SSO Configuration

FanFest's SSO management dashboard lets channel administrators configure OAuth/OIDC providers, create web applications, and manage allowed origins -- all from within the platform. This enables seamless authentication between your existing identity provider and FanFest.

TIP

This page covers SSO configuration from the admin perspective -- setting up providers and web apps in the FanFest dashboard. For the developer perspective on integrating SSO into your application, see the SSO Integration Guide.

Accessing SSO Management

  1. Navigate to your channel
  2. Click the Settings gear icon
  3. Select SSO Management from the dropdown

The SSO management dashboard has a sidebar with three sections:

  • Catalogs -- Browse and manage available OAuth provider templates
  • Providers -- Configure OAuth providers with your credentials
  • Web Apps -- Create web applications that use your providers

Concepts

Before configuring SSO, it helps to understand the three-layer model:

  1. Catalog -- A template defining an OAuth provider type (e.g., "Auth0", "Okta", "Azure AD"). Catalogs have versioned releases that specify the provider's endpoints and behavior. Global catalogs are available to all channels; channel-specific catalogs can be created for custom providers.

  2. Provider -- A channel-level configuration that connects a catalog release to your specific OAuth credentials (client ID, client secret, redirect URIs). Each channel can have multiple providers.

  3. Web App -- A client application that authenticates through a provider. Web apps have their own app ID (used as the clientId in the SDK), allowed scopes, and allowed origins. This is what your frontend integration references.

The relationship is: Catalog (1) -> Releases (many) -> Provider (uses one release) -> Web App (uses one provider)

Managing Catalogs

Catalogs define the OAuth provider types available for your channel.

Viewing Catalogs

The Catalogs page lists all available catalogs with:

  • Label -- The provider name (e.g., "Auth0")
  • Key -- A unique identifier for the catalog
  • Scope -- Whether the catalog is global (available to all channels) or channel-specific
  • Releases -- How many versioned releases exist for this catalog

Creating a Catalog

Channel administrators and system admins can create new catalogs for custom OAuth providers:

  1. Click Add Catalog
  2. Enter the catalog label and key
  3. Save the catalog

After creating a catalog, you need to add at least one release before it can be used by providers.

Viewing Releases

Click View Releases on a catalog to see its versioned releases. Each release includes a version number and status.

INFO

Global catalogs (not owned by any channel) can only be deleted by system administrators. Channel-specific catalogs can be deleted by channel admins, but only if they have no releases.

Configuring Providers

Providers connect a catalog release to your specific OAuth credentials.

Creating a Provider

  1. Navigate to the Providers section
  2. Click Add Provider
  3. Fill in the configuration:

| Field | Required | Description |
| --- | --- | --- |
| Provider Release | Yes | Select a catalog and version (e.g., "Auth0 - v1.0") |
| Client Type | Yes | Public or Confidential -- determines whether a client secret is required |
| Client ID | Yes | Your OAuth client ID from the identity provider |
| Client Secret | For confidential clients | Your OAuth client secret |
| PKCE Required | No (default: enabled) | Whether to require Proof Key for Code Exchange |
| Allowed Redirect URIs | Yes (at least one) | The URIs your identity provider is allowed to redirect back to |

  4. Click Save

Client Types

  • Confidential -- For server-side applications that can securely store a client secret. Requires the client secret field.
  • Public -- For browser-based or mobile applications that cannot securely store secrets. No client secret required; PKCE is recommended.

Editing a Provider

Click Edit on an existing provider to update its configuration. Note that the catalog release and client type cannot be changed after creation -- you need to delete and recreate the provider.

When editing, the client secret field is empty for security. Leave it blank to keep the existing secret, or enter a new value to update it.

Enabling and Disabling Providers

Toggle a provider's enabled state using the Enable/Disable button. Disabled providers cannot be used for authentication but are preserved for re-enabling later.

Deleting a Provider

Click Delete and confirm to permanently remove a provider. This also affects any web apps using the provider.

Managing Web Apps

Web apps represent the client applications that authenticate through your providers. The web app's app_id is what you use as the clientId when initializing the FanFest SDK.

Creating a Web App

  1. Navigate to the Web Apps section
  2. Click Add Web App
  3. Fill in the configuration:

| Field | Required | Description |
| --- | --- | --- |
| Friendly Name | Yes | A descriptive name for the web app (e.g., "Production Site", "Staging Environment") |
| Provider | Yes | Select which OAuth provider this web app uses |
| PKCE Required | No (default: enabled) | Whether PKCE is required for this web app |
| Allowed Scopes | No | Which OAuth scopes the web app can request |

  4. Click Save

Allowed Scopes

The web app configuration includes scope selection. Common scopes:

| Scope | Description |
| --- | --- |
| openid | Required -- Enables OpenID Connect authentication |
| email | Required -- Access to the user's email address |
| profile | User's profile information (name, picture) |
| phone | User's phone number |
| address | User's address information |

The openid and email scopes are required for FanFest SSO to function correctly.

Managing Origins

Each web app has a list of allowed origins -- the domains from which authentication requests are accepted. Click Manage Origins on a web app to add or remove origins.

Origins must be full URLs including the protocol (e.g., https://example.com). Add each domain where the FanFest SDK will be embedded.

Web App States

Web apps have a state that indicates their current status (e.g., active, disabled). The state badge is displayed next to the web app name in the list view.

Editing and Deleting Web Apps

  • Edit -- Update the friendly name, allowed scopes, and PKCE settings. The provider cannot be changed after creation.
  • Delete -- Permanently remove the web app. This immediately invalidates the app ID, so any SDK instances using it will no longer authenticate.

Configuration Workflow

A typical SSO setup follows this sequence:

  1. Check catalogs -- Verify that your identity provider has a catalog entry (e.g., Auth0, Okta). If not, create a custom catalog.
  2. Create a provider -- Configure your OAuth credentials for the catalog.
  3. Create a web app -- Set up the client application with the appropriate scopes.
  4. Add origins -- Whitelist the domains where your SDK embed runs.
  5. Use the app ID -- Copy the web app's app_id and use it as the clientId when initializing the FanFest SDK.

```js
FanFestSDK.init({
  clientId: 'YOUR_WEB_APP_ID'  // The app_id from your web app configuration
})
```
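
A pre-flight check for the workflow above, as an added example that is not FanFest code: it lints a planned provider and web app against the rules this page states (client secret for confidential clients, PKCE for public ones, at least one redirect URI, the openid and email scopes) and reduces each origin entry to scheme, host and port. The plan object's shape and field names are assumptions for illustration, not a FanFest API or export format.

```javascript
// Added example, not FanFest code. The plan object's shape and field names
// are assumptions for illustration; they are not a FanFest API or export.
const REQUIRED_SCOPES = ['openid', 'email'];

// Return the entry as a bare origin (scheme://host[:port]), or null if it
// has no http(s) scheme, carries a path/query/credentials, or uses a wildcard.
function normalizeOrigin(entry) {
  let url;
  try { url = new URL(entry); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  const extras = url.pathname !== '/' || url.search || url.hash ||
    url.username || url.password;
  if (extras || url.hostname.includes('*')) return null;
  return url.origin;
}

// Check a planned provider + web app against the rules stated on this page.
function lintSsoPlan({ provider, webApp }) {
  const findings = [];
  if (provider.clientType === 'confidential' && !provider.clientSecret)
    findings.push('provider: confidential client requires a client secret');
  if (provider.clientType === 'public' && !provider.pkceRequired)
    findings.push('provider: PKCE is recommended for public clients');
  if (!(provider.redirectUris || []).length)
    findings.push('provider: at least one allowed redirect URI is required');
  for (const scope of REQUIRED_SCOPES)
    if (!webApp.scopes.includes(scope))
      findings.push(`web app: required scope "${scope}" is missing`);
  for (const entry of webApp.origins) {
    const origin = normalizeOrigin(entry);
    if (origin === null)
      findings.push(`web app: "${entry}" is not a bare http(s) origin`);
    else if (origin !== entry)
      findings.push(`web app: enter "${entry}" as "${origin}"`);
  }
  return findings;
}

// Constructed sample plan with deliberate mistakes.
const samplePlan = {
  provider: { clientType: 'public', pkceRequired: false,
    redirectUris: ['https://fans.example.com/callback'] },
  webApp: { scopes: ['openid', 'profile'],
    origins: ['https://fans.example.com', 'fans.example.com',
      'https://staging.example.com/embed', 'https://Fans.example.com:443/'] },
};

console.log(lintSsoPlan(samplePlan).join('\n'));
```

An empty result means the plan matches the stated rules; the wildcard and path checks are this lint's own policy of one concrete origin per entry.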

Permissions

SSO management requires the Admin role. The SSO management sidebar only appears for channel Admins.

Released under the MIT License.