Data Observability platform Help

Authentication settings

In authentication page you can set up secondary authentication systems such as OAuth/LDAP/AD for SelectZero users

General options

General Options
  • Create user on first log in - Users from secondary authentication systems will be created automatically with role 'user' on initial login

  • Enable OAuth - Enable secondary authentication for OAuth

  • Enable LDAP/AD - Enable secondary authentication for LDAP/AD

OAuth settings
  • Use OpenID – enable OpenID for OAuth endpoint

  • Self-signed cert – Force OAuth to validate self-signed certificate from provided certificates

  • Server URL – URL where current SelectZero deployment is hosted

  • Auth endpoint – OAuth server authentication endpoint

  • Token endpoint – OAuth server token endpoint

  • Client ID – OAuth client ID

  • Client Secret – OAuth client secret (Can be entered, when key icon is green)

  • Scope – OAuth authorization scope

  • Username field – OAuth username field

  • Display name field – If Create user on first log in is enabled, the value of this attribute from the OAuth user-info response is used as the new user's display name (e.g. name for Google, preferred_username for some providers). Leave empty to skip and fall back to the username.

LDAP settings
  • Server – LDAP server, either ldap or ldaps (when using custom port you can include it in the url)

  • Base DN – LDAP server root distinguished name (If group name has whitespaces then wrap it between quotes e.g. OU=”group name”)

  • User DN – Optional user DN which will be prepended to base DN for user search

  • Group DN – Optional group DN which will be prepended to base DN for group search

  • Group filter – For LDAP we can do additional query to see if user belongs to a certain group. For example:

    (&(objectClass=groupOfUniqueNames)(uniqueMember=uid={username},ou=people,dc=selectzero,dc=io)(cn=developers))
    • objectClass - searchable object class 'groupOfUniqueNames'

    • uniqueMember - LDAP group unique member attribute, where {username} is the placeholder

    • cn - group where we want to search the member from

  • Search by – LDAP filter for search user (for example uid)

  • Name field – If "Create user on first log in" is enabled, we can assign display name from user attribute

AD settings
  • Server – AD server, either ldap or ldaps (when using custom port you can include it in the url)

  • Base DN – AD server root distinguished name (If group name has whitespaces then wrap it between quotes e.g. OU=”group name”)

  • Group filter – For AD we can include filter with our AD user query for checking user group. For example:

    (memberOf=CN=Developers,OU=Groups,DC=selectzero,DC=io)
    • memberOf - group DN to search for

  • Search by – AD filter for search user (for example sAMAccountName)

  • Name field – If "Create user on first log in" is enabled, we can assign display name from user attribute

  • Domain – AD domain

Setting up OAuth providers

Select identity provider below for step-by-step setup and the values to enter in the OAuth tab. First enable OAuth in General options (and Create user on first log in if users should be provisioned automatically on their first login).

Register the application in Google Cloud Console:

  1. Open Google Cloud Console and go to APIs & Services -> Credentials

  2. If you have not configured the OAuth consent screen yet, do so first (choose the user type and set an app name and support email)

  3. Press Create Credentials -> OAuth client ID

    • Application typeWeb application

    • Name – an app name for the integration (e.g. SelectZero)

    • Authorized redirect URIs – add your callback URL, e.g. https://example.selectzero.com/oauth

  4. Press Create and copy the Client ID and Client secret

Enter these values in the OAuth tab:

  • Use OpenID – Enabled

  • Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com

  • Auth endpointhttps://accounts.google.com/o/oauth2/v2/auth

  • Token endpointhttps://oauth2.googleapis.com/token

  • Client ID – Client ID from Google Cloud Console

  • Client Secret – Client secret from Google Cloud Console

  • Scopeopenid email

  • Username fieldemail

  • Display name fieldname

Google OAuth example

Register the application in Okta:

  1. In the Okta Admin Console go to Applications -> Applications and press Create App Integration

    • Sign-in methodOIDC - OpenID Connect

    • Application typeWeb Application

  2. Configure the application

    • App integration name – an app name for the integration (e.g. SelectZero)

    • Sign-in redirect URIs – add your callback URL, e.g. https://example.selectzero.com/oauth

    • Assignments – choose which users or groups may sign in

  3. Press Save and copy the Client ID and Client secret from the application's General tab

Enter these values in the OAuth tab:

  • Use OpenID – Enabled

  • Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com

  • Auth endpointhttps://{yourOktaDomain}/oauth2/v1/authorize

  • Token endpointhttps://{yourOktaDomain}/oauth2/v1/token

  • Client ID – Client ID from Okta

  • Client Secret – Client secret from Okta

  • Scopeopenid email

  • Username fieldemail

  • Display name fieldname

Replace {yourOktaDomain} with your Okta org domain (e.g. selectzero.okta.com). If you use a custom Okta authorization server, the endpoints include its id, e.g. https://{yourOktaDomain}/oauth2/{authServerId}/v1/authorize.

Okta OAuth example

Microsoft Entra ID (formerly Azure AD) can be used as an OAuth provider for SelectZero logins. Register the application in Microsoft Entra ID:

  1. Log into Azure portal and search for Microsoft Entra ID

  2. Under Manage -> App registrations create a new registration

    • Name – choose an app name for the integration (e.g. SelectZero)

    • Supported account types – choose Accounts in this organizational directory only (Single tenant)

    • Redirect URI – select Web and enter your callback URL, e.g. https://example.selectzero.com/oauth

  3. Navigate to Manage -> Certificates & secrets

    • Under Client secrets press New client secret, set a description and expiry

    • Copy the secret Value immediately (it is shown only once). This is the Client Secret, not the secret ID

  4. Navigate to Overview

    • Copy the Application (client) ID – this is the Client ID

    • Copy the Directory (tenant) ID – needed to build the endpoint URLs below

Enter these values in the OAuth tab:

  • Use OpenID – Enabled (recommended – SelectZero reads the user from the id_token, so no Microsoft Graph permissions are required)

  • Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com

  • Auth endpointhttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize

  • Token endpointhttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

  • Client ID – Application (client) ID from the app registration

  • Client Secret – Client secret Value from Certificates & secrets

  • Scopeprofile email

  • Username fieldpreferred_username

  • Display name fieldname

Replace {tenant-id} with the Directory (tenant) ID from the app registration.

Microsoft Entra ID OAuth example

Certificates

In certificates section you can add custom certificates in case any authentications/connections uses TLS/SSL.

Certificates

Adding a certificate

AddCert
  1. Press “Add” button under certificates section

  2. Choose a certificate file

  3. Give certificate an alias for distinction

  4. Press “Add new certificate”

Adding an https certificate (Enabling HTTPS for SelectZero)

AddCertHttps
  1. Press “Add” button under certificates section

  2. Choose a certificate file

  3. Give certificate an alias “https” (which is only used for https enabling. Certificate file has to be either .p12 keystore containing RSA private key or .pem file containing RSA private key and certificate chain)

  4. Insert password if certificate is protected by one

  5. Press “Add new certificate”

  6. Tool will shut down automatically

  7. Manually start SelectZero container/WAR file from server side

Replacing a certificate

ReplaceCert
  1. Press ReplaceButton button under certificate row

  2. Choose new certificate file

  3. Press “Change certificate”

  4. If you replaced “https” certificate, you should reload settings from “Load settings” button on the same page

18 June 2026