Single Sign-On with OAuth 2 and OpenID Connect


Many organizations utilize an Identity Provider to manage their user authentication and authorization. The Single Sign-On (SSO) feature leverages a company's existing identity infrastructure to allow authorized users to access resources in SynaMan. Using an Identity Provider is an alternate solution to using LDAP/AD or creating local users in SynaMan.

Benefits of Using SSO

  • Users have to remember fewer passwords
  • Typically, a company portal redirects users to SynaMan's web interface, which streamlines the process of signing in to and using applications.
  • Organizations can use a single set of policies for authentication, such as two-factor authentication.

Prerequisites

SynaMan can be integrated with any Identity Provider that supports OAuth 2 along with OpenID Connect (OIDC). The actual Identity Provider could be on a public cloud or installed within a company's LAN.

Tutorial Videos

In order to get you started quickly, it is recommended you watch the following videos. The first video talks about installing and configuring the Keycloak server, which is an open source Identity Server. The second video demonstrates integrating SynaMan with Keycloak.

Configuration

The following are step-by-step instructions on how to configure Keycloak with SynaMan.
  • Download, install and configure the Keycloak server as demonstrated in the first video above. If you're using a different Identity Provider, follow that provider's documentation to configure it. In short, you MUST perform the following tasks in the Identity Provider before configuring it with SynaMan.
    • Create a ClientID for SynaMan.
    • Create at least two users. Designate one of them as the admin account.
    • Note down the metadata URL for the server. Contact the server's support if you're using an Identity Server on a public cloud.
  • Log in to SynaMan as 'admin'.
  • Click on the Security tab.
  • Specify the user id for admin. This user MUST be a valid user in the Identity Server. Save the settings. This is a VERY IMPORTANT step. Failure to change the user ID will get you locked out of SynaMan.
  • Click on Single Sign-On tab.
  • Specify the Auth Metadata URL as provided by your identity provider.
  • Specify the ClientID.
  • Client Secret is optional. Only include a client secret if you have configured this client with a secret in your Identity Provider.
  • Check the box to enable SSO.
  • Restart SynaMan
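The three values the steps above ask for (metadata URL, ClientID and optional client secret) are the standard inputs of an OpenID Connect relying party. The following is an added example, not code from SynaMan or Keycloak, that shows what a relying party does with them: it validates the discovery document served at the metadata URL, builds the authorization redirect, and checks the claims of the ID token that comes back. The hostname idp.example.com, the realm name, the ClientID "synaman", the redirect URI and the discovery document and token claims are all constructed placeholders; the Keycloak endpoint paths follow Keycloak's usual layout. Running it against a real metadata URL before pasting the URL into SynaMan is a cheap way to catch a wrong URL or an issuer mismatch before you restart the server and find yourself locked out.

```python
"""Pre-flight checks for an OpenID Connect Identity Provider configuration.

Added example (not SynaMan's or Keycloak's code). The discovery document,
ID token payload, hostnames and ClientID below are CONSTRUCTED samples.
"""
import json
import secrets
import time
from urllib.parse import urlencode

# Endpoints every OIDC discovery document must expose for the code flow.
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed metadata URL of the kind the Configuration steps ask you to note down.
METADATA_URL = "https://idp.example.com/realms/synaman/.well-known/openid-configuration"

# Constructed sample of the JSON that such a metadata URL returns.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/realms/synaman",
    "authorization_endpoint": "https://idp.example.com/realms/synaman/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/synaman/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/synaman/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})


def validate_discovery(document_json, metadata_url):
    """Parse a discovery document and reject one a relying party cannot safely use.

    Returns the parsed metadata on success, raises ValueError otherwise.
    """
    meta = json.loads(document_json)
    missing = [key for key in REQUIRED_METADATA if key not in meta]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    issuer = meta["issuer"]
    # OIDC Discovery ties the metadata URL to the advertised issuer; a mismatch
    # means the 'iss' claim in tokens cannot be pinned to the URL you configured.
    if metadata_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        raise ValueError("metadata URL does not match the issuer it advertises")
    for key in REQUIRED_METADATA:
        if not str(meta[key]).startswith("https://"):
            raise ValueError(f"{key} must be served over HTTPS")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("provider does not support the authorization code flow")
    return meta


def build_authorization_url(meta, client_id, redirect_uri):
    """Build the redirect that sends the browser to the Identity Provider.

    Returns (url, state, nonce): 'state' binds the response to this browser
    session (CSRF protection), 'nonce' binds the ID token to this request.
    """
    state = secrets.token_urlsafe(24)
    nonce = secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def validate_id_token_claims(claims, meta, client_id, expected_nonce, now=None):
    """Check an ID token payload (after its signature was verified against jwks_uri).

    Returns the login name the token asserts, raises ValueError if a check fails.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != meta["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        raise ValueError("token was not issued for this ClientID")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multi-audience token without a matching azp claim")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    # Keycloak puts the login name in 'preferred_username'; assumption: this is the
    # value a relying party would match against an existing local user name.
    return claims.get("preferred_username") or claims["sub"]


if __name__ == "__main__":
    meta = validate_discovery(SAMPLE_DISCOVERY, METADATA_URL)
    url, state, nonce = build_authorization_url(
        meta, "synaman", "https://synaman.example.com/oauth/callback")  # constructed
    print("redirect browser to:", url)
    sample_claims = {  # constructed ID token payload
        "iss": meta["issuer"], "aud": "synaman", "iat": int(time.time()),
        "exp": int(time.time()) + 300, "nonce": nonce,
        "sub": "0f3a-constructed", "preferred_username": "alice",
    }
    print("login name:", validate_id_token_claims(sample_claims, meta, "synaman", nonce))
```

The state and nonce values must be generated per login attempt and kept in the server-side session until the redirect returns; the nonce check is what stops an ID token obtained for one session from being replayed into another.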

Importing Existing Users

Existing users are imported automatically, provided a user ID exists in the Identity Provider matching the existing user name.

Temporarily Disabling SSO

If you forget to modify the user name for the administrator's account, as mentioned above, the only way to gain access is to temporarily disable SSO. This is done by following the steps below.
  • Connect to the machine where SynaMan is running.
  • Using Windows File Explorer, go to $INSTALL_DIR\config folder. $INSTALL_DIR refers to the folder where SynaMan is installed.
  • Rename OAuthConfig.xml to a different name.
  • Restart SynaMan

Comparing SSO with LDAP/AD and local login

With the introduction of SSO, now there are three different mechanisms to manage user authentications:

  • Local users in SynaMan
  • User credentials that come from an Active Directory/LDAP server
  • SSO, which comes from an Identity Provider supporting OAuth with OpenID Connect. It is important to note that using SSO will automatically disable the first two mechanisms.

The following summarizes some differences between these mechanisms.

User Scope
  • Local Accounts: 100% local to SynaMan. Allows users outside your organization to have an account.
  • Active Directory: Integrated with your Windows login account. This is typically inside your LAN but could also be on a public cloud.
  • SSO: Integrated with other web portals in your company.

Sessions
  • Local Accounts: Maintained within SynaMan. Users will have to log in again once the session expires.
  • Active Directory: Maintained within SynaMan. Users will have to log in again once the session expires.
  • SSO: Maintained by the identity server. Users will stay logged in for a longer period of time.

Mixing
  • Local Accounts: Can be mixed with AD/LDAP, meaning some users can be local while others come from AD.
  • Active Directory: Can be mixed with local users.
  • SSO: Cannot be mixed with other mechanisms. Using SSO will disable the other two.
