Single-Sign-On
Endatix supports Keycloak and OAuth 2.0 / OpenID Connect for single sign-on. Configure authentication once on the API and Hub and your existing identity provider manages credentials, sessions, and roles.
Use your existing identity provider.
Configure Keycloak, Google Authentication, or any other OAuth 2.0 provider.
- API validates tokens with configurable issuer and audience checks
- Role assignments can be pulled from Keycloak via token introspection
- Federated sign-out clears both the Hub session and the Keycloak SSO session
- Endatix JWT auth continues to work alongside Keycloak for API-only clients
Auth capabilities
Keycloak OIDC
Full OpenID Connect support via Keycloak. Supports Authorization Code Flow, federated sign-out, and role mapping from Keycloak realm roles.
Built-in JWT Auth
Endatix ships with its own JWT provider for deployments that don't need an external IdP. It issues access tokens (15 min) and refresh tokens (7 days), both with configurable expiry.
Role-Based Access Control
RBAC is enforced at the API level. Roles can be sourced from Endatix's own JWT claims or introspected from Keycloak tokens — enabling external role management.
Federated Sign-Out
Hub signs out locally then redirects to the Keycloak end-session endpoint. The Keycloak SSO session is cleared, so re-login always prompts for credentials.
Token Introspection
For RBAC with Keycloak, the API supports token introspection to fetch up-to-date role assignments from the Keycloak server rather than relying solely on JWT claims.
Dual Provider Support
Run the Endatix JWT provider alongside the Keycloak provider simultaneously. Users authenticated via either path can access the same API.
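The two-step federated sign-out described above (clear the local session, then redirect to the identity provider's end-session endpoint) can be sketched as follows. This is an added example, not Endatix code: the host names, realm, client id, allow-list and session dictionary are assumptions, and the query parameters are those defined by OpenID Connect RP-Initiated Logout.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample values: host, realm, client id and landing page are
# placeholders, not Endatix or Keycloak defaults.
DISCOVERY = {  # the relevant field of an OIDC discovery document
    "end_session_endpoint":
        "https://idp.example.test/realms/demo/protocol/openid-connect/logout",
}
CLIENT_ID = "hub-demo"
ALLOWED_POST_LOGOUT = {"https://hub.example.test/signed-out"}


def federated_sign_out(session, return_to, discovery=DISCOVERY):
    """Clear the local session and return the IdP end-session URL."""
    # Exact-match allow-list: the landing page is never taken on trust
    # from the request, which would make sign-out an open redirect.
    if return_to not in ALLOWED_POST_LOGOUT:
        raise ValueError("post-logout redirect is not on the allow-list")
    endpoint = discovery["end_session_endpoint"]
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end-session endpoint must use https")

    id_token = session.get("id_token")
    state = secrets.token_urlsafe(16)

    # Step 1: local sign-out. Drop everything, keep only the one-time state.
    session.clear()
    session["logout_state"] = state

    # Step 2: redirect target that ends the SSO session at the IdP.
    params = {
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": return_to,
        "state": state,
    }
    if id_token:
        # Tells the IdP which session to end.
        params["id_token_hint"] = id_token
    return endpoint + "?" + urlencode(params)


def logout_callback_ok(session, returned_state):
    """True only if the IdP echoed the state issued for this sign-out."""
    expected = session.pop("logout_state", "")
    return bool(expected) and hmac.compare_digest(
        expected.encode(), returned_state.encode())
```

The ID token is read before the session is cleared because the end-session request still needs it as `id_token_hint`.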
Your identity provider. Our data collection.
Connect Keycloak and let your team log in the same way they access everything else in your organization.