© 2026 WandoDocs are continuously updated as the product ships.

Generic OIDC

~10 minutes

For any OpenID Connect 1.0 provider not covered by a dedicated guide — Keycloak, Authelia, Ping Identity, Curity, JumpCloud, OneLogin, and others. The steps below are the universal shape; consult your provider's docs for the exact menu labels.

Before you start

  • An OIDC-compliant identity provider with an admin console.
  • Permission to register a new client application in that provider.
  • Your Wando contact on standby to receive the credentials at the end.

Steps

  1. Register a new client / application

    In your IdP's admin console, create a new OIDC client. Most providers call this "Application", "Client", "Service Provider" or "Relying Party". Choose a "confidential" or "web server" client type — Wando authenticates with a client secret on the back channel, so public/SPA client types are not appropriate.

  2. Set the redirect URI

    Configure the allowed callback / redirect URI to:

    https://www.wando.tromb.com/api/auth/callback/<your-provider-id>

    Replace `<your-provider-id>` with the slug you'll use in Wando. Wando rejects callbacks whose URL does not match exactly, so check scheme, host and trailing slash.

  3. Enable the Authorization Code flow

    Wando uses Authorization Code with a confidential client. Enable that grant type; you can leave others (implicit, client credentials, device code) off.

  4. Set the scopes

    Grant the client these standard OIDC scopes. Wando reads the user's email from the ID token and uses the rest for the profile.

    Required scopes: openid, email, profile
    Optional: offline_access (if refresh tokens are needed)

  5. Confirm the OIDC discovery endpoint

    Wando reads authorize / token / userinfo / JWKS endpoints from your IdP's discovery document. Verify it returns valid JSON at:

    <your-issuer-url>/.well-known/openid-configuration

    The "issuer" field inside that JSON must match the issuer URL you paste into Wando exactly.

  6. Copy the Client ID and Client secret

    Save both values somewhere safe — many IdPs only display the secret once. Wando stores the secret encrypted at rest.
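
A pre-hand-off check of the discovery document against steps 3 to 5, added here as an example and not Wando's own code. The sample documents and their endpoint paths are constructed; the https requirement on the endpoints comes from the OpenID Connect Discovery specification, not from this guide.

```python
import json

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "email", "profile"}

def check_discovery(issuer, body):
    """Return a list of problems; an empty list means the document passes."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    # Step 5: exact string match, no case folding or trailing-slash tolerance.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            problems.append(f"{key} missing or not https")
    # Step 3: the Authorization Code flow is advertised as response type "code".
    response_types = doc.get("response_types_supported")
    if not isinstance(response_types, list) or "code" not in response_types:
        problems.append("response type 'code' not advertised")
    # Step 4: scopes_supported is optional metadata, so check only if present.
    scopes = doc.get("scopes_supported")
    if isinstance(scopes, list):
        missing = REQUIRED_SCOPES - {s for s in scopes if isinstance(s, str)}
        if missing:
            problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample documents (not captured from a real IdP).
ISSUER = "https://login.acme.com/realms/acme"
GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
}
# Same IdP, but the issuer has a trailing slash and "profile" is not offered.
BAD = dict(GOOD, issuer=ISSUER + "/", scopes_supported=["openid", "email"])

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("bad", BAD)):
        print(name, check_discovery(ISSUER, json.dumps(doc)) or "OK")
```

To check a real IdP, pass the response body fetched from `<your-issuer-url>/.well-known/openid-configuration` together with the issuer URL you intend to send to Wando.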

Hand off to Wando

Send your values to your Wando contact

hej@wando.app

Send the values below to your Wando contact. They will wire them into your organisation's SSO config — Wando discovers the rest from the issuer URL automatically.

  • Suggested provider ID: a lowercase slug, e.g. "keycloak-acme"
  • Issuer URL: your IdP's issuer, e.g. https://login.acme.com/realms/acme
  • Email domain: acme.com
  • Client ID: from step 6
  • Client secret: from step 6