Developer Guide / Auth Providers & SSO

Auth Providers & SSO

Connect external identity providers and single sign-on.

Beyond local accounts, Magic Varsh can authenticate users through external identity providers. Providers are configured under Settings → Auth and stored in the settings.auth_provider table. Once enabled, a provider's button appears on the login page.

Configuring authentication providers under Settings → Auth.
Configuring authentication providers under Settings → Auth.

Setup flow

  1. Register your application with the provider and obtain its credentials.
  2. Open Settings → Auth, choose the provider, and enter the credentials.
  3. Whitelist the redirect URI https://<portal>/login/<provider-key>/callback in the provider console.
  4. Enable the provider. Its status moves Not configured → Configured → Active.
  5. Test via https://<portal>/login/<provider-key>/test.
i
Saved secrets are masked (••••••••). For local development the redirect also accepts http://localhost:3000/login/<provider-key>/callback.

Supported providers

GroupProviders
Enterprise SSOOpenID Connect, OAuth 2.0, SAML 2.0, LDAP / Active Directory, Microsoft Entra ID, Okta, Auth0, Google Workspace, Keycloak, WSO2, Authentik, Ping Identity
Social loginGoogle, Microsoft, Apple, Meta, LinkedIn, GitHub
PasswordlessWebAuthn / Passkeys, FIDO2, Magic Link (email), OTP (SMS/email)
National / Government IDAadhaar (UIDAI), UAE PASS, Singpass, BankID

Common config keys

  • OIDC: issuer_url, client_id, client_secret (discovery via /.well-known/openid-configuration).
  • OAuth 2.0: authorization_url, token_url, client_id, client_secret.
  • SAML 2.0: entity_id, sso_url, x509_certificate.
  • LDAP: host, base_dn, bind_dn, bind_password.
  • Microsoft Entra ID: tenant_id, client_id, client_secret.
  • UAE PASS: client_id, client_secret, environment (default staging).
i
OTP supports channel (sms/email/both), otp_length (default 6) and expiry_minutes (default 5); SMS via Twilio, Nexmo or AWS SNS. Magic Link uses the portal SMTP with a configurable token expiry.