Authentication settings
On the Authentication page you can set up secondary authentication systems (OAuth, LDAP, Active Directory) for SelectZero users.
General options

Create user on first log in – users who authenticate through a secondary system are created automatically with the role 'user' on their first login
Enable OAuth – enable OAuth as a secondary authentication method
Enable LDAP/AD – enable LDAP/AD as a secondary authentication method

Use OpenID – treat the OAuth endpoint as an OpenID Connect provider; the user is then read from the id_token returned by the token endpoint
Self-signed cert – validate the OAuth server's TLS certificate against the custom certificates added in the Certificates section (for providers that use a self-signed certificate)
Server URL – the URL where this SelectZero deployment is hosted; the callback URL registered with the provider is derived from it (e.g. https://example.selectzero.com/oauth), so the two must match
Auth endpoint – OAuth server authorization endpoint
Token endpoint – OAuth server token endpoint
Client ID – OAuth client ID
Client Secret – OAuth client secret (can be entered when the key icon is green)
Scope – OAuth authorization scope
Username field – the attribute of the user-info response (or of the id_token when Use OpenID is enabled) that becomes the SelectZero username, e.g. email
Display name field – if Create user on first log in is enabled, the value of this attribute from the user-info response (or id_token) is used as the new user's display name (e.g. name for Google, preferred_username for some providers). Leave empty to skip it and fall back to the username.

Server – LDAP server URL, ldap:// or ldaps:// (a custom port can be included in the URL, e.g. ldaps://ldap.example.com:8636). Prefer ldaps: a simple bind over plain ldap sends the user's password in clear text
Base DN – LDAP root distinguished name (if a group name contains whitespace, wrap it in quotes, e.g. OU="group name")
User DN – optional DN that is prepended to the base DN for the user search (e.g. ou=people)
Group DN – optional DN that is prepended to the base DN for the group search
Group filter – for LDAP an additional query can check that the user belongs to a certain group, for example:
(&(objectClass=groupOfUniqueNames)(uniqueMember=uid={username},ou=people,dc=selectzero,dc=io)(cn=developers))
objectClass – object class of the group entries, here groupOfUniqueNames
uniqueMember – group membership attribute; {username} is the placeholder that is replaced with the login name
cn – the group the user must be a member of
Search by – attribute the login name is matched against to find the user entry (for example uid)
Name field – if "Create user on first log in" is enabled, the display name of the new user is taken from this attribute of the user entry

Server – AD server URL, ldap:// or ldaps:// (a custom port can be included in the URL); as for LDAP, prefer ldaps
Base DN – AD root distinguished name (if a group name contains whitespace, wrap it in quotes, e.g. OU="group name")
Group filter – for AD the group check is combined with the user search filter, for example:
(memberOf=CN=Developers,OU=Groups,DC=selectzero,DC=io)
memberOf – DN of the group the user must be a member of. Plain memberOf matches direct membership only; Active Directory resolves nested groups with the matching rule memberOf:1.2.840.113556.1.4.1941:=<group DN>
Search by – attribute the login name is matched against to find the user entry (for example sAMAccountName)
Name field – if "Create user on first log in" is enabled, the display name of the new user is taken from this attribute of the user entry
Domain – AD domain name (e.g. selectzero.io, matching DC=selectzero,DC=io in the example above)
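The {username} placeholder in the LDAP and AD filters above is filled with whatever the user typed into the login form, so the value has to be escaped before it enters the filter. The following is an added example (not SelectZero's own code) showing the two escaping layers: RFC 4515 for filter assertion values, and RFC 4514 first when the placeholder sits inside a DN such as uniqueMember=uid={username},ou=people,... The placeholder_in_dn parameter and the user_search_filter helper are this example's own; the two filter strings are the ones documented above.

```python
"""
Added example (not SelectZero code): substituting the {username} placeholder
from the LDAP/AD group filters, with the escaping a login name needs.
"""
import re

# The two filters documented in the LDAP and AD sections above.
LDAP_GROUP_FILTER = ("(&(objectClass=groupOfUniqueNames)"
                     "(uniqueMember=uid={username},ou=people,dc=selectzero,dc=io)"
                     "(cn=developers))")
AD_GROUP_FILTER = "(memberOf=CN=Developers,OU=Groups,DC=selectzero,DC=io)"


def filter_escape(value: str) -> str:
    """RFC 4515: backslash, *, (, ) and NUL in an assertion value become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def dn_escape_value(value: str) -> str:
    """RFC 4514: escape the characters that are special inside a DN value."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if value[:1] in ("#", " "):                  # leading '#' or space
        escaped = "\\" + escaped
    if value.endswith(" ") and len(value) > 1:   # trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def render_group_filter(template: str, username: str, placeholder_in_dn: bool) -> str:
    """Fill {username}. Use placeholder_in_dn=True when the placeholder is part
    of a DN value (uniqueMember=uid={username},ou=people,...): the name is
    DN-escaped first and then filter-escaped, so "a,b" ends up as a\\5c,b."""
    value = dn_escape_value(username) if placeholder_in_dn else username
    return template.replace("{username}", filter_escape(value))


def user_search_filter(search_by: str, username: str, group_filter: str = "") -> str:
    """(&(<Search by>=<login name>)<group filter>), the AD-style combined
    query; without a group filter it is the plain user lookup."""
    user = f"({search_by}={filter_escape(username)})"
    return f"(&{user}{group_filter})" if group_filter else user


if __name__ == "__main__":
    print(render_group_filter(LDAP_GROUP_FILTER, "alice", True))
    print(user_search_filter("sAMAccountName", "alice", AD_GROUP_FILTER))
    # A crafted login name is neutralised instead of rewriting the filter:
    print(user_search_filter("uid", "*)(uid=*"))
```

Without the escaping, a login name such as `*)(uid=*` turns the user lookup into a wildcard match; with it, the same input becomes the literal string `\2a\29\28uid=\2a` and matches nothing.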
Setting up OAuth providers
Select an identity provider below for the step-by-step setup and the values to enter in the OAuth tab. First enable OAuth under General options (and Create user on first log in if users should be provisioned automatically on their first login).
Register the application in Google Cloud Console:
Open Google Cloud Console and go to APIs & Services -> Credentials
If you have not configured the OAuth consent screen yet, do so first (choose the user type and set an app name and support email)
Press Create Credentials -> OAuth client ID
Application type – Web application
Name – an app name for the integration (e.g. SelectZero)
Authorized redirect URIs – add your callback URL, e.g. https://example.selectzero.com/oauth
Press Create and copy the Client ID and Client secret
Enter these values in the OAuth tab:
Use OpenID – Enabled
Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com
Auth endpoint – https://accounts.google.com/o/oauth2/v2/auth
Token endpoint – https://oauth2.googleapis.com/token
Client ID – Client ID from Google Cloud Console
Client Secret – Client secret from Google Cloud Console
Scope – openid email
Username field – email
Display name field – name
Google returns the name claim only when the profile scope is also requested. If the display name should come from it, use Scope – openid email profile; with openid email alone the display name falls back to the username.

Register the application in Okta:
In the Okta Admin Console go to Applications -> Applications and press Create App Integration
Sign-in method – OIDC - OpenID Connect
Application type – Web Application
Configure the application
App integration name – an app name for the integration (e.g. SelectZero)
Sign-in redirect URIs – add your callback URL, e.g. https://example.selectzero.com/oauth
Assignments – choose which users or groups may sign in
Press Save and copy the Client ID and Client secret from the application's General tab
Enter these values in the OAuth tab:
Use OpenID – Enabled
Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com
Auth endpoint – https://{yourOktaDomain}/oauth2/v1/authorize
Token endpoint – https://{yourOktaDomain}/oauth2/v1/token
Client ID – Client ID from Okta
Client Secret – Client secret from Okta
Scope – openid email
Username field – email
Display name field – name
Replace {yourOktaDomain} with your Okta org domain (e.g. selectzero.okta.com). If you use a custom Okta authorization server, the endpoints include its id, e.g. https://{yourOktaDomain}/oauth2/{authServerId}/v1/authorize. As with Google, the name claim is only included when profile is added to the scope.

Microsoft Entra ID (formerly Azure AD) can be used as an OAuth provider for SelectZero logins. Register the application in Microsoft Entra ID:
Log into the Azure portal and search for Microsoft Entra ID
Under Manage -> App registrations create a new registration
Name – choose an app name for the integration (e.g. SelectZero)
Supported account types – choose Accounts in this organizational directory only (Single tenant)
Redirect URI – select Web and enter your callback URL, e.g. https://example.selectzero.com/oauth
Navigate to Manage -> Certificates & secrets
Under Client secrets press New client secret, set a description and expiry
Copy the secret Value immediately (it is shown only once). This is the Client Secret, not the Secret ID. Note the expiry you chose: logins stop working once the secret expires, so rotate it before then
Navigate to Overview
Copy the Application (client) ID – this is the Client ID
Copy the Directory (tenant) ID – needed to build the endpoint URLs below
Enter these values in the OAuth tab:
Use OpenID – Enabled (recommended: SelectZero reads the user from the id_token, so no Microsoft Graph permissions are required)
Server URL – your SelectZero deployment URL, e.g. https://example.selectzero.com
Auth endpoint – https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
Token endpoint – https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Client ID – Application (client) ID from the app registration
Client Secret – Client secret Value from Certificates & secrets
Scope – profile email
Username field – preferred_username
Display name field – name
Replace {tenant-id} with the Directory (tenant) ID from the app registration. Microsoft issues an id_token only when the openid scope is requested; if the login fails because no id_token is returned, use Scope – openid profile email.
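The OAuth tab fields described under General options and the three provider setups above all drive the same exchange: an authorization request built from Server URL, Auth endpoint, Client ID and Scope, a code exchange at the Token endpoint, and then the Username field / Display name field lookup on the returned id_token (Use OpenID). The following is an added example (not SelectZero's own code, and not a description of how SelectZero implements the flow) of the client side of that exchange using only the Python standard library. It assumes the callback is <Server URL>/oauth, as the redirect URI examples above suggest, and it lists the issuer strings the three providers put in the id_token. Signature verification against the provider's JWKS (RS256) must happen before the claim checks in a real deployment and is not shown here; the unsigned token in the block is a test fixture only.

```python
"""
Added example (not SelectZero code): authorization request, id_token claim
validation and Username/Display name mapping for the OAuth tab settings.
"""
import base64
import json
import secrets
from urllib.parse import urlencode

# "iss" values for the providers documented above, using the same placeholders
# as the OAuth tab. The Okta issuer is the org domain; a custom authorization
# server uses https://{yourOktaDomain}/oauth2/{authServerId} instead.
ISSUERS = {
    "google": "https://accounts.google.com",
    "okta": "https://{yourOktaDomain}",
    "entra": "https://login.microsoftonline.com/{tenant-id}/v2.0",
}


def build_authorize_url(auth_endpoint, client_id, server_url, scope,
                        state=None, nonce=None):
    """Authorization-code request. Assumption (not stated on the page): the
    callback is <Server URL>/oauth, the URI registered with the provider.
    state ties the callback to this browser session (CSRF protection);
    nonce is echoed in the id_token so a replayed token can be rejected.
    Returns (url, state, nonce) so the caller can store both values."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": server_url.rstrip("/") + "/oauth",
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return f"{auth_endpoint}?{urlencode(params)}", state, nonce


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(id_token):
    """Split a compact JWT into (header, claims). No verification happens here."""
    header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def id_token_problems(claims, issuer, client_id, nonce, now):
    """Claim checks from OpenID Connect Core 3.1.3.7; an empty list means accept."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        problems.append("token was not issued for this client id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the authorization request")
    return problems


def map_user(claims, username_field, display_name_field=""):
    """Apply the Username field / Display name field settings. An empty
    display-name field falls back to the username, as the page describes."""
    username = claims.get(username_field)
    if not username:
        raise ValueError(f"id_token has no {username_field!r} claim")
    display = claims.get(display_name_field) if display_name_field else None
    return username, display or username


def constructed_id_token(claims):
    """Test fixture only: an unsigned token so the example runs offline.
    Real providers sign with RS256; never accept alg "none" in production."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    url, state, nonce = build_authorize_url(
        "https://accounts.google.com/o/oauth2/v2/auth", "client-123",
        "https://example.selectzero.com", "openid email")
    print(url)
    now = 1_700_000_000  # constructed "current time" for the fixture
    token = constructed_id_token({
        "iss": ISSUERS["google"], "aud": "client-123", "exp": now + 300,
        "nonce": nonce, "email": "alice@example.com", "name": "Alice Example"})
    _, claims = decode_id_token(token)
    print(id_token_problems(claims, ISSUERS["google"], "client-123", nonce, now))
    print(map_user(claims, "email", "name"))
```

The issuer check is what makes the Single tenant choice for Entra ID meaningful: with the tenant-specific issuer, an id_token minted by another tenant is rejected even if the client id and nonce line up.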

Certificates
In the Certificates section you can add custom certificates for authentication back ends or other connections that use TLS, for example an LDAP server or OAuth provider with a self-signed certificate.

Adding a certificate

Press the “Add” button in the Certificates section
Choose the certificate file
Give the certificate an alias so it can be told apart from the others
Press “Add new certificate”
Adding an https certificate (Enabling HTTPS for SelectZero)

Press the “Add” button in the Certificates section
Choose the certificate file
Give the certificate the alias “https” (this alias is reserved for enabling HTTPS). The file must be either a .p12 keystore containing an RSA private key or a .pem file containing the RSA private key and the certificate chain
Enter the password if the file is protected by one
Press “Add new certificate”
SelectZero shuts down automatically
Start the SelectZero container/WAR file again manually on the server
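Because SelectZero shuts down after the https certificate is added and has to be restarted by hand, it pays to check the .pem file before uploading it. The following is an added example (not SelectZero's own code) that verifies the structure required above, exactly one RSA private key plus the certificate chain, and then lets OpenSSL, through Python's standard ssl module, confirm that the key belongs to the first certificate in the file. The sample PEM strings are constructed fixtures with placeholder bodies; a .p12 keystore is not covered because the ssl module cannot load one.

```python
"""
Added example (not SelectZero code): pre-upload check for the .pem file
stored under the "https" alias.
"""
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed fixtures (placeholder base64 bodies, not real key material).
_CERT = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLES = {
    "cert_only": _CERT,
    "key_and_chain": "-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n"
                     + _CERT + _CERT,
    "encrypted_key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF\n"
                     "-----END ENCRYPTED PRIVATE KEY-----\n" + _CERT,
    "ec_key": "-----BEGIN EC PRIVATE KEY-----\nMHcC\n-----END EC PRIVATE KEY-----\n" + _CERT,
}


def pem_labels(text: str) -> list:
    """Labels of the PEM blocks in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(text: str) -> bool:
    """PKCS#8 encrypted keys carry their own label; legacy PEM keys a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in pem_labels(text) or "Proc-Type: 4,ENCRYPTED" in text


def structural_problem(text: str, have_password: bool):
    """Why the file cannot be used as the https certificate, or None if it can."""
    labels = pem_labels(text)
    if "EC PRIVATE KEY" in labels:
        return "EC key found: the https certificate needs an RSA private key"
    keys = [label for label in labels if label in KEY_LABELS]
    if len(keys) != 1:
        return f"expected exactly one private key block, found {len(keys)}"
    if "CERTIFICATE" not in labels:
        return "no CERTIFICATE block: the certificate chain must be in the same file"
    if is_encrypted_key(text) and not have_password:
        return "private key is encrypted: enter the password when adding the certificate"
    return None


def check_https_pem(path: str, password: str = None):
    """Return (ok, detail). The OpenSSL step fails when the key does not match
    the first certificate or when any block is malformed."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    problem = structural_problem(text, password is not None)
    if problem:
        return False, problem
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(path, password=password)
    except ssl.SSLError as exc:
        return False, f"OpenSSL rejected the file: {exc}"
    chain_len = pem_labels(text).count("CERTIFICATE")
    return True, f"private key matches the leaf certificate; {chain_len} certificate(s) in chain"


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", structural_problem(text, have_password=False) or "structure ok")
```

Run `check_https_pem("/path/to/https.pem", password=...)` against the real file; the structural pass catches the common mistakes (chain missing, key missing, encrypted key with no password) before OpenSSL is asked to pair the key with the certificate.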
Replacing a certificate

Press the button in the certificate's row
Choose the new certificate file
Press “Change certificate”
If you replaced the “https” certificate, reload the settings with the “Load settings” button on the same page