Single Sign-On (SSO) via OIDC
CTFFactory supports federated authentication using OpenID Connect (OIDC), allowing your team to sign in with your corporate identity provider (IdP). When SSO is enabled, CTFFactory acts as an OIDC relying party: it delegates authentication to your IdP and receives identity claims in return.
Supported Identity Providers
Any standards-compliant OIDC 1.0 identity provider is supported, including but not limited to:
- Microsoft Entra ID (Azure AD)
- Okta
- Google Workspace
- Keycloak
- Auth0
- Ping Identity
- OneLogin
The configuration process is identical regardless of provider. You will need the ability to register a new OIDC application in your IdP's admin console.
How the OIDC Flow Works
- A user navigates to your CTFFactory workspace login page.
- They click Sign in with SSO (or are redirected automatically if SSO is enforced).
- CTFFactory redirects the browser to your IdP's authorization endpoint.
- The user authenticates with the IdP (password, MFA, etc., managed entirely by your IdP).
- The IdP redirects back to CTFFactory with an authorization code.
- CTFFactory exchanges the code for ID and access tokens at your IdP's token endpoint.
- CTFFactory reads the identity claims from the ID token and creates or updates the user session.
CTFFactory never sees or stores the user's IdP password. All credential verification is handled by your IdP.
Required IdP Settings
When registering CTFFactory as an OIDC application in your IdP, use the following values:
| IdP Field | Value |
|---|---|
| Application type | Web application (confidential client) |
| Redirect URI | https://app.ctffactory.io/auth/oidc/callback |
| Logout redirect URI | https://app.ctffactory.io/auth/oidc/logout |
| Grant types | Authorization Code |
| Response types | code |
| Scopes requested | openid email profile |
After registering the application, collect the following values from your IdP; you will enter these into CTFFactory's SSO configuration page:
| Setting | Description |
|---|---|
| Client ID | The application/client identifier assigned by your IdP |
| Client Secret | The corresponding secret (keep this confidential) |
| Discovery URL | The OIDC well-known configuration URL, e.g., https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration |
CTFFactory uses the discovery URL to automatically retrieve the authorization endpoint, token endpoint, JWKS URI, and other metadata. You do not need to enter these individually.
Configuring SSO in CTFFactory
- Navigate to Workspace Settings > Security > Single Sign-On.
- Click Configure SSO.
- Enter your Client ID, Client Secret, and Discovery URL.
- Click Test Connection. CTFFactory will attempt to fetch the discovery document and validate the configuration. A green checkmark confirms success.
- Configure Attribute Mapping (see below).
- Click Save. SSO is saved but not yet enabled.
- Toggle Enable SSO to activate it.
Attribute Mapping
CTFFactory reads identity claims from the OIDC ID token to populate the user's profile. The default claim mapping works with most providers out of the box:
| CTFFactory Field | Default OIDC Claim | Notes |
|---|---|---|
| Email | email | Required; used as the unique identifier |
| Display name | name | Falls back to preferred_username if absent |
| First name | given_name | Optional |
| Last name | family_name | Optional |
If your IdP uses non-standard claim names, you can override each mapping in the Attribute Mapping section of the SSO configuration page.
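The following is an added illustration, not CTFFactory's own code, of the two steps a relying party performs after the token exchange described above: checking the basic ID token claims (issuer, audience, expiry) and applying the attribute mapping table, including the preferred_username fallback and a per-field override. It assumes the token's signature has already been verified against the IdP's JWKS, and the claim values and the `corp_mail` override claim are constructed for the example.

```python
import time

# Default claim mapping from the table above (CTFFactory field -> OIDC claim).
DEFAULT_MAPPING = {
    "email": "email",
    "display_name": "name",
    "first_name": "given_name",
    "last_name": "family_name",
}
# Fallback from the Notes column: display name -> preferred_username.
FALLBACKS = {"display_name": ("preferred_username",)}


def check_id_token_claims(claims, issuer, client_id, now=None):
    """Minimum relying-party checks on a signature-verified ID token: iss equals
    the discovery document's issuer, aud contains our client ID, exp not passed."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the discovery document issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain our client ID")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token is expired or carries no exp")
    return True


def map_claims(claims, overrides=None):
    """Apply defaults, per-field overrides and fallbacks; email is required and
    normalised because it is the unique identifier used to match accounts."""
    mapping = {**DEFAULT_MAPPING, **(overrides or {})}
    profile = {}
    for field, claim in mapping.items():
        value = claims.get(claim)
        for alt in FALLBACKS.get(field, ()):
            if value is None:
                value = claims.get(alt)
        profile[field] = value
    if not profile["email"]:
        raise ValueError("required claim missing: %s" % mapping["email"])
    profile["email"] = profile["email"].strip().lower()
    return profile


# Constructed sample claims (not from a real IdP): no "name" claim, so the
# display name must come from preferred_username.
SAMPLE_CLAIMS = {"iss": "https://idp.example.test/realms/demo",
                 "aud": "ctffactory-client-id", "exp": 2_000_000_000,
                 "email": " Alice@Example.test ", "preferred_username": "alice",
                 "given_name": "Alice", "family_name": "Doe"}
```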
Enabling and Disabling SSO
| State | Behavior |
|---|---|
| SSO disabled | All users sign in with CTFFactory email/password (and MFA if enabled). The SSO button is hidden. |
| SSO enabled (optional) | Users may sign in with either email/password or SSO. Both options appear on the login page. |
| SSO enforced | All workspace members must sign in via SSO. Email/password login is disabled for non-Owner accounts. |
SSO enforcement is configured under Workspace Settings > Security > Single Sign-On > Enforcement Mode.
Before enforcing SSO: Ensure that every active workspace member has a corresponding account in your IdP. Members who cannot authenticate via SSO will be locked out. The workspace Owner can always disable enforcement via the settings page.
Automatic User Provisioning
When a user authenticates via SSO for the first time, CTFFactory automatically creates an account for them using the identity claims from the ID token. New SSO-provisioned users are assigned the Member role by default. Admins and Owners can change the default provisioning role under SSO Settings > Default Role for New SSO Users.
Previously invited users who sign in via SSO are matched by email address and merged with their existing account.