-Password-Authentication** Connection method.
4. Click Create to save your new user.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-user-details.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=e118bf15c9373885e75b42eb41804c60" alt="Auth0 User profile" width="400px" height="400" data-path="img/sso-auth0/auth0-user-details.png" />

### Create an Auth0 application

You will use settings from your Auth0 application within the Tyk Dashboard Identity profile you will create.

1. Select Applications from the Auth0 menu.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-create-app.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=f67de08b061ef579dae6114b1e6246b2" alt="Auth0 Applications" width="400px" height="300" data-path="img/sso-auth0/auth0-create-app.png" />

2. Click **Create Application**.
3. Give your application a name and select **Regular Web Application** from the applications types.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-app-type.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=9287c8e4bc0f7592fdc53c7821f6c75d" alt="Auth0 Application information" width="400px" height="400" data-path="img/sso-auth0/auth0-app-type.png" />

4. Click **Create**.
5. After your application has been created select the **Basic Information** tab.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-app-basic-info.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=9b9bc2273aaf1fcbfa2502a8bf4914a1" alt="Auth0 Application Basic information" width="400px" height="400" data-path="img/sso-auth0/auth0-app-basic-info.png" />

6. You will use the **Domain**, **Client Id** and **Client Secret** values in the Identity profile you create next in the Tyk Dashboard.

### Create an Identity Management profile in your Dashboard

1. Log in to your Tyk Dashboard as an Admin user.
2. Select **Identity Management** from the **System Management** menu.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-create-profile.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=c7bdfd9632c9387c994c036c9f333930" alt="Create Identity profile" width="800px" height="400" data-path="img/sso-auth0/tyk-create-profile.png" />

3. Click **Create Profile**.
4. In the **Profile action** section enter a name for your profile and make sure the **Login to Tyk Dashboard** option is selected.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-new-profile.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=eb0aa37b59d8368667c7b6e305a2c8f0" alt="Identity Profile action settings" width="400px" height="400" data-path="img/sso-auth0/tyk-new-profile.png" />

5. Click Next. In the **Provider type** section, select **OpenID Connect**.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-openid.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=6073d766fab09f907defee55489fbb71" alt="Identity profile Provider type" width="400px" height="400" data-path="img/sso-auth0/tyk-openid.png" />

6. Click Next. Copy the **Client ID** value from your **Auth0 application** > **Basic Information** and paste it in the **Client ID / Key** field.

7. Copy the **Client Secret** value from your **Auth0 application** > **Basic Information** and paste it in the **Secret** field.

8. You need to add a **Discover URL (well known endpoint)**. Use the following URL, replacing `<<your-auth0-domain>>` with the **Domain** value from your **Auth0 application** > **Basic Information**.

   `https://<<your-auth0-domain>>/.well-known/openid-configuration`

   <img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-new-profile-config.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=5d2bca85b913481e7354a2b0a728f031" alt="Tyk new identity profile configuration" width="400px" height="400" data-path="img/sso-auth0/tyk-new-profile-config.png" />

9. Copy the **Callback URL** and paste it into the **Allowed Callback URLs** field in your **Auth0 application** > **Basic Information**.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-tyk-callback-url.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=9bba3e8fac40f242930e57d7852c6985" alt="Auth0 Allowed Callback URLs" width="400px" height="400" data-path="img/sso-auth0/auth0-tyk-callback-url.png" />

10. Click **Save Changes** to update your Auth0 Application.
11. Click **Create Profile** to save your Identity profile in your Tyk Dashboard.

### Test your Auth0 Login

1. From your **Identity Management Profiles** click the profile you created to open it.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-profile-list.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=e9a5158677a0e40f9c6afe12a73fce74" alt="Tyk Identity Profiles" width="800px" height="400" data-path="img/sso-auth0/tyk-profile-list.png" />

2. Click the **Login URL**.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-id-profile-provider-config.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=b84a4af546c621731100196ecc764b65" alt="Tyk Identity Profile Config" width="800px" height="400" data-path="img/sso-auth0/tyk-id-profile-provider-config.png" />

3. You will now see the Auth0 login form in a browser tab.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-login.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=3dd2314c74b5fc33bd134e2f13e7bf8b" alt="Auth0 login form" width="400px" height="400" data-path="img/sso-auth0/auth0-login.png" />

4. Enter the email address and password of your Auth0 user.
5. You may be asked to authorize your Auth0 application.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/auth0-accept.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=f1d3d6daf2c81d7cbeb5a0970e2bdc35" alt="Accept Auth0 application" width="400px" height="400" data-path="img/sso-auth0/auth0-accept.png" />

6. Click **Accept**.
7. You will now be taken to the Tyk Dashboard.

<img src="https://mintcdn.com/tyk/Edt_pjJ2HlThUDxU/img/sso-auth0/tyk-dash-success.png?fit=max&auto=format&n=Edt_pjJ2HlThUDxU&q=85&s=f8c4234aa2f1b2f291024c9cf7893209" alt="Tyk Dashboard from Auth0 SSO login" width="800px" height="400" data-path="img/sso-auth0/tyk-dash-success.png" />

## SSO with Keycloak

This is a walk-through of how you can use [Keycloak](https://www.keycloak.org) and our (internal/embedded) Tyk Identity Broker (TIB) to log in to your Dashboard. This guide assumes you have existing Keycloak and Tyk Pro Environments.

### Configuration at KeyCloak

1. In your desired Realm, create a client of OpenID Connect type, and set your desired Client ID.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/create-client.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=40a6e4e1dcb203f21bed7b4b0984a5da" alt="Create Client" width="900px" height="900" data-path="img/keycloak-sso/create-client.png" />

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/create-client2.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=55d36d345a9a815ddcdf6c114e3cba85" alt="Set Client Type and ID" width="900px" height="900" data-path="img/keycloak-sso/create-client2.png" />

2. Enable client authentication, then save the client.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/enable-client-auth.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=bf10dce5176a5ae87fbc4802522f5c63" alt="Enable Client Auth" width="900px" height="900" data-path="img/keycloak-sso/enable-client-auth.png" />

3. Retrieve the Secret (from the credentials tab) of the Client you just created. You will need the Client ID and Secret in later steps.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/retrieve-client-secret.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=6aacddd46e88de7abecc283eb35dc537" alt="Retrieve Client Secret" width="900px" height="900" data-path="img/keycloak-sso/retrieve-client-secret.png" />

4. Retrieve the discovery endpoint of the realm, `https://<your-keycloak-host-and-realm>/.well-known/openid-configuration`.

   This is accessible from “Realm Settings” > “General” Tab > OpenID Endpoint Configuration. You will need it in later steps.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/realm-discovery-endpoint.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=4b92203b3341bdbbd3a41145b7bce75f" alt="Keycloak discovery endpoint" width="900px" height="600" data-path="img/keycloak-sso/realm-discovery-endpoint.png" />

### Configuration at Dashboard

1. Log in to your Dashboard and select Identity Management, located under System Management

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/identity-management.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=197239f564e2f9228b07ec9dc6d6057b" alt="Select Identity Management" width="800px" height="400" data-path="img/keycloak-sso/identity-management.png" />

2. Create a profile, give it a name and select “Login to Tyk Dashboard”

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/create-profile.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=5e1560f2a701c630c0b3c03ee34036e1" alt="Create a profile" width="800px" height="400" data-path="img/keycloak-sso/create-profile.png" />

3. Set the provider type as “OpenID Connect”

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/set-provider-type.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=e1f3ce31f5d6e3bbf6e732e2084cdc19" alt="OpenID Connect provider type" width="800px" height="400" data-path="img/keycloak-sso/set-provider-type.png" />

4. Fill in the Client ID, Client Secret and Discovery URL/endpoint from Keycloak (from steps 3 and 4 on the Keycloak side)

5. Copy the callback URL from Tyk and then you can click "Create Profile" to save the profile.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/copy-callback-url.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=366112f7c187706e0643a66f0b267984" alt="Copy callback URL" width="800px" height="400" data-path="img/keycloak-sso/copy-callback-url.png" />

6. Go to Keycloak, and paste the callback URL you just copied to “Valid redirect URIs” in the Keycloak Client, and then save the client.

   This can be accessed by selecting the "Settings" tab when viewing a Keycloak client.

   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/add-redirectUrl-to-client.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=9ce640a9a1336e0c97645db50acb11dd" alt="Add Redirect URL to keycloak client" width="800px" height="400" data-path="img/keycloak-sso/add-redirectUrl-to-client.png" />

### Test Keycloak Login

1. From your **Identity Management Profiles** click the profile you created to open it.

2. Copy the **Login URL** and paste it into a browser tab
   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/login-url.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=9abdba6d3e0f7db46e64df2f4439aba1" alt="Copy login url" width="800px" height="400" data-path="img/keycloak-sso/login-url.png" />

3. You will now see the Keycloak login form.
   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/keycloak-login.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=8be1ee4f734944d7a921a2ae60eb6418" alt="Login to keycloak" width="400px" height="400" data-path="img/keycloak-sso/keycloak-login.png" />

4. Enter the email address and password of your Keycloak user.

5. You should now be redirected to the Tyk Dashboard and logged in
   <img src="https://mintcdn.com/tyk/IjX3R2JMsyaApv0U/img/keycloak-sso/logged-in.png?fit=max&auto=format&n=IjX3R2JMsyaApv0U&q=85&s=c3e12bfa90eb2367f19c3805f8f4b611" alt="Tyk Dashboard from Keycloak SSO login" width="800px" height="400" data-path="img/keycloak-sso/logged-in.png" />

## JSON Web Encryption with OIDC

**Prerequisites**

* Tyk Identity Broker v1.6.1+ or Tyk Dashboard v5.7.0+ (JWE feature is available from these versions and in all subsequent releases).
* An Identity Provider (IdP) that supports JSON Web Encryption (JWE)
* A certificate with a private key for Tyk (used to decrypt the ID token)
* A public key file for the IdP (used to encrypt the ID token)

### Steps for Configuration

1. **Prepare Encryption Keys**

   * Load the certificate with the private key into Tyk:
     * **For embedded TIB in Dashboard:** Use Tyk Dashboard's certificate manager. The image below shows the module in the Dashboard that allows you to upload certificates:
       <img src="https://mintcdn.com/tyk/KDuaZqa4-E6L5KE7/img/dashboard/certificate-manager/adding-certificate.gif?s=722799c9bf59ac835a5b44ac96bfdbb7" alt="Certificate manager" width="600" height="411" data-path="img/dashboard/certificate-manager/adding-certificate.gif" />
     * **For standalone TIB:** Store the certificate as a file accessible to Tyk

   * Load the public key into your IdP for ID token encryption (process varies by IdP)

2. **Configure the Identity Provider**
   * Create a new client in your IdP for Tyk Identity Broker

3. **Setup OIDC Profile**

   * Create a new [TIB profile](/5.12/api-management/external-service-integration#exploring-tib-profiles):
     * Select Social > OIDC as the provider
     * Enter the client key and client secret from the IdP
     * Copy the callback URL from TIB and add it to the IdP client's allowed redirect URLs
     <img src="https://mintcdn.com/tyk/3os_9uEYtQVgV1Hq/img/tib/profiles/tib-profile-creation.gif?s=b153a447d6a08d68fe384d5743c64d5a" alt="Profile creation" width="600" height="537" data-path="img/tib/profiles/tib-profile-creation.gif" />
   * Test the basic SSO flow to ensure it's working correctly

4. **Enable JWE**

   * [Update the TIB profile via API](/5.12/tyk-identity-broker/tib-rest-api#update-profile)

     * Add the following fields to the `ProviderConfig` section:

     ```json
     ...
     "ProviderConfig": {
        "JWE": {
           "Enabled": true,
           "PrivateKeyLocation": "CERT-ID"
        },
     ...
     ```

     * Set `PrivateKeyLocation` to either:
       * The certificate ID from the certificate manager, or
       * The file path where the certificate and private key are stored

   * Update the IdP client configuration
     * Enable JWE for the client
     * Provide the public key for encryption

5. **Verification**
   * Test the complete flow with JWE enabled to ensure proper functionality.

### Troubleshooting

While setting up JWE with Tyk Identity Broker, you may encounter some challenges. This section outlines common issues and their solutions to help you navigate the implementation process smoothly.

1. **oauth2: error decoding JWT token: jws: invalid token received, not all parts available**: JWE is not enabled in the profile, but the IdP is already issuing JWE-encrypted ID tokens (a compact JWE has five dot-separated parts, a signed JWT only three, which is what "not all parts available" refers to).
2. **JWE Private Key not loaded**: Tyk encountered a problem loading the certificate with the private key. Ensure that the path or certificate ID in `PrivateKeyLocation` is correct.
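The first error is easy to confirm before touching the profile: the ID token's compact serialization tells you whether it is a signed JWT (three parts, `alg` only) or an encrypted one (five parts, `alg` plus `enc`). The following is an added example written for this guide, not TIB's own code; it builds two constructed tokens that have the right shape (the parts after the header are placeholder bytes, not a real signature or ciphertext) and classifies them against the profile's `JWE.Enabled` setting. The helper names are my own:

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(header: dict, part_count: int) -> str:
    """Build a token with the compact-serialization shape of a JWS (3 parts) or JWE (5 parts).

    Only the header is meaningful; remaining segments are placeholder bytes (constructed fixture).
    """
    parts = [_b64url_encode(json.dumps(header, separators=(",", ":")).encode())]
    parts += [_b64url_encode(f"placeholder-part-{i}".encode()) for i in range(1, part_count)]
    return ".".join(parts)


def classify_token(token: str) -> dict:
    """Report whether a compact token looks like a JWS or a JWE, based on part count and header."""
    segments = token.split(".")
    try:
        header = json.loads(_b64url_decode(segments[0]))
    except (ValueError, UnicodeDecodeError):
        header = {}
    if len(segments) == 5 and "enc" in header:
        kind = "JWE"
    elif len(segments) == 3 and "enc" not in header:
        kind = "JWS"
    else:
        kind = "unknown"
    return {"kind": kind, "parts": len(segments), "alg": header.get("alg"), "enc": header.get("enc")}


def diagnose(token: str, jwe_enabled_in_profile: bool) -> str:
    """Map the token shape against the profile's ProviderConfig.JWE.Enabled setting."""
    info = classify_token(token)
    if info["kind"] == "JWE" and not jwe_enabled_in_profile:
        return ("IdP returned an encrypted ID token (5 parts) but the profile has JWE disabled: "
                "set ProviderConfig.JWE.Enabled and PrivateKeyLocation")
    if info["kind"] == "JWS" and jwe_enabled_in_profile:
        return ("profile expects JWE but the IdP returned a signed-only ID token (3 parts): "
                "enable ID token encryption on the IdP client")
    if info["kind"] == "unknown":
        return f"token has {info['parts']} parts; not a well-formed compact JWS or JWE"
    return "ok: token shape matches the profile's JWE setting"


# Constructed fixtures: a signed-only token and an encrypted token, both with made-up kid values.
SIGNED_ID_TOKEN = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}, 3)
ENCRYPTED_ID_TOKEN = make_sample_token({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "sample-kid"}, 5)

if __name__ == "__main__":
    for name, token in (("signed", SIGNED_ID_TOKEN), ("encrypted", ENCRYPTED_ID_TOKEN)):
        print(name, classify_token(token))
        print("  profile JWE disabled:", diagnose(token, False))
        print("  profile JWE enabled: ", diagnose(token, True))
```

To use it on a real token, paste the ID token captured from the callback into `classify_token`; the header is not encrypted in either format, so no key is needed to tell the two apart.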
