Before you start
You will need:- Admin access to your identity provider so you can register a new application.
- A running Context7 On-Premise instance that you can reach in your browser.
- The Context7 admin password. On a fresh install it is
admin/adminuntil you change it.
Only one SSO provider can be active at a time. If you already have Microsoft Entra ID configured, enabling OIDC will automatically disable Entra, and vice versa.
Part 1: Register Context7 in your identity provider
The exact steps depend on your provider, but the end result is the same in every case: you need a client ID, a client secret, and your provider’s issuer URL.What to configure in your IdP
Create a new application or client in your identity provider and set the following:- Application type: Confidential (server-side) web application.
- Allowed grant type: Authorization Code.
- Redirect URI / Callback URL:
https://<your-context7-host>/api/auth/oidc/callback. The exact URL is shown in the Context7 settings card once you open it, and there is a copy button next to it.
code_challenge regardless of whether the provider requires it.
Group claims (for role mapping)
Context7 maps a group claim in the token to admin or member roles. Most providers let you include group membership in the ID token or expose it from the UserInfo endpoint. Either location works; Context7 checks both. In your IdP, configure the application to include the user’s groups in the token. The default claim name Context7 looks for isgroups. Common provider-specific steps:
- Okta: add a Groups claim to the authorization server with a filter matching the groups you want to expose.
- Keycloak: enable the
groupsscope or add a Group Membership mapper to the client. - Auth0: add a custom claim action that sets
groupsfrom the user’s app metadata or roles.
Part 2: Configure Context7
Open the SSO settings card
Sign in to your Context7 dashboard with the admin account. Open Teamspace Settings, scroll to the Authentication section, and click the Single Sign-On card. Select the OIDC tab.

Fill in the connection details
Toggle Enable OIDC on, then fill in the fields:
- Button label: the text shown on the sign-in button on the login page. Something like your company name or “Sign in with Acme” works well.
- Issuer URL: your provider’s base URL. Context7 appends
/.well-known/openid-configurationto discover endpoints automatically. For Okta this looks likehttps://your-org.okta.com, for Keycloak it ishttps://keycloak.example.com/realms/your-realm. - Client ID: the client or application ID from your IdP registration.
- Client Secret: the secret generated by your IdP. Context7 stores this encrypted and never returns it to the browser after saving.
- Scopes: space-separated scopes to request. The default
openid profile emailworks for most setups. Addgroupsor any custom scope your IdP requires to include group membership.
Configure group mapping
The Group mapping section controls which users get which role in Context7.

- Groups claim: the name of the claim in the token that contains the user’s groups. Default is
groups. - Admin group value: the exact group name that maps to the Context7 admin role. Admins can open Teamspace Settings and manage other users.
- Member group value: the exact group name that maps to the member role. Members can use the workspace but cannot access settings.
Test the connection
Click Test connection before saving. Context7 fetches your provider’s discovery document and confirms the required endpoints are present and reachable. A green banner means everything looks good. A red error usually means the issuer URL is wrong or the provider is not accessible from the Context7 server.
Part 3: Sign in
Open/login in a new browser window. You will see a Continue with [your button label] button at the top of the sign-in card.

Disabling password sign-in
Once OIDC is live, you can turn off password-based sign-in entirely so that all users must authenticate through your IdP. Open the Password sign-in card directly below the SSO card and toggle it off.
Managing users
All users who have signed in appear in Teamspace Settings → Users, along with their authentication provider and last login time.
Troubleshooting
”OIDC SSO is not configured”
The toggle is on but some required fields are missing or the config was not saved. Open the OIDC tab in the SSO card and check that Issuer URL, Client ID, and Client Secret are all filled in, then click Save & Apply.Test connection fails
The most common reasons are:- Wrong issuer URL: double-check it does not include a trailing slash and points to your realm root. For Keycloak, the format is
https://host/realms/realm-name, nothttps://host/auth/realms/realm-name(the/authprefix was removed in Keycloak 17). - Network access: the Context7 server must be able to reach your IdP’s HTTPS endpoint. If you are running air-gapped or on an internal network, confirm there is no firewall blocking outbound requests to your IdP from the server.
”This account is not assigned a supported Context7 group”
The user authenticated successfully but their token did not contain either of the configured group values. Check that:- The groups claim is included in the token from your IdP (use your IdP’s token preview or decode the returned JWT at jwt.io).
- The Groups claim field in Context7 matches the claim name exactly (case-sensitive).
- The Admin group value or Member group value matches the group name exactly, including casing and spacing.
”Single sign-on session expired. Please try again.”
The short-lived cookie that tracks the in-progress sign-in was lost between the redirect to the IdP and the return. The most common causes are:- Starting the flow on one hostname and returning on a different one (for example,
localhost:3000vslocalhost:5173). - A browser or proxy stripping the session cookie.
- Taking longer than 10 minutes to complete the IdP login, which is when the cookie expires.
Redirect URI mismatch
If your IdP returns a redirect URI error, the callback URL you registered in the IdP does not exactly match what Context7 sends. Copy the Callback URL from the Context7 settings card using the copy button and paste it verbatim into your IdP’s allowed redirect URIs. Pay attention tohttp vs https and the port number.
If Context7 is behind a reverse proxy, make sure the proxy forwards the Host and X-Forwarded-Proto headers correctly so Context7 can build the right callback URL.
For anything not covered here, contact context7@upstash.com.