USER MANUALS


Identity Provider Configuration

This section explains how to configure Agora to use an external Identity Provider (IdP) to authenticate users in the platform using OpenID Connect (OIDC).

How to set up an Identity Provider in Agora

To configure an external Identity Provider for your Agora organization, an admin user with the role global_admin is required. Once logged in, the admin user can configure the Identity Provider by selecting the IdP menu option on the Organization Admin Panel page.

Agora IDP Configuration

Prior to starting the IdP configuration in Agora, ensure your Identity Provider itself is configured to integrate with Agora as explained in sections Okta Configuration or EntraID Configuration.

To complete the IdP configuration in Agora, we recommend using the OpenID Connect Discovery URL provided by your Identity Provider. Entering this URL into the Discovery endpoint URL field and clicking the Fetch and Fill button automatically populates the IdP’s details in Agora from the information returned by your Identity Provider. Once the details are populated, add the Client ID and Client Secret generated by your Identity Provider when creating the Agora application.

The following information is required to complete the IdP configuration in Agora:

  • Authorization URL: Identity Provider URL to log in and authorize users.

  • JWKS URL: Identity Provider URL that provides public keys to verify the signature of the JSON Web Token.

  • Token URL: Identity Provider URL to request tokens.

  • Logout URL: Identity Provider URL used to log out the user.

  • Issuer: Unique identifier of the authorization server that issues the tokens. It is used to validate the source of a token.

  • Validate signatures: Check to validate token signatures with the Identity Provider’s public keys.

  • Token claim with the user’s login: The Claim attribute in the JSON Web Token that holds the user’s login information.

  • Client ID: Unique identifier for the application configured in the Identity Provider.

  • Client secret: Key used to authenticate the application in the Identity Provider.
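
A check you can run on a discovery document before saving the values above, as an added example (not Agora code): it flags non-HTTPS URLs, an issuer that does not match the discovery URL, and endpoints hosted away from the issuer. The mapping of standard OIDC Discovery keys to the Agora fields, the function name, the `email` login-claim default and the idp.example.com sample data are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Agora field (from the list above) -> standard OIDC Discovery metadata key (assumed mapping).
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "JWKS URL": "jwks_uri",
    "Token URL": "token_endpoint",
    "Logout URL": "end_session_endpoint",
    "Issuer": "issuer",
}

def check_discovery(discovery_url, document, login_claim="email"):
    """Map a discovery document to the Agora fields and list what needs attention."""
    meta = json.loads(document)
    fields = {name: meta.get(key) for name, key in FIELD_MAP.items()}
    problems = []
    for name, value in fields.items():
        if not value:
            problems.append(f"{name}: missing from discovery document")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name}: not an https URL")
    issuer = fields["Issuer"] or ""
    # OIDC Discovery: issuer must equal the discovery URL minus the well-known suffix.
    if issuer and issuer != discovery_url.removesuffix(WELL_KNOWN):
        problems.append("Issuer: does not match the discovery URL")
    # Keys or endpoints served from another host than the issuer need a manual check.
    for name, value in fields.items():
        if value and urlsplit(value).hostname != urlsplit(issuer).hostname:
            problems.append(f"{name}: review, host differs from issuer")
    claims = meta.get("claims_supported")
    if claims is not None and login_claim not in claims:
        problems.append(f"login claim {login_claim!r} not in claims_supported")
    return fields, problems

# Constructed sample data (idp.example.com is a placeholder, not a real tenant).
SAMPLE_URL = "https://idp.example.com/tenant-a" + WELL_KNOWN
GOOD = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "token_endpoint": "https://idp.example.com/tenant-a/token",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "end_session_endpoint": "https://idp.example.com/tenant-a/logout",
    "claims_supported": ["sub", "email", "name"],
}
BAD = dict(GOOD, jwks_uri="http://keys.example.net/jwks", claims_supported=["sub"])
if __name__ == "__main__":
    for doc in (GOOD, BAD):
        print(check_discovery(SAMPLE_URL, json.dumps(doc))[1])
```

An empty list means the populated values are internally consistent. It does not replace checking Validate signatures in the Agora form.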

Once all the details above have been entered correctly, the configuration can be saved. On saving, Agora generates two redirect URIs, log in and post logout, that must subsequently be configured in the Agora application created in your Identity Provider.

After the configuration is completed, any users who were already logged in to your Agora organization must log out and log in again to be authenticated by the configured external IdP.

Sign in and Sign out redirect URIs

Important

You must restart the Execution Plane after any Identity Provider configuration change. Please see section Restart a Cluster in the Solution Manager Administration Guide.

How to Register Users in Agora After Configuring an Identity Provider

To add new users to an Agora organization configured with an external Identity Provider, a global_admin or global_user_admin role is required. Users with these roles can add new users as described in the Manage Users section of the Agora Quick Start Guide. The email address of any new user created in Agora must match the email address configured for them in the external Identity Provider.

How to Log in to Agora After Configuring an Identity Provider

After configuring an Identity Provider for your Agora organization, existing organizational users will log in through the external Identity Provider (assuming the email address they used when joining your Agora organization matches the email address configured for them in the external Identity Provider). The one exception to this rule is Agora users with a global_admin role: these users always log in to Agora using their Agora credentials.

To log in through the Identity Provider, your organizational users will:

  1. Navigate to the Agora log in page and click on the Sign in to an organization link.

  2. Enter the ID of your organization, and click Continue.

    Organization name log in

  3. Fill in the email and click the Continue button.

    Email log in

  4. If the user doesn’t have the global_admin role, your configured Identity Provider log in page should appear, where the user can enter their credentials.

    Note

    Users with the global_admin role, after entering their email address and clicking continue, will be redirected to the Agora log in page, where they must enter their Agora credentials.

  5. If the Identity Provider authenticates the user successfully, the user will be logged in to Agora and redirected back to the Agora web application.
