OpenID Connect (Single Sign-On)

Traccar can authenticate users against a third-party identity provider that supports the OpenID Connect protocol, whether an enterprise identity provider such as Okta, a self-hosted provider such as Authelia, or a public service such as Google.

The authentication process is as follows:

As with the LDAP integration, an internal Traccar user record still exists for each SSO user, and admin rights can be granted automatically to members of the group named in the openid.adminGroup configuration option.

Configuration

Additionally, you will most likely need to set the web.url property so that Traccar sends the identity provider the correct redirect URL. The callback URL is built from web.url, and providers normally reject the login unless that exact URL has been registered with them.

In nearly all cases, the required endpoint URLs are fetched automatically from the provider's "well-known" discovery endpoint when openid.issuerUrl is set.

You can also configure OpenID manually by setting openid.authUrl, openid.tokenUrl and openid.userInfoUrl and omitting openid.issuerUrl.

For example, Google's well-known endpoint is https://accounts.google.com/.well-known/openid-configuration, and the corresponding issuer URL is https://accounts.google.com.
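The following is an added example, not Traccar's own code: it derives the discovery URL from an issuer URL, checks a discovery document before its endpoints are copied into openid.authUrl, openid.tokenUrl and openid.userInfoUrl, builds the redirect URL that web.url produces, and tells you whether the provider advertises a "groups" claim at all. SAMPLE_DISCOVERY is a constructed document modelled on the fields Google publishes; fetch the real document from the well-known endpoint rather than relying on these values. The issuer comparison is deliberately exact, as OpenID Connect Discovery requires.

```python
"""Added example (not Traccar code): validate an OpenID Connect discovery document
and derive the Traccar-specific URLs from the configured values."""
from urllib.parse import urlparse

CALLBACK_PATH = "/api/session/openid/callback"   # Traccar's callback path
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample in the shape of Google's discovery document (not fetched live).
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "email", "exp", "iat", "iss", "name", "sub"],
}


def well_known_url(issuer_url):
    """OIDC Discovery: issuer + /.well-known/openid-configuration, without a double slash."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def redirect_url(web_url):
    """The exact redirect URI built from web.url; register this string verbatim with
    the provider, which will normally require an exact match."""
    return web_url.rstrip("/") + CALLBACK_PATH


def discovery_problems(issuer_url, doc, wanted_scopes=("openid",)):
    """Return reasons not to use this document (empty list means it is usable)."""
    problems = []
    # The issuer claim must equal the configured issuer exactly; this is what ties
    # the advertised endpoints to the provider you intended (issuer mix-up defence).
    if doc.get("issuer") != issuer_url:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    # scopes_supported is optional in the spec; only check it when it is present.
    advertised = doc.get("scopes_supported", list(wanted_scopes))
    missing = [s for s in wanted_scopes if s not in advertised]
    if missing:
        problems.append("scopes not advertised: " + ", ".join(missing))
    return problems


def manual_config(issuer_url, doc):
    """The three keys you would set in the Traccar configuration when omitting
    openid.issuerUrl, taken from a validated discovery document."""
    problems = discovery_problems(issuer_url, doc)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "openid.authUrl": doc["authorization_endpoint"],
        "openid.tokenUrl": doc["token_endpoint"],
        "openid.userInfoUrl": doc["userinfo_endpoint"],
    }


def supports_groups_claim(doc):
    """openid.adminGroup needs a groups claim; a provider that does not list one
    (Google, for instance) cannot drive admin assignment."""
    return "groups" in doc.get("claims_supported", [])


if __name__ == "__main__":
    print(well_known_url("https://accounts.google.com"))
    print(redirect_url("https://gps.example.com/"))
    print(manual_config("https://accounts.google.com", SAMPLE_DISCOVERY))
    print("groups claim:", supports_groups_claim(SAMPLE_DISCOVERY))
```

Run it against the document you fetched from your own provider's well-known endpoint; a non-empty problem list, in particular an issuer mismatch, means the values should not be copied into the configuration.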

Provider-specific example - Google

Note: Google's OpenID Connect endpoint does not provide a "groups" claim, so openid.adminGroup does not work with it. Configure a local admin user before enabling SSO in Traccar, so that you are not locked out of administration.

Implementation details

Traccar uses the OpenID Connect authorization code flow and requires the following scopes:

The Traccar callback path is /api/session/openid/callback, appended to web.url.
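The following is an added example of the authorization code flow from the relying party's side, not Traccar's implementation: it builds the authorization request with a per-login state and nonce, handles the redirect back to the callback path above, exchanges the code, and checks the ID token's issuer, audience, expiry and nonce before trusting the claims. The identity provider is replaced by an in-memory stub that issues unsigned tokens so the script runs offline; the scope list, client ID, hostnames and the StubProvider are illustrative constructions. A real client must additionally verify the ID token signature against the provider's JWKS, which the stub cannot demonstrate.

```python
"""Added example (not Traccar code): relying-party side of the OIDC code flow,
with a stub provider standing in for the real one."""
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CALLBACK_PATH = "/api/session/openid/callback"   # Traccar's callback path
SCOPES = ["openid", "profile", "email"]           # illustrative scope list


class Session:
    """What the relying party must remember per browser session between sending
    the user to the provider and receiving the callback."""
    def __init__(self):
        self.state = None
        self.nonce = None


def build_auth_request(auth_url, client_id, web_url, session):
    """Authorization request for the code flow: state binds the callback to this
    session (CSRF), nonce binds the ID token to this login (replay)."""
    session.state = secrets.token_urlsafe(32)
    session.nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": web_url.rstrip("/") + CALLBACK_PATH,
        "scope": " ".join(SCOPES),
        "state": session.state,
        "nonce": session.nonce,
    }
    return auth_url + "?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def handle_callback(callback_url, session, token_endpoint, issuer, client_id, now=None):
    """Validate the provider's redirect, exchange the code, and validate the ID token.
    token_endpoint is a callable(code) -> token response dict, standing in for the
    HTTPS POST to the provider's token URL."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("provider returned error: " + q["error"][0])
    if not session.state or q.get("state", [None])[0] != session.state:
        raise PermissionError("state mismatch: callback not bound to this session")
    session.state = None                      # state is single use
    tokens = token_endpoint(q["code"][0])
    # id_token is a JWT (header.payload.signature); signature verification against
    # the provider's JWKS is omitted here because the stub cannot sign.
    payload = json.loads(_b64url_decode(tokens["id_token"].split(".")[1]))
    now = now if now is not None else time.time()
    if payload.get("iss") != issuer:
        raise PermissionError("id_token issued by a different issuer")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("id_token not issued for this client")
    if payload.get("exp", 0) <= now:
        raise PermissionError("id_token expired")
    if payload.get("nonce") != session.nonce:
        raise PermissionError("nonce mismatch: id_token not from this login")
    session.nonce = None
    return payload


class StubProvider:
    """Offline stand-in for an identity provider: one-time codes, unsigned tokens.
    Constructed test double, not real Google or Okta behaviour."""
    def __init__(self, issuer, client_id):
        self.issuer, self.client_id, self.codes = issuer, client_id, {}

    def authorize(self, auth_request_url, subject, email):
        p = {k: v[0] for k, v in parse_qs(urlparse(auth_request_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": subject, "email": email, "nonce": p["nonce"]}
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, code):
        rec = self.codes.pop(code)                # unknown or reused code -> KeyError
        claims = {"iss": self.issuer, "aud": self.client_id, "sub": rec["sub"],
                  "email": rec["email"], "nonce": rec["nonce"],
                  "iat": int(time.time()), "exp": int(time.time()) + 300}
        enc = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
        id_token = enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."
        return {"access_token": secrets.token_urlsafe(16), "id_token": id_token,
                "token_type": "Bearer"}


ISSUER, CLIENT_ID, WEB_URL = "https://idp.example", "traccar-client", "https://gps.example"


def demo_login():
    """Full round trip; returns the validated claims."""
    idp, s = StubProvider(ISSUER, CLIENT_ID), Session()
    req = build_auth_request(ISSUER + "/authorize", CLIENT_ID, WEB_URL, s)
    cb = idp.authorize(req, subject="user-123", email="driver@example.com")
    return handle_callback(cb, s, idp.token, ISSUER, CLIENT_ID)


def demo_forged_callback():
    """A callback carrying a state this session never issued must be rejected."""
    idp, s = StubProvider(ISSUER, CLIENT_ID), Session()
    build_auth_request(ISSUER + "/authorize", CLIENT_ID, WEB_URL, s)
    forged = WEB_URL + CALLBACK_PATH + "?" + urlencode({"code": "x", "state": "attacker"})
    try:
        handle_callback(forged, s, idp.token, ISSUER, CLIENT_ID)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(demo_login())
    print("forged callback rejected:", demo_forged_callback())
```

The state and nonce checks are what stop a login-CSRF or a replayed ID token from attaching an attacker's identity to a victim's browser session; the issuer and audience checks are what stop a token minted by one provider, or for a different client, from being accepted here.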