Implement SSO with Duende IdentityServer using Hyperstack
What is LoginRadius
LoginRadius is a customer identity platform that makes it easy to add Single Sign-On (SSO) to your applications. It supports standard protocols like SAML and OIDC, allowing users to sign in once and access multiple apps securely.
Integrating LoginRadius with your Hyperstack application helps you:
- Set up enterprise SSO with minimal configuration.
- Manage authentication centrally for all your SaaS environments.
- Improve security without adding complexity to your code.
Key Highlights
- Supports industry-standard protocols like SAML 2.0 and OIDC.
- Works seamlessly with Duende IdentityServer for secure authentication and user federation.
- Integrates quickly with Hyperstack using LoginRadius SDKs and REST APIs.
- Simplifies token handling, session management, and user claim mapping.
- Includes built-in options for MFA, passkeys, and adaptive authentication.
- Offers SCIM provisioning to automatically sync users and groups.
- Provides centralized configuration and policy control through the LoginRadius Admin Console.
- Built for B2B SaaS scale; offers tenant isolation, audit logs, and 99.99% uptime SLAs.
How to Integrate: Step-by-Step Guide
Integrating LoginRadius with Duende IdentityServer allows your Hyperstack application to authenticate users through enterprise identity providers using SAML 2.0 or OIDC.
Once connected, users can log in with their corporate credentials, while LoginRadius manages tokens, sessions, and policy enforcement behind the scenes.
1. Set Up Identity Provider
Create an application in Duende IdentityServer and configure the SAML or OIDC settings. Add the LoginRadius ACS URL, Entity ID, and redirect URIs, then download the IdP metadata.
2. Add Identity Provider to LoginRadius
Go to Authentication → Identity Providers → Custom Identity Providers in the LoginRadius Admin Console. Create a new SAML/OIDC connection and upload the metadata or discovery details from Duende IdentityServer.
3. Integrate LoginRadius with Hyperstack
Use the LoginRadius SDK or REST API for Hyperstack to handle authentication redirects, callbacks, and token validation. Map user claims such as email, name, and groups from Duende IdentityServer to LoginRadius and your app.
4. Test and Deploy
Test the entire authentication flow locally. Once verified, deploy your Hyperstack application and confirm that users can log in through Duende IdentityServer seamlessly.
Troubleshooting & Quick Fixes
- Login Loop After Redirect: Check callback URLs and cookie domain settings.
- 401 Unauthorized or Invalid Token: Verify client ID, issuer, and audience.
- User Assigned but Can’t Log In: Ensure proper user assignment and attribute mapping.
- Missing or Incorrect User Attributes: Verify attribute mappings in both Duende IdentityServer and LoginRadius.
- SAML Certificate or Signature Error: Update or re-upload certificates and reimport metadata after rotation.
- MFA or Passkey Not Triggering: Ensure MFA is enabled and configured correctly.
FAQs
1. Can I use both SAML and OIDC with LoginRadius?
Yes. LoginRadius supports both protocols, and you can run parallel connections for different Duende IdentityServer environments.
2. How do I configure multiple Duende IdentityServer tenants?
Create separate connections in the LoginRadius Admin Console—one per tenant or organization.
3. Do I need to store tokens manually in my Hyperstack app?
No. LoginRadius SDKs and APIs handle token exchange and validation automatically.
4. How do I test SSO locally before deploying?
Use your Hyperstack app’s local environment with the same callback URL registered in LoginRadius.
5. Can LoginRadius enforce MFA after Duende IdentityServer login?
Yes. You can enable step-up MFA in the Admin Console for extra security even after Duende IdentityServer authentication.
6. What if user attributes aren’t syncing correctly?
Check attribute mappings in both Duende IdentityServer and LoginRadius to ensure the correct claim names are used.
7. Does LoginRadius support SCIM provisioning with Duende IdentityServer?
Yes. LoginRadius supports SCIM 2.0 to automatically sync users and groups from Duende IdentityServer.